Some on-going work you can automate, some you need to work at yourself.
Let's Encrypt certificates are only valid for 90 days; you should look to renew what you have after 60 days.
You can run RenewCertificates via cron; there is a sample crontab in Renewal.crontab that you should arrange to be run by the user
Put the list of certificate families into Renewals.list, and update that list as you create new families. A name will be something like my-family; do NOT put the
Note that all of the scripts can take the
Apache and Nginx will not notice the new certificates unless you reload the configuration; you need to arrange for this. I restart my Apache servers once a week, which takes care of this. ScriptToRestartWebServer can help with this.
Ensure that email for the user acme is forwarded somewhere where it will be read; otherwise any errors will not be noticed.
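The cron, reload and email points above fit together in one small wrapper. The script below is an added example, not one of the tutorial's scripts: it runs RenewCertificates, takes a checksum snapshot of the certificate directory before and after, and reloads the web server only when a certificate file actually changed, so a weekly blind restart is not needed. The certificate directory (SignedCertificates), the reload command (apachectl graceful), the script name and the RUN_MAIN guard are assumptions; errors go to stderr so that cron mails them to the user it runs as.

```shell
#!/bin/sh
# Added example (not one of the tutorial's scripts): run RenewCertificates
# from cron and reload the web server only if a certificate file changed.
# The directory, renewal and reload commands below are assumptions; override
# them in the environment to match your installation.

CERT_DIR=${CERT_DIR:-SignedCertificates}                        # assumed location of the .crt files
RENEW_CMD=${RENEW_CMD:-"bin/RenewCertificates --list Renewals"} # the command from the tutorial
RELOAD_CMD=${RELOAD_CMD:-"apachectl graceful"}                  # assumed; 'nginx -s reload' for Nginx

# snapshot_certs DIR
#   print "checksum size path" for every DIR/*.crt, sorted, so that two
#   snapshots can be compared as plain strings.
snapshot_certs() {
    dir=$1
    for f in "$dir"/*.crt; do
        [ -f "$f" ] || continue
        cksum "$f"
    done | sort
}

# certs_changed BEFORE AFTER
#   exit 0 (true) when the two snapshots differ.
certs_changed() {
    [ "$1" != "$2" ]
}

# renew_and_reload
#   run the renewal, then reload only when a certificate actually changed.
#   Errors go to stderr, which cron mails to the user it runs as.
renew_and_reload() {
    before=$(snapshot_certs "$CERT_DIR")
    if ! $RENEW_CMD; then
        echo "RenewCertificates failed" >&2
        return 1
    fi
    after=$(snapshot_certs "$CERT_DIR")
    if certs_changed "$before" "$after"; then
        if ! $RELOAD_CMD; then
            echo "web server reload failed" >&2
            return 1
        fi
        echo "certificates changed; web server reloaded"
    else
        echo "no certificate changed; nothing to reload"
    fi
    return 0
}

# Run the main flow only when asked, e.g. from the crontab entry
#   RUN_MAIN=1 sh renew-and-reload.sh
# so that the file can also be sourced to reuse the functions.
if [ "${RUN_MAIN:-0}" = 1 ]; then
    renew_and_reload
fi
```

Because the check is on file contents rather than on what RenewCertificates printed, it also catches a certificate that was replaced by hand, and a renewal that produced no change leaves the server untouched.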
It can be hard to see what RenewCertificates is doing as it is run from cron:
TRACEFILE: a file into which errors will be appended. This must be writable by the user
VERBOSE: for more chatty messages into TRACEFILE and also to stderr (which is emailed).
RenewCertificates will not renew a certificate if it is less than 60 days old.
You can make it renew (in unusual circumstances) with the --force option, e.g.:
$ bin/RenewCertificates --force --list Renewals
At the time of writing the cross-signing, or chaining, certificate in
is due to expire in March 2021. After this it will need to be replaced, unless Let's Encrypt have managed to get their certificate installed into every TLS setup worldwide.
RenewCertificates will generate a warning when this certificate has less than 90 days before it expires, at which point you will need to do something, as yet unknown.
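To keep an eye on the 60-day renewal rule and the 90-day chaining-certificate warning yourself, you can ask openssl directly. The functions below are an added example, not part of RenewCertificates or ShowSSLinfo: expires_within uses the openssl x509 -checkend option to test whether a certificate expires inside a window of days, and report_expiring lists every .crt in a directory that does. The directory name SignedCertificates, the script name and the default 30-day window are assumptions.

```shell
#!/bin/sh
# Added example (not one of the tutorial's scripts): flag certificates that
# expire within a given window, using openssl x509 -checkend.

# expires_within CERT DAYS
#   exit 0 if CERT expires within DAYS days (or cannot be parsed, which is
#   treated as "needs attention"), 1 if it stays valid beyond the window,
#   2 if the file cannot be read.
expires_within() {
    cert=$1
    days=$2
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    # -checkend SECONDS exits 0 when the certificate will NOT expire within
    # that many seconds, and 1 when it will.
    if openssl x509 -checkend $((days * 86400)) -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# report_expiring DIR DAYS
#   print the path of every DIR/*.crt that expires within DAYS days.
report_expiring() {
    dir=$1
    days=$2
    for f in "$dir"/*.crt; do
        [ -f "$f" ] || continue
        if expires_within "$f" "$days"; then
            echo "$f"
        fi
    done
}

# When run as a script: report-expiring.sh [DIR] [DAYS]
#   30 days left matches the tutorial's "renew after 60 days" rule for a
#   90-day certificate; use 90 to mirror the chaining-certificate warning.
if [ $# -gt 0 ]; then
    report_expiring "${1:-SignedCertificates}" "${2:-30}"
fi
```

A certificate that openssl cannot parse is reported as expiring rather than silently skipped, so a corrupt file in the directory shows up in the same place a nearly expired one would.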
This is much harder.
The problem is that vulnerabilities can be found in configurations and code that were previously considered safe and good practice, e.g. a cipher might be found to be insecure.
It is important that you keep your system updated; when you see a new ssl.conf installed (maybe as
compare it with what you have and update appropriately. diff is great for this if your current file has not changed too much, which is why I suggested that you ''comment'' out lines
Look at the Mozilla configuration generator
$ sh bin/ShowSSLinfo www.phcomp.co.uk
If you want to see everything, use the
$ sh bin/ShowSSLinfo -v www.phcomp.co.uk
curl is another useful tool:
$ curl -v https://www.phcomp.co.uk/
$ openssl x509 -text -noout -in SignedCertificates/phcl.crt
or
$ sh bin/ShowSSLinfo --family phcl
$ sh bin/ShowSSLinfo --all-families