1st renewal of letsencrypt certificate

I got an email telling me to renew. I was hoping this would be automatic but it seems not to be so.

I have done some googling and found some documentation which I have tried.

It seems all I need is to run certbot renew which I did but it failed.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomain.com
Using the webroot path /var/www/passbolt/webroot for all unmatched domains.
Waiting for verification...
Challenge failed for domain mydomain.com
http-01 challenge for mydomain.com
Cleaning up challenges
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)

I have tried to read up on http-01 but at this point I can't see the wood for the trees. What I need is some simple instructions on what to do to set up this authentication.

I have full control of both the Passbolt server and my domain’s dns.

Some advice would be welcome.

Sleeping on this and reading some more, the penny finally dropped.

The HTTP-01 challenge is done on port 80 and our router sends port 80 to a different web server - only 443 goes to Passbolt.

Temporarily changing the router to send port 80 to Passbolt and then running certbot renew gets the job done in a few seconds.

If not for our non-standard setup, this could be automated with a simple cron job.

So that is what we will do every three months - unless someone can advise how we can redirect.

Passbolt is linked to a specific domain not used for anything else. Is there anything we can do on our general web server (to which port 80 is normally directed) to redirect the Passbolt traffic?

Both servers are on the same local network on different local IPs.

I see there is an alternative DNS-01 challenge that I could use. Would that be easier to set up? (A first reading of the docs has left me confused.)

Hi @LesD!

You certainly could use the DNS challenge; it usually requires adding a TXT entry in your DNS zone with some token so Let's Encrypt can validate your domain.

You can also add an entry in your nginx/apache config with a location '/.well-known/*' that is served over http and points to the right folder on your Passbolt server. There are plenty of howtos and documentation on the internet.
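As an added example (not configuration from the thread or from Passbolt itself), one way to implement the location the reply above describes so that port 80 can stay pointed at the general web server: the general server answers for the Passbolt-only name on port 80, hands only the ACME challenge path to the Passbolt host over plain HTTP on the LAN, and sends everything else to HTTPS, which the router already routes to Passbolt. The LAN address 192.168.1.20 is assumed; mydomain.com and the webroot /var/www/passbolt/webroot come from the certbot log earlier in the thread. The second server block is only needed if the Passbolt host's own port-80 server does not already serve that webroot path.

```nginx
# --- On the general web server (the host the router sends port 80 to) ---
server {
    listen 80;
    server_name mydomain.com;          # the Passbolt-only domain from the certbot log

    # Forward ACME HTTP-01 requests to the Passbolt host over plain HTTP.
    # "^~" is a prefix match that wins over regex locations elsewhere in the
    # config, so a generic PHP/static rule cannot swallow the challenge path.
    # 192.168.1.20 is an assumed LAN address for the Passbolt host.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://192.168.1.20:80;   # no URI part: original path is kept
        proxy_set_header Host $host;
    }

    # Anything else for this name belongs to Passbolt over HTTPS, and the
    # router already sends 443 to the Passbolt host.
    location / {
        return 301 https://$host$request_uri;
    }
}

# --- On the Passbolt host: serve the certbot webroot on port 80 ---
server {
    listen 80;
    server_name mydomain.com;

    # certbot's webroot authenticator writes the challenge file under
    # <webroot>/.well-known/acme-challenge/<token>; "root" maps the URI onto it.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/passbolt/webroot;  # the webroot path shown in the certbot log
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

After `nginx -t` and a reload on both hosts, `certbot renew --dry-run` on the Passbolt host exercises the whole path against the Let's Encrypt staging environment without touching the real certificate, so the routing can be checked before the next real renewal is due.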

Thank you.

That is what I was hoping to hear/see but the documentation is talking about creating the TXT record via APIs…

For me to create a TXT record manually would be simple. Where do I get the text to put there? Can it be left permanently or does it change each time?
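An added example, not code from the thread, from certbot or from Passbolt, showing where the text in a DNS-01 TXT record comes from and why it is different on each renewal (RFC 8555 section 8.4, with the HTTP-01 key authorization from section 8.1 alongside for comparison). The ACME server issues a fresh token per challenge; the client joins it to the thumbprint of its account key (RFC 7638), hashes that string with SHA-256, and publishes the base64url of the hash at `_acme-challenge.<domain>`. The JWK and the two tokens below are constructed placeholders, not a real account key or real challenges.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME and JOSE use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(text: str) -> str:
    """base64url(SHA-256(text)); used for both the thumbprint and the TXT value."""
    return b64url(hashlib.sha256(text.encode("utf-8")).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key.

    Only the required public members are hashed, serialised with keys in
    lexicographic order and no whitespace; extra members such as "alg" or
    "kid" do not take part.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical)


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.1: the body HTTP-01 serves at /.well-known/acme-challenge/<token>."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.4: the TXT record value for _acme-challenge.<domain>."""
    return sha256_b64url(key_authorization(token, thumbprint))


def dns01_record(domain: str, token: str, thumbprint: str) -> tuple:
    """(record name, value) pair to publish, whether by hand or via a DNS API."""
    return f"_acme-challenge.{domain}", dns01_txt_value(token, thumbprint)


# Constructed placeholder account key: the modulus is not a real RSA key.
EXAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "placeholder-modulus-not-a-real-key",
    "alg": "RS256",  # present in real account keys, ignored by the thumbprint
}

# Constructed tokens standing in for what the ACME server sends on two
# separate renewals; real ones are random base64url strings.
EXAMPLE_TOKENS = ("token-issued-for-first-renewal", "token-issued-for-second-renewal")

if __name__ == "__main__":
    thumb = jwk_thumbprint(EXAMPLE_JWK)
    print("account key thumbprint (stable while the account key is kept):", thumb)
    for tok in EXAMPLE_TOKENS:
        name, value = dns01_record("mydomain.com", tok, thumb)
        print(f"{name} TXT {value}")
        print("  HTTP-01 equivalent body:", key_authorization(tok, thumb))
```

The thumbprint only changes if the ACME account key changes, but the token is new for every challenge, so the TXT value differs on every renewal and cannot be left in place permanently. certbot's `--manual --preferred-challenges dns` mode prints the computed value and waits for the record to be published; automating that step is what the DNS-API hooks in the documentation are for.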
