Whoops, Tildes joins the list of sites that forgot to renew their SSL certificates
Tildes was inaccessible for about 2 hours today because the SSL certificate expired, and I wasn't at home at the time to be able to fix it immediately.
I'm going to blame it on Let's Encrypt (the organization that I get the certificates through). They've always sent multiple warning emails starting weeks before the cert expires, but for some reason this time they didn't send any at all. I'll set something else up for future expiries and stop depending on them to be my reminder to renew it.
Certbot is supposed to renew the certificate automatically within a month of the cert's expiration date, if I recall correctly. Check the cron folders in /etc/; in Ubuntu 20.04 its crontab is at /etc/cron.d/certbot.
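An independent expiry check is the "something else" the original post says it will set up, and it also catches the case the cron comment above glosses over: certbot's timer can run and still leave an expired cert being served (a failed DNS challenge, or nginx never reloaded). The script below is an added example, not from this thread or from certbot; it needs only the openssl CLI, and the cron line, paths and thresholds in it are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread): an independent expiry check to run from
# cron, so a failed renewal or a missing reminder mail is noticed in time.
# Assumes only the openssl CLI; paths and thresholds are assumptions.
set -eu

# not_after CERT_PEM -> prints the notAfter date (used for the message only; the
# decision below uses `openssl x509 -checkend`, which needs no date parsing).
not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# fetch_cert HOST [PORT] -> writes the certificate actually being served to stdout.
# Check the served cert, not just the file on disk: a renewed file does nothing
# until the web server has reloaded it. (Needs network; not used in the test.)
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# check_cert CERT_PEM THRESHOLD_DAYS -> exit status:
#   0 = more than THRESHOLD_DAYS left, 1 = expires within threshold, 2 = already expired
check_cert() {
    cert=$1
    days=$2
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED: $cert expired on $(not_after "$cert")"
        return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "WARN: $cert expires within $days days, on $(not_after "$cert")"
        return 1
    fi
    echo "OK: $cert valid for more than $days days (expires $(not_after "$cert"))"
    return 0
}

# Cron usage (assumed path and schedule). cron mails any output to MAILTO, and the
# non-zero exit can drive an alert; 21 days leaves time to fix a broken renewal:
#   0 6 * * * root /usr/local/bin/check-cert.sh /etc/letsencrypt/live/tildes.net/fullchain.pem 21
[ "$#" -eq 0 ] || check_cert "$1" "${2:-21}"
```

Pointing the same check at `fetch_cert tildes.net` instead of the file on disk is what would have caught this outage, since what matters is the cert the proxy is serving, not the one certbot wrote.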
Yeah, it's more complex than the basic case because it's a wildcard certificate. You have to add DNS records for validation, so automating it is kind of annoying. I've never bothered to set it up since doing it manually only takes a few minutes every 90 days, but... it would have prevented this, so I should probably just do it.
No idea if it helps you, but Nginx Proxy Manager has auto-renewal, even for wildcard certs (I'm using that myself at home). Either NPM helps you itself, or you can look through its source for some code snippets on how it does the auto-extension.
If you're comfortable with it, there's certbot-dns-ovh to use an API key, etc.
I use Traefik as the front-end / reverse proxy for a personal website I host. It has built-in support for Let's Encrypt, including support for wildcard certs via a bunch of provider plugins that automate the DNS challenge.
I use wildcard certs and certbot handles renewing them automatically. I just made the one DNS record, gave certbot the Cloudflare stuff, and it handled the rest.
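The provider plugins mentioned in the replies above (certbot-dns-ovh, certbot-dns-cloudflare, Traefik's providers) all do the same thing under the hood: publish a TXT record for the DNS-01 challenge and remove it afterwards. When no plugin exists for a registrar, certbot's `--manual-auth-hook` / `--manual-cleanup-hook` let you script that step yourself. The hook below is an added example, not from this thread or from certbot. The environment variables it reads (`CERTBOT_DOMAIN`, `CERTBOT_VALIDATION`, `CERTBOT_REMAINING_CHALLENGES`) are the ones certbot documents for manual hooks; the DNS API call is provider-specific, so as an assumption the script appends records to a local file (`ACME_TXT_STORE`) as a stand-in for it, which also lets it run offline.

```shell
#!/bin/sh
# Added example (not from this thread or from certbot): a DNS-01 auth/cleanup hook
# for a wildcard cert. certbot would run it as, for instance:
#   certbot certonly --manual --preferred-challenges dns \
#       --manual-auth-hook '/path/to/this.sh' \
#       --manual-cleanup-hook 'ACME_HOOK_MODE=cleanup /path/to/this.sh' \
#       -d example.com -d '*.example.com'
# Assumption: publish_txt/remove_txt write to a local file instead of calling a
# real DNS API; replace their bodies with your provider's API calls.
set -eu

ACME_TXT_STORE=${ACME_TXT_STORE:-/tmp/acme-txt-records}
PROPAGATION_WAIT=${PROPAGATION_WAIT:-30}   # seconds; assumption, provider-dependent

# record_name DOMAIN -> the TXT name Let's Encrypt will query. A wildcard is
# validated at the base name, so strip a leading "*." defensively.
record_name() {
    d=${1#\*.}
    echo "_acme-challenge.$d"
}

# publish_txt NAME VALUE -> add a TXT record. Must ADD, not replace: a cert for
# example.com plus *.example.com gets two challenges at the same name, and both
# TXT records have to be present at the same time.
publish_txt() {
    printf '%s TXT "%s"\n' "$1" "$2" >> "$ACME_TXT_STORE"
}

# remove_txt NAME VALUE -> remove exactly that record, leaving any sibling intact.
remove_txt() {
    [ -f "$ACME_TXT_STORE" ] || return 0
    awk -v n="$1" -v v="\"$2\"" '!($1 == n && $2 == "TXT" && $3 == v)' \
        "$ACME_TXT_STORE" > "$ACME_TXT_STORE.tmp"
    mv "$ACME_TXT_STORE.tmp" "$ACME_TXT_STORE"
}

# txt_count NAME -> number of TXT records currently published for NAME.
txt_count() {
    [ -f "$ACME_TXT_STORE" ] || { echo 0; return 0; }
    awk -v n="$1" '$1 == n && $2 == "TXT" { c++ } END { print c + 0 }' "$ACME_TXT_STORE"
}

# auth_hook: called once per challenge with CERTBOT_DOMAIN and CERTBOT_VALIDATION set.
auth_hook() {
    name=$(record_name "$CERTBOT_DOMAIN")
    publish_txt "$name" "$CERTBOT_VALIDATION"
    # Let's Encrypt resolves the name at the authoritative servers, so give the
    # provider time to publish. CERTBOT_REMAINING_CHALLENGES is 0 on the last
    # call; waiting only then avoids paying the delay twice for base + wildcard.
    # A production hook should poll with dig instead of sleeping blindly.
    if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -eq 0 ]; then
        sleep "$PROPAGATION_WAIT"
    fi
}

# cleanup_hook: same variables; remove only the record this call created.
cleanup_hook() {
    remove_txt "$(record_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
}

# Dispatch when invoked by certbot (ACME_HOOK_MODE is an assumed name of our own).
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    case "${ACME_HOOK_MODE:-auth}" in
        cleanup) cleanup_hook ;;
        *)       auth_hook ;;
    esac
fi
```

Once the hook works, `certbot renew` re-runs it unattended on the same schedule the cron comment describes, which removes the every-90-days manual step that caused this outage; `certbot renew --dry-run` against the staging endpoint is the way to test it without spending rate-limit quota.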
So what did you all do without tildes for a little while? I got bored and started gutting old PS3 controllers I had so my toddlers could "play" along with me tomorrow. They'll either love it or get bored of it after 5 minutes, but either way I'm excited to show them!
I almost made some progress on my big term paper. Thank goodness the site wasn't gone for too long.
Did you ever look into Caddy? It's honestly really nice, never had to worry about SSL expiration since I started using it. Ever. And it's so nice and easy to configure I like it a lot to be honest.
Caddy didn't use to be FOSS. I guess that's changed, because it says it's Apache 2 licensed.
I forgot to renew too for some of my sites earlier this year. Then I just wrote a script to automate the process. (I got my domain + hosting from Namecheap and they don't proactively support Let's Encrypt so it has to be renewed through their cpanel.)