I've got LAMP running on Ubuntu 14.04, and almost a year ago I installed an SSL (TLS 1.2) certificate for my web server so my site would only run over the HTTPS protocol. On October 8 the certificate expires, and from now on I want to install and use Let's Encrypt. They have pretty good tutorials on how to use Let's Encrypt, so (hopefully) I won't have any issues with it. But I don't know what to do now. Must I wait till after my old cert expires? Or should I go ahead and proceed with the Let's Encrypt installation ASAP? If the latter, then another question arises: how do I get rid of the old cert? I mean, it's probably NOT a good idea to use two of them side by side. In short, too many things I don't understand.
2 Answers
Must I wait till after my old cert expires?
No, not at all.
Or should I go ahead and proceed with Let's Encrypt installation ASAP?
Sure, go for it.
If the latter, then another question arises. How to get rid of the old cert? I mean, it's probably NOT a good idea to use two of them side by side.
Umm, delete it. How do you propose using them side by side? That's not how TLS works. There's no magic here. Put the new cert in place, configure your web server accordingly, and restart it to start using the new cert.
Of course, it goes without saying that you should test this on a test machine before doing it in production. Fortunately, you can spin up a VPS somewhere for an hour to test for pennies.
In short, too many things I don't understand.
Sounds like now would be a great opportunity to dig in and truly learn the technologies you're using. Copy/paste sysadmin is dangerous.

- So what's the correct order of things? First, delete the old files? I placed the .crt and root_bundle.crt files in the /etc/ssl/certs directory and the .key file in the /etc/ssl/private directory. Other than physically deleting those files, do I have to run any specific command in the terminal or something? I used to run the "openssl req -new -newkey etc. etc." command when I was installing my old cert. And then install Let's Encrypt? From what I understood, the new cert shouldn't be put in place as a file; it somehow works automatically. Not the way it was with the old one... – Gregory Oct 03 '16 at 00:07
- Also, in the file /etc/apache2/sites-available/000-default.conf I had references to those 3 files in "SSLCertificateFile", "SSLCertificateKeyFile" and "SSLCertificateChainFile". So what about those three lines? – Gregory Oct 03 '16 at 00:29
- There are hundreds of tutorials online that cover this. I'm not going to repeat that content here. As I mentioned, start up a test system to test your procedure. There will be very close to zero cost to do this, and you'll feel much more confident when you go to do it on your live server. If you're unable or unwilling to do that, then consider hiring someone to help you out. – EEAA Oct 03 '16 at 00:32
- Hundreds of tutorials? Show me at least ONE where it says how to transition from a regular cert to something like Let's Encrypt, which (from what I understood) is very different. – Gregory Oct 03 '16 at 00:40
- It's not that different. You still have a key and a certificate chain, just like you currently have. You're making much ado about this "transition" bit. Forget that you're transitioning. Read the documentation. Test. Test. Test. Don't rely on others to spoon-feed you exactly what has to happen. – EEAA Oct 03 '16 at 00:44
- Okay, but in the file /etc/apache2/sites-available/000-default.conf there are 3 references to my old cert's files: SSLCertificateFile /etc/ssl/certs/my_domain.com.crt, SSLCertificateKeyFile /etc/ssl/private/my_domain.com.key, SSLCertificateChainFile /etc/ssl/certs/root_bundle.crt. So what do I do with those lines? Comment them out? Or update them with the new files that would be created by Let's Encrypt etc.? – Gregory Oct 03 '16 at 11:28
- @Gregory Test it. – EEAA Oct 03 '16 at 12:05
You can get a new certificate any time. You should really do this in advance of certificate expiry because it can be fiddly. Here are the steps I'd take:
- Set up Let's Encrypt, or another client.
- Request the certificate.
- (Optional) Install the certificate on another VM / instance, to test it.
- Install the certificate on the production server, during a period of low load.
The old certificate is just a file, just don't point at it any more.
I have a tutorial for Let's Encrypt with Wordpress and Nginx, which may be of some interest. It shows how to use a different client, I found the official Let's Encrypt client didn't work on Amazon Linux.
- Amazon Linux is a steaming pile of crap that nobody should be using for anything anyway. certbot would hardly be the first thing that doesn't work on it. – Michael Hampton Oct 03 '16 at 00:41
- I probably won't use Amazon Linux again, but I made the choice before I knew much about the practicalities. I'd probably use Ubuntu in the future. – Tim Oct 03 '16 at 00:53
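The switchover that the comments on the first answer ask about (what becomes of the three SSLCertificate*File directives in 000-default.conf) and the step list in the second answer, worked through as an added shell script. This is not code from either answer or from certbot. It assumes certbot's default /etc/letsencrypt/live/<domain>/ layout, the Apache 2.4.7 that Ubuntu 14.04 ships, a webroot of /var/www/html, and the vhost path and domain name (my_domain.com) given in the question's comments; the sample vhost used to exercise it is constructed for this example.

```shell
#!/bin/sh
# Added example: move an Apache vhost on Ubuntu 14.04 from a manually installed
# certificate to Let's Encrypt. Assumes certbot's default layout under
# /etc/letsencrypt/live/<domain>/ (assumption) and Apache 2.4.7, the version
# Ubuntu 14.04 ships. Rewriting the config is a pure text operation, so it is
# the part that can be exercised offline; the certbot/apache2ctl/openssl steps
# only run when DO_SWITCH=1 is set.
set -e

LE_LIVE=/etc/letsencrypt/live

# Rewrite the three SSL directives so they point at the Let's Encrypt files.
# Apache 2.4.7 still needs SSLCertificateChainFile (it was only folded into
# SSLCertificateFile in 2.4.8), so all three directives are kept and mapped to
# cert.pem / privkey.pem / chain.pem rather than using fullchain.pem.
# Leading indentation is preserved; a .bak copy of the config is left behind.
# Usage: rewrite_ssl_directives <vhost.conf> <domain>
rewrite_ssl_directives() {
    live="$LE_LIVE/$2"
    sed -i.bak \
        -e "s|^\([[:space:]]*\)SSLCertificateFile[[:space:]].*|\1SSLCertificateFile $live/cert.pem|" \
        -e "s|^\([[:space:]]*\)SSLCertificateKeyFile[[:space:]].*|\1SSLCertificateKeyFile $live/privkey.pem|" \
        -e "s|^\([[:space:]]*\)SSLCertificateChainFile[[:space:]].*|\1SSLCertificateChainFile $live/chain.pem|" \
        "$1"
}

# Print the paths the vhost's SSLCertificate*File directives point at, one per
# line, to confirm nothing under /etc/ssl is referenced any more.
ssl_files_referenced() {
    awk '/^[[:space:]]*SSLCertificate(Chain|Key)?File[[:space:]]/ { print $2 }' "$1"
}

# Confirm the private key belongs to the certificate before reloading; a
# mismatch makes Apache refuse to start. Comparing public keys (not RSA moduli)
# also covers ECDSA keys.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# The full procedure, in the order the second answer gives it.
switch_to_letsencrypt() {
    domain=$1
    conf=$2
    live="$LE_LIVE/$domain"
    # 1. Request the certificate while the old one is still serving the site.
    #    The HTTP-01 challenge is fetched over port 80, so the :80 vhost must
    #    serve (or redirect to) the webroot given here.
    certbot certonly --webroot -w /var/www/html -d "$domain"
    cert_key_match "$live/cert.pem" "$live/privkey.pem"
    # 2. Point the vhost at the new files and syntax-check before touching
    #    the running server.
    rewrite_ssl_directives "$conf" "$domain"
    echo "vhost now references:"; ssl_files_referenced "$conf"
    apache2ctl configtest
    # 3. Reload (no restart needed) and look at what the server really presents.
    service apache2 reload
    echo | openssl s_client -connect "$domain:443" -servername "$domain" 2>/dev/null \
        | openssl x509 -noout -issuer -dates
    # 4. Only now is the old certificate unreferenced; its files can go.
    echo "old files are no longer referenced; remove them with:"
    echo "  rm /etc/ssl/certs/my_domain.com.crt /etc/ssl/certs/root_bundle.crt"
    echo "  rm /etc/ssl/private/my_domain.com.key"
}

if [ "${DO_SWITCH:-0}" = 1 ]; then
    switch_to_letsencrypt "${1:?usage: DO_SWITCH=1 $0 <domain> [vhost.conf]}" \
        "${2:-/etc/apache2/sites-available/000-default.conf}"
fi
```

Run it on a throwaway VM first, as both answers suggest: DO_SWITCH=1 sh switch.sh my_domain.com /etc/apache2/sites-available/000-default.conf. The rewrite function on its own is safe to try against a copy of the config. Keeping all three directives is what works on the 2.4.7 in the question; on Apache 2.4.8 or later you could instead point SSLCertificateFile at fullchain.pem and drop SSLCertificateChainFile, and certbot's --apache plugin can edit the vhost for you. Until the reload, the old certificate is the one being served, so the two never overlap: a vhost presents exactly one chain, whichever the directives name.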