Parliament Hill Computers LtdParliament Hill Computers Ltd

Apache & SSL ongoing maintenance


This is not the end ...

Some on-going work you can automate, some you need to work at yourself.

Certificate renewal

The Let's Encrypt certificates are only valid for 90 days, you should look to renew what you have after 60 days.

The script RenewCertificates you can run via cron, there is a sample crontab in Renewal.crontab that you should arrange to be run by the user acme.

Put the list of certificate families into Renewals.list, update that list as you create new families. A name will be something like EXAMPLE or my-website

Note that all of the scripts can take the --list option.

Apache will not notice the new certificates unless you restart it or reload the configuration. You need to arrange for this. I restart my Apache servers once/week ‐ which takes care of this.

Ensure that email for the user acme is forwarded somewhere where it will be read — otherwise any errors will not be noticed.

It can be hard to see what RenewCertificates is doing as it is run from cron:

Let's Encrypt Chaining Certificate expiry

At the time of writing the cross signing, or chaining, certificate in lets-encrypt-x3-cross-signed.pem is due to expire in March 2021. After this it will need to be replaced; unless Let's Encrypt have managed to get their certificate installed into every TLS setup world wide.

The script RenewCertificates will generate a warning when this certificate has less than 90 days before it expires. At which point you will need to do something — as yet unknown.

Security related configuration changes

This is much harder.

The problem is that vulnerabilities can be found in configurations and code that was previously considered save & good practice. Eg a cypher might be found to be insecure.

Miscellaneous


Next page: Chaining Let's Encrypt certificates

Return to How to Configure Let's Encrypt with acme_tiny.py

Return to tutorial home.

If you want any help using the above, or have any comments or suggestions, please contact us.