The process is essentially "reuse the previous CSR", as I understand it; it's the same thing the official client does with its 'certonly' command, IIRC, except it runs through all of them instead of one certificate at a time;

https://letsencrypt.org/howitworks/#renewing-a-certificate

They're currently discussing updating this process as well;

https://community.letsencrypt.org/t/help-us-test-renewal-with-letsencrypt-renew/10562

But basically, reusing the existing CSR is how we're using the nosudo client, with some evolving logic around it in our existing workflow that checks whether a certificate exists, sets the existing certificate aside in case anything goes wrong, etc.

Good test to use for renewal;
openssl x509 -noout -checkend 2419200 -in ${CERT_FILE}

Exits with 0 if valid for more than 28 days (2419200 seconds), or with 1 if there's less then 28 days left.

Oh, and you'll probably want to start testing the age of the key, at some point, and generate a new one at a suitable interval, anywhere from one to three years.

from acme-nosudo.

I'm happy to help. Is the process essentially "keep your previous CSR, just do the remaining dance steps again"?

from acme-nosudo.

More info or documentation for renewal will be of much help... is there any way to use the renewal script from http://do.co/le-renew , the code still needs letsencrypt to be installed any ideas?

from acme-nosudo.

The process for renewal is basically the same as the initial signing, but would love hold on updating the README for clarified instructions on how to renew.

from acme-nosudo.

anyone can help me identify the files to be used in:

SSLCertificateFile directive is needed.

SSLCertificateFile /etc/ssl/certs/example.com.crt // i used the chaimed.pem
SSLCertificateKeyFile /etc/ssl/private/example.com.key // used the user.key
#SSLCertificateChainFile /etc/ssl/certs/ca-bundle.crt commented this out

Am i doing it correct

from acme-nosudo.

@noelgeorgi The CSR, or the Certificate Signing Request, not the certificate (.crt) or the private key (.key); if you did not save it somewhere, you should just request a new certificate, and then save the CSR this time around for renewal in two months or so.

from acme-nosudo.

If you're looking at which files to test for expiry; test the certificate, not the key. The latter does not expire on its own.

from acme-nosudo.

the script only produces two files the private key and the certificate. what should i use for the SSLCertificateChainfile?

from acme-nosudo.

@noelgeorgi The same one you've used before. Covered in the documentation; https://github.com/diafygi/letsencrypt-nosudo#how-to-use-the-signed-https-certificate

from acme-nosudo.

I've decided that renewals should just re-run the sign_csr.py script. It works fine in renewing the same CSR and public key files.

from acme-nosudo.