How to regenerate SSL certificate

Every 3 months the SSL certificate expires, so I need to regenerate it. I also generated a new one, but I think I missed some steps to apply it to my website. Can you help me use it?

In OpenVidu >2.15.0 version, SSL certificates for letsencrypt are updated automatically

But if you want to regenerate it manually using Certbot:
certbot-auto renew --dry-run
Make it auto-renew using crontab.
For more info, google it.
But I think for OpenVidu 2.15.0 you don’t need to, as @cruizba said, but for your other application you have to configure it yourself.
Thanks

For MANUAL LET’S ENCRYPT REGENERATION (assuming you have the docker-based installation >= 2.13):

just delete/rename the “certificates” subfolder and start openvidu again

details in this thread:

I have deployed OpenVidu 2.15.1 and am monitoring the SSL certificate status with Nagios. Every day it throws a warning message about the certificate (letsencrypt) expiring in 1 month or so. Based on the above discussion, I just want to be sure whether I have to do something at this point. Do I have to wait until OpenVidu regenerates the certificate, or is there anything further that should be done?

I think OpenVidu uses automatic SSL certificate renewal, so don’t worry about it.
Thanks
Vipin

Something is wrong, it should not notify about expiration.

Maybe you’ve updated the infra from older versions and the nginx container did not configure autorenew correctly. What I recommend is to regenerate the certificates again.

  1. SSH into OpenVidu machine
  2. Remove /opt/openvidu/certificates
  3. Restart openvidu:
sudo su
cd /opt/openvidu
./openvidu restart

Regards,
Carlos

Hi @cruizba. Thank you for the reply. I have created a totally new OpenVidu instance with the CloudFormation template provided. Do you mean Nagios should not alert, or OpenVidu itself? I received the alert from Nagios since it checks the SSL certificate expiration time. I have noticed in the docs for version 2.15.1 that it auto-regenerates the certificate when it expires, but I wanted to be sure that is so, because in production it can be a headache until certificate regeneration is completed manually.

Your Nagios should not alert about certificate expirations because OpenVidu Nginx container has an autorenew crontab which renews the certificate every 12 hours: openvidu/entrypoint.sh at master · OpenVidu/openvidu · GitHub.

If you’re running OpenVidu with nginx running with CERTIFICATE_TYPE=letsencrypt option it should do the task for you.

If you are still facing notifications from Nagios with your new deployment, please report it here.

@cruizba I have configured it to alert as Warning (45 days), Critical (15 days). That is why it keeps alerting us every day that the certificate is expiring in (45-n) days. But if you say it should not alert and should renew the cert every 12 hours, I don’t know what to do about that. Please let me know the steps I should take.

If you’ve redeployed, it should be fixed; can’t do much though. Let’s wait to see if it notifies you again.

@cruizba could you please let me know the location of that cronjob so I can check if everything looks good.

If autorenew is working, there should be logs in /var/log/cron-letsencrypt.log inside of the nginx container after 12 hours.

This command should show you the crontab command:

sudo docker exec -it openvidu_nginx_1 crontab -l

If you want to test if the autorenew is working execute this:

sudo docker exec -it openvidu_nginx_1 certbot renew --post-hook "nginx -s reload"

It should return something like that if you’ve deployed some hours ago:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<YOUR_DOMAIN>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/<YOUR_DOMAIN>/fullchain.pem expires on 2021-04-01 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - 

@cruizba As I understood, it runs a cronjob every 12 hours and checks if the cert is expired or not. If the cert has not expired yet, it shows “No renewals were attempted. No hooks were run.” If the cert expires, then it renews it. Because I have deployed OpenVidu more than 1 month ago.

As I understood it runs cronjob every 12 hours

Yes

checks if cert is expired or not

No. It always tries to renew. So if your certificate has 30 days before being invalidated, this command will be executed successfully.

I think that’s the problem. You have the alert 45 days before the certificate expires, and letsencrypt lets you renew the certificate 30 days before.

I would decrease your warning alarm to 29 days.

This crontab will try to renew the certificate every 12 hours, but it will not be renewed until the certificate has 30 days to expire.

References: [SOLVED] How often to renew? - #2 by pfg - Help - Let's Encrypt Community Support

Regards
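An added example (not part of the thread, and not OpenVidu, certbot or Nagios code) of the threshold mismatch described in the reply above: it reads the `expires on` line from `certbot renew` output, evaluates it with Nagios-style warning/critical thresholds, and counts how many days a year a certificate that renews on schedule would still alert. It assumes a 90-day certificate lifetime, the 30-day renewal window mentioned above, and a constructed sample using the placeholder domain example.org.

```python
import re
from datetime import date, timedelta

OK, WARNING, CRITICAL = 0, 1, 2   # Nagios plugin exit codes
RENEW_WINDOW = 30                 # days before expiry at which renewal starts (per the thread)
LIFETIME = 90                     # assumed Let's Encrypt certificate lifetime in days

# Constructed sample modelled on the `certbot renew` output quoted in the thread;
# example.org is a placeholder domain.
SAMPLE = """The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.org/fullchain.pem expires on 2021-04-01 (skipped)
No renewals were attempted.
"""

def parse_expiries(output):
    """Map certificate path -> expiry date from certbot's 'expires on' lines."""
    pairs = re.findall(r"^\s*(\S+) expires on (\d{4}-\d{2}-\d{2})", output, re.M)
    return {path: date.fromisoformat(day) for path, day in pairs}

def check(expiry, today, warn_days, crit_days):
    """Return (nagios_status, days_left) for one certificate."""
    days_left = (expiry - today).days
    if days_left < crit_days:
        return CRITICAL, days_left
    if days_left < warn_days:
        return WARNING, days_left
    return OK, days_left

def alert_days(warn_days, crit_days, days=365, start=date(2021, 1, 1)):
    """Count days a certificate that renews on schedule would still raise an alert."""
    expiry, alerts = start + timedelta(days=LIFETIME), 0
    for n in range(days):
        today = start + timedelta(days=n)
        if (expiry - today).days < RENEW_WINDOW:      # the 12-hourly cron job renews
            expiry = today + timedelta(days=LIFETIME)
        alerts += check(expiry, today, warn_days, crit_days)[0] != OK
    return alerts

if __name__ == "__main__":
    expiry = parse_expiries(SAMPLE)["/etc/letsencrypt/live/example.org/fullchain.pem"]
    print(check(expiry, date(2021, 2, 20), 45, 15))   # healthy cert, 45-day warning
    print(check(expiry, date(2021, 2, 20), 29, 15))   # same cert, 29-day warning
    print(check(expiry, date(2021, 3, 10), 29, 15))   # renewal stalled: still caught
    print(alert_days(45, 15), alert_days(29, 15))
```

A warning threshold inside the renewal window stays silent while renewal works and still fires once a renewal has been missed, which is the case the monitor is there to catch.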

Now it is clear. Thank you for clarification @cruizba

You’re welcome @OgtayTasinov 🙂

As I said, there is no problem with renewal, but there is a warning message.
Looks like this is also gone 😀

Yep @vipin_mishra, thanks. You were right. I just wanted to be sure there was no other problem involved. Bugs happen, you know 🙂

Regards