I've got LAMP running on Ubuntu 14.04, and almost a year ago I installed an SSL (TLS 1.2) certificate for my web server, so my site would only run under the HTTPS protocol. On October 8 the certificate expires. And from now on I want to install and use Let's Encrypt. They have pretty good tutorials on how to use Let's Encrypt, so (hopefully) I won't have any issues with it. But I don't know what to do now. Must I wait till after my old cert expires? Or should I go ahead and proceed with Let's Encrypt installation ASAP? If the latter, then another question arises. How to get rid of the old cert? I mean, it's probably NOT a good idea to use two of them side by side. In short, too many things I don't understand.

Must I wait till after my old cert expires?

No, not at all.

Or should I go ahead and proceed with Let's Encrypt installation ASAP?

Sure, go for it.

If the latter, then another question arises. How to get rid of the old cert? I mean, it's probably NOT a good idea to use two of them side by side.

Umm, delete it. How do you propose using them side by side? That's not how TLS works. There's no magic here. Put the new cert in place, configure your web server accordingly, and restart it to start using the new cert.

Of course, it goes without saying that you should test this on a test machine before doing it in production. Fortunately, you can spin up a VPS somewhere for an hour to test for pennies.

In short, too many things I don't understand.

Sounds like now would be a great opportunity to dig in and truly learn the technologies you're using. Copy/paste sysadmin is dangerous.

  • 3
      • 2
    • So what's the correct order of things? First, to delete the old files? I placed .crt and root_bundle.crt files in /etc/ssl/certs directory and a .key file in /etc/ssl/private directory. Other than physically deleting those files, do I have to run any specific command in the terminal or something? I used to run "openssl req -new -newkey etc.etc." command when I was installing my old cert. And then to install Let's Encrypt? New cert from what I understood shouldn't be put like a file, it somehow automatically works. Not the way it was with the old one...
    • Also, in file /etc/apache2/sites-available/000-default.conf I had a reference of those 3 files in "SSLCertificateFile", "SSLCertificateKeyFile" and "SSLCertificateChainFile". So what about those three lines?
      • 2
    • There are hundreds of tutorials online that cover this. I'm not going to repeat that content here. As I mentioned, start up a test system to test your procedure. There will be very close to zero cost to do this, and you'll feel much more confident when you go to do it on your live server. If you're unable or unwilling to do that, then consider hiring someone to help you out.
      • 1
    • Hundreds of tutorials? Show me at least ONE where it says how to transition from a regular cert to something like Let's Encrypt, which (from what I understood) is very different.
      • 2
    • It's not that different. You still have a key and a certificate chain, just like you currently have. You're making much ado about this "transition" bit. Forget that you're transitioning. Read the documentation. Test. Test. Test. Don't rely on others to spoon-feed you exactly what has to happen.

You can get a new certificate any time. You should really do this in advance of certificate expiry because it can be fiddly. Here are the steps I'd take:

  1. Set up Let's Encrypt, or another client.
  2. Request the certificate.
  3. (Optional) Install the certificate on another VM / instance, to test it.
  4. Install the certificate on the production server, during a period of low load.

The old certificate is just a file; just don't point at it any more.

I have a tutorial for Let's Encrypt with WordPress and Nginx, which may be of some interest. It shows how to use a different client; I found the official Let's Encrypt client didn't work on Amazon Linux.

  • 1
      • 2
    • Amazon Linux is a steaming pile of crap that nobody should be using for anything anyway. certbot would hardly be the first thing that doesn't work on it.
      • 1
    • I probably won't use Amazon Linux again, but I made the choice before I knew much about the practicalities. I'd probably use Ubuntu in the future.
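
The switch both answers describe comes down to re-pointing the three directives named in the comments above. The following is an added example, not code from any poster: it rewrites them in a vhost and returns the old paths that are no longer referenced. The sample vhost, the file names in it, `example.com` and the function name are constructed; the target file names assume certbot's usual `/etc/letsencrypt/live/<domain>/` layout.

```python
import re

# The three mod_ssl directives named in the thread.
SSL_DIRECTIVE = re.compile(
    r"^(?P<indent>[ \t]*)(?P<name>SSLCertificate(?:File|KeyFile|ChainFile))"
    r"[ \t]+(?P<path>\S+)[ \t]*$",
    re.MULTILINE,
)

# Constructed sample vhost; paths mirror the directories the asker mentions.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLCertificateChainFile /etc/ssl/certs/root_bundle.crt
</VirtualHost>
"""


def repoint_vhost(conf, live_dir, apache_version=(2, 4, 7)):
    """Return (new_conf, old_paths) with the SSL directives aimed at live_dir.

    live_dir is assumed to hold cert.pem, chain.pem, fullchain.pem, privkey.pem.
    """
    # Apache >= 2.4.8 loads intermediates from SSLCertificateFile and treats
    # SSLCertificateChainFile as obsolete; 2.4.7 (Ubuntu 14.04) still needs it.
    legacy = apache_version < (2, 4, 8)
    targets = {
        "SSLCertificateFile": "cert.pem" if legacy else "fullchain.pem",
        "SSLCertificateKeyFile": "privkey.pem",
        "SSLCertificateChainFile": "chain.pem" if legacy else None,
    }
    old_paths = []  # files the vhost stops referencing

    def swap(match):
        indent, name = match.group("indent"), match.group("name")
        old_paths.append(match.group("path"))
        if targets[name] is None:
            return "{}# {} dropped: chain is in fullchain.pem".format(indent, name)
        return "{}{} {}/{}".format(indent, name, live_dir.rstrip("/"), targets[name])

    return SSL_DIRECTIVE.sub(swap, conf), old_paths
```

Run `apache2ctl configtest` on the rewritten file before restarting Apache, and delete the files in `old_paths` only after the site is serving the new certificate.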
