Parliament Hill Computers LtdParliament Hill Computers Ltd

Apache & Nginx SSL ongoing maintenance


This is not the end ...

Some on-going work you can automate, some you need to work at yourself.

Certificate renewal

The Let's Encrypt certificates are only valid for 90 days, you should look to renew what you have after 60 days.

The script RenewCertificates you can run via cron, there is a sample crontab in Renewal.crontab that you should arrange to be run by the user acme.

Put the list of certificate families into Renewals.list, update that list as you create new families. A name will be something like EXAMPLE or my-family ‐ do NOT put the .cnf suffix.

Note that all of the scripts can take the --list option.

Apache & Nginx will not notice the new certificates unless you restart it or reload the configuration. You need to arrange for this. I restart my Apache servers once/week ‐ which takes care of this.
The script ScriptToRestartWebServer can help with this.

Ensure that email for the user acme is forwarded somewhere where it will be read — otherwise any errors will not be noticed.

It can be hard to see what RenewCertificates is doing as it is run from cron:

Forcing Certificate renewal

RenewCertificates will not renew a certificate if it is less than 60 days old.

You can make it renew (in unusual circumstances) with a --force option, eg:

      $ bin/RenewCertificates --force --list Renewals
      

Security related configuration changes

This is much harder.

The problem is that vulnerabilities can be found in configurations and code that was previously considered save & good practice. Eg a cypher might be found to be insecure.

Miscellaneous


Next page: Chaining Let's Encrypt certificates

Return to How to Configure Let's Encrypt with acme_tiny.py

Return to tutorial home.

If you want any help using the above, or have any comments or suggestions, please contact us.