I’ve got a terrible secret. I’ve let some of my public-facing websites’ x509 certs lapse. I don’t mind too much as long as it’s a date issue. The people who actually consume my services are a bit annoyed with me about it though. It’s time to update at least one and see what the process is again.

Now time to figure out how I configured this. Like a detective. Though I haven’t left very many clues.

Bingo: Found the descriptors in my nginx dynamic proxy. That thing works well enough I almost forgot about it. Totally great when that happens.

Hmm, let’s see. The command for Let’s Encrypt is letsencrypt. I don’t remember where I left my configuration directories but I’m pretty sure I didn’t run it as root. It dumps a really ugly Python error though. Sweet, easily found with my other administrative stuff. Well, now that I’ve stopped it from barfing I need to figure out how to actually drive it. Cool! It’s as simple as running renew. I broke the tool though because I am using the manual configuration. One of these days I’ll figure out how to automate it.

Okay, after a bit of not remembering I need to prefix URLs in the application, I got it to update.

So the files are under the etc/live/{site}/fullchain.pem and etc/live/{site}/privatekey.pem. Put those in the right place and you are ready to go.
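
A check worth running on those two files before copying them into place, added here as an example and not part of the original post: it confirms the renewed certificate is not about to expire, that the private key actually belongs to it, and that the key file is not readable by group or others. The function names and the 7-day default margin are assumptions; the certificate and key paths are passed as arguments.

```shell
#!/bin/sh
# Added example: sanity checks on a renewed cert/key pair before deploying it.
# Function names and the default 7-day margin are assumptions for illustration.

# True if the first (leaf) certificate in CERT is still valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True if KEY's public half equals the public key in CERT's leaf certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if KEY has no group/other permission bits set (e.g. mode 600 or 400).
key_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# check_renewed CERT KEY [DAYS]: run all checks, report the first failure.
check_renewed() {
    days=${3:-7}
    cert_valid_for "$1" "$days" || { echo "FAIL: $1 expires within $days days or is unreadable" >&2; return 1; }
    key_matches_cert "$1" "$2"  || { echo "FAIL: $2 does not match $1" >&2; return 2; }
    key_is_private "$2"         || { echo "FAIL: $2 is readable by group or others" >&2; return 3; }
    echo "OK: $1 and $2 are ready to deploy"
}

# Usage: sh check_renewed.sh CERT KEY [DAYS]
if [ "$#" -ge 2 ]; then
    check_renewed "$@"
fi
```

The return code tells the failures apart: 1 for expiry, 2 for a key that does not match, 3 for loose key permissions.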