Renovar ssl evitando errores

Renombramos los ficheros del certificado caducado, por si acaso hubiera algún fallo, poder volver atrás.

mv /etc/letsencrypt/archive/tpv.ircosl.com /etc/letsencrypt/archive/tpv.ircosl.com_old
mv /etc/letsencrypt/live/tpv.ircosl.com /etc/letsencrypt/live/tpv.ircosl.com_old
mv /etc/nginx/sites-available/tpv.ircosl.com /etc/nginx/sites-available/tpv.ircosl.com_old
mv /etc/nginx/sites-enable/tpv.ircosl.com /etc/nginx/sites-enable/tpv.ircosl.com_old

Seguir con el proceso de creado de certificado

sudo nano /etc/nginx/sites-available/tpv.ircosl.com


------------------------INICIO CODIGO---------------------------------
server {
  listen 80;
  server_name tpv.ircosl.com tpv.ircosl.com;

  include snippets/letsencrypt.conf;
}
------------------------------FIN CODIGO-------------------------------


sudo ln -s /etc/nginx/sites-available/tpv.ircosl.com /etc/nginx/sites-enabled/

sudo systemctl restart nginx

sudo certbot certonly --agree-tos --email soporteti@ircosl.com --webroot -w /var/lib/letsencrypt/ -d tpv.ircosl.com

------------------EJEMPLO CERTIFICADO INSTALADO CORRECTAMENTE-----------------------------

 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/tpv.ircosl.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/tpv.ircosl.com/privkey.pem
   Your cert will expire on 2020-09-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 - We were unable to subscribe you the EFF mailing list because your
   e-mail address appears to be invalid. You can try again later by
   visiting https://act.eff.org.
-------------------------------------------------------------------------------------------
/// Una vez se ha generado el certificado CUIDADO!! 

En la carpeta /etc/letsencrypt/archive/ se ha generado el certificado pero con otro nombre, véase tpv.ircosl.com-0001. Debemos renombrar este ficheros en este punto quitándole el -0001

En su interior veremos que los archivos pem también están nombrados a chain1.pem, fullchain1.pem, cert1.pem, etc, por lo que también hay que renombrarlos quitándole el 1. 

Después en la carpeta live eliminar los enlaces simbólicos para volverlos a generar de nuevo.

ASEGURARSE BIEN DE QUE TODO ESTÁ CORRECTO

--------------------------------------------------------------------
/// Editar tpv.ircosl.com
--------------------------------------------------------------------

sudo nano /etc/nginx/sites-available/tpv.ircosl.com


------INICIO CODIGO (REMPLAZAR LA INFORMACION ANTERIOR EN LE ARHIVO)-----------------------

server {
    listen 80;
    server_name tpv.ircosl.com tpv.ircosl.com;

    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name tpv.ircosl.com;

    ssl_certificate /etc/letsencrypt/live/tpv.ircosl.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tpv.ircosl.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/tpv.ircosl.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://tpv.ircosl.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name tpv.ircosl.com;

    ssl_certificate /etc/letsencrypt/live/tpv.ircosl.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tpv.ircosl.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/tpv.ircosl.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # . . . other code
}
------FIN CODIGO (REMPLAZAR LA INFORMACION ANTERIOR EN LE ARHIVO)-----------------------


sudo systemctl reload nginx

------------------------------------------------
//// Renovar Certificados Vencidos
------------------------------------------------

service nginx stop

sudo certbot certonly --agree-tos --email soporteti@ircosl.com --webroot -w /var/lib/letsencrypt/ -d tpv.ircosl.com

service nginx start


-----------------------------------------
/// Configuracion Final de SSL y Nginx
-----------------------------------------

-----------------------------------------
/// Editar tpv.ircosl.com
-----------------------------------------

sudo nano /etc/nginx/sites-enabled/tpv.ircosl.com


-----------INICIO CODIGO (REMPLAZAR LA INFORMACION ANTERIOR EN LE ARHIVO)-----------------

# Odoo servers
upstream odoo {
 server 127.0.0.1:8069;
}

upstream odoochat {
 server 127.0.0.1:8072;
}

# HTTP -> HTTPS
server {
    listen 80;
    server_name tpv.ircosl.com;

    include snippets/letsencrypt.conf;
    return 301 https://tpv.ircosl.com$request_uri;
}

# WWW -> NON WWW
#server {
#    listen 443 ssl http2;
#    server_name tpv.ircosl.com;

#    ssl_certificate /etc/letsencrypt/live/tpv.ircosl.com/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/tpv.ircosl.com/privkey.pem;
#    ssl_trusted_certificate /etc/letsencrypt/live/tpv.ircosl.com/chain.pem;
#    include snippets/ssl.conf;

#    return 301 https://tpv.ircosl.com$request_uri;
#}

server {
    listen 443 ssl http2;
    server_name tpv.ircosl.com;

    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;

    # Proxy headers
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/tpv.ircosl.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tpv.ircosl.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/tpv.ircosl.com/chain.pem;
    include snippets/ssl.conf;

    # log files
    access_log /var/log/nginx/odoo.access.log;
    error_log /var/log/nginx/odoo.error.log;

    # Handle longpoll requests
    location /longpolling {
        proxy_pass http://odoochat;
    }

    # Handle / requests
    location / {
       proxy_redirect off;
       proxy_pass http://odoo;
    }

    # Cache static files
    location ~* /web/static/ {
        proxy_cache_valid 200 90m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo;
    }

    # Gzip
    gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}

------FIN CODIGO (REMPLAZAR LA INFORMACION ANTERIOR EN LE ARHIVO)-----------------------

En este punto debemos para atención en el nombre de la carpeta que se ha generado en el certificado. La ubicación es /etc/letsencrypt/live/tpv.ircosl.com. En esta ubicación comprobamos que se ha generado el certificado con sufijo -0002. 

Pues debemos de quitar ese prefijo solo en la carpeta live, en archive se debe de quedar tal cual.

sudo systemctl restart nginx

Deja una respuesta 0

Your email address will not be published. Required fields are marked *