homeabouttutorials
dog silhouettes

2023-06-9

Renewing our certificate

The production version of the colrc application runs with https, meaning that all traffic to and from the app is encrypted. This is a very important, and it requires that we maintain a certificate verifying that our domain is registered to us and the URL we're running at is registered with that domain.

Every so often, that certificate requires renewal.

For (waves hands in the air) reasons, we have not automated our certificate renewal process. Yet. Instead, we update the certificate manually.

Renew the certificate

what you need

  • root access to the production server
  • access to the AWS Dashboard for the domain thecolrc.org
  • you MUST remember to use the DATABASE PASSWORD when you down the application

what you do

We use letsencrypt as our certificate generator.

And we store our certificates in a directory that lives on our production server at /etc/letsencrypt. This folder is owned by root. ssh into the production server, navigate to the root of /colrc-v2 and down the application by running, and using the DATABASE PASSWORD when prompted for a pwd.

./disaster.sh

When the script prompts you for a pwd, use our database pwd, not your sudo pwd. If you enter the wrong pwd, stop. You'll need to (a) remove the db_data folder, (b) copy the colrc_new.sql file as the colrc.sql file, (c) go to the disaster.sh script and comment out the pg_dump. Then run that script, then up the application again. ffs.

With the system down, su to root. Navigate /etc/letsencrypt, and run this command:

sudo certbot certonly

You'll see a dialog that looks like this:

How would you like to authenticate with the ACME CA?

1: Nginx Web Server plugin (nginx) 2: Spin up a temporary webserver (standalone) 3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press 'c' to cancel):

Select option 2.

The certificate renewal should succeed, and Certbot will ask you for money. Ignore that.

Check that you have a new certificate.

Navigate to the subfolder called live, > thecolrc.org, then run ls -la. You'll see four files that have the extension .pem. They should have the correct date.

You can also navigate back up one level and over to archive. That folder contains the old and new pem files.

Copy the new certificate into the correct directory

Navigate to the root of /colrc-v2/certbot. Type ls and confirm that there is a subdirectory letsencrypt. While in the certbot directory, delete the directory and all its contents:

rm -rf ./letsencrypt

Then copy the newly refreshed directory into this place:

cp -R /etc/letsencrypt .

Change the ownership of the letsencrypt directory in certbot to match your user credentials:

chown -R [username]:[username] letsencrypt

Build and up the app

Exit from root, become yourself again. Navigate back to /home/[youruser]/colrc-v2.

To bring the system back up, execute the build script (making sure that the script is set to rebuild the images).

./build.sh

Then keep your fingers and toes crossed that the system comes back up again.

When it reconstructs its mapped drive, it'll find the new (valid) certificate.

Navigate to the site from a browser at https://thecolrc.org and it (should) show that the site is secured.

If it doesn't, um, contact Amy and John. We'll cry and then see if we can fix it.