How to renew Let's Encrypt?


(Yomi Tsuku) #1

I got the warning email but don’t know how to renew it.


(Robby O'Connor) #3

There should be a cronjob that does it automatically for you.

Also:


(David Jameson) #4

Our forum is down (i.e. blocked by Safari) due to this certificate having expired today. What’s the cron job? Can I run it manually?


(Robby O'Connor) #5

It should happen automatically for you if you are running via Docker. I have never needed to manually renew mine.


(David Jameson) #6

Thanks, Robby. The problem was due to the fact that I was blocking port 80 (seemed like a good idea from a security perspective) and didn’t realize that LetsEncrypt used port 80.


(Michael Brown) #7

Yep - outright blocking port 80 is usually a bad idea:

  • people trying to get to the http side won’t be able to connect and thus won’t get the redirect to https
  • Let’s Encrypt uses HTTP to verify by necessity

(Stephen) #8

Let’s Encrypt needs to expose itself on :80 because verification of the DNS name is done via HTTP.

You want to leave it open anyhow as Discourse will take care of any redirection from :80 to 443 for clients who try to visit the insecure URL. The same instance of nginx is listening on :80 and :443 so there’s nothing to be gained by shutting down that port, and as you’ve already learned there’s quite a lot to lose.


(David Jameson) #9

Ah yes, if I’d known then what I had to later go off and learn to figure out why it didn’t work…

The thing is, I wasn’t using port 443 either. Externally, I was using a port in the high 10,000s and my firewall was redirecting those incoming requests to port 443.

Sigh


(Stephen) #10

That’s always going to be the risk when you deviate from the recommended configuration.

There’s a lot of knowledge here on meta though - maybe next time you want to make those kinds of changes you can run them by us first and we can help you understand any implications and the safest way to make them.

One added benefit to the above is that anyone searching to do the same down the line will also see the advice when (if) they search.


(Robby O'Connor) #11

You should keep port 80 open and do a redirect to HTTPS. This is how most of the web handles things.


(David Jameson) #12

Thank you - but in general I don’t want to keep port 80 open — as I mentioned above, I don’t even expose port 443 publicly.
I guess I’ll just have to temporarily open it every few months, manually update LetsEncrypt and then close it again or else use the DNS challenge.
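
The following is an added example, not code from the thread or from Discourse, that models offline the two renewal paths discussed here: the HTTP-01 check Stephen describes in #8 (the CA fetches a token from port 80, which the protocol fixes, so a closed port 80 or a high external port forwarded to 443 fails before any HTTP exchange) and the DNS-01 alternative David mentions in #12 (a TXT record, no inbound port). The key-authorization and thumbprint maths follow RFC 8555 and RFC 7638; the account JWK, the challenge token, the "firewall" port set, the webroot and the zone data are constructed stand-ins.

```python
import base64
import hashlib
import json
import secrets

ACME_HTTP_PORT = 80          # fixed by RFC 8555; the CA never uses another port
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed stand-in for an ACME account public key (JWK members only).
# A real client uses its own key pair; these values are arbitrary placeholders.
ACCOUNT_JWK = {"kty": "RSA", "n": "constructed-modulus-placeholder", "e": "AQAB"}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members, keys sorted,
    serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def port80_vhost(path: str, host: str, webroot: dict) -> tuple:
    """What the plain-HTTP listener should do (the behaviour the thread
    recommends): serve challenge files from the webroot verbatim, and answer
    every other request with a 301 to the https URL."""
    if path.startswith(CHALLENGE_PREFIX):
        body = webroot.get(path)
        return (200, body) if body is not None else (404, "")
    return (301, f"https://{host}{path}")


def validate_http01(domain: str, token: str, jwk: dict,
                    open_ports: set, webroot: dict) -> tuple:
    """CA-side HTTP-01 check. The CA connects to port 80 of the domain; a
    firewall that blocks 80 (or forwards only some high port to 443) fails
    here before any HTTP exchange happens."""
    if ACME_HTTP_PORT not in open_ports:
        return False, f"connection refused: {domain}:{ACME_HTTP_PORT} unreachable"
    status, body = port80_vhost(CHALLENGE_PREFIX + token, domain, webroot)
    if status != 200:
        return False, f"unexpected HTTP status {status}"
    if body.strip() != key_authorization(token, jwk):
        return False, "key authorization mismatch"
    return True, "ok"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 (RFC 8555 section 8.4): TXT record at _acme-challenge.<domain>
    holding base64url(SHA-256(key authorization)). No inbound port needed."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_dns01(domain: str, token: str, jwk: dict, txt_records: dict) -> bool:
    """CA-side DNS-01 check against a dict modelling the zone's TXT records."""
    return dns01_txt_value(token, jwk) in txt_records.get(f"_acme-challenge.{domain}", [])


def demo(domain: str = "forum.example.test") -> dict:
    """Run the scenarios from the thread against constructed data."""
    token = b64url(secrets.token_bytes(32))          # CA-issued challenge token
    webroot = {CHALLENGE_PREFIX + token: key_authorization(token, ACCOUNT_JWK)}
    zone = {f"_acme-challenge.{domain}": [dns01_txt_value(token, ACCOUNT_JWK)]}
    return {
        # recommended setup: 80 and 443 open, nginx redirects non-challenge paths
        "http01_port80_open": validate_http01(domain, token, ACCOUNT_JWK, {80, 443}, webroot)[0],
        # the failing setup from the thread: 80 blocked, only a high port forwarded to 443
        "http01_port80_blocked": validate_http01(domain, token, ACCOUNT_JWK, {18443}, webroot)[0],
        # the alternative mentioned above: DNS-01 needs no open port at all
        "dns01": validate_dns01(domain, token, ACCOUNT_JWK, zone),
        # an ordinary visitor on :80 is sent to https
        "redirect_status": port80_vhost("/latest", domain, webroot)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the open-port case succeeding, the blocked-port case failing with a connection refusal (the CA never tries the high port), the DNS-01 case succeeding with nothing exposed, and a non-challenge path on :80 answered with a 301. The `port80_vhost` rule is the shape an nginx `listen 80` server block takes when port 80 stays open only for redirects and challenges.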


(Stephen) #13

The only difference between 80 and 443 is the certificate. Unless you don’t trust nginx it’s fine to leave open.