Webstack - Security Certificate Renewal

Created by: Lester Caine, Last modification: 21 hours 40 minutes ago

The only notes I can find about this are Security Certificate Renewal on lsces.uk, so it is probably about time it was documented fully WHILE I still have the commands in the terminal history.

The main problem was that I had forgotten to copy the /root/.acme.sh directory over before wiping the problem server, so all I had was an older version from the previous server, which on the whole had run smoothly. That was rsynced from srv9 to srv10 and renamed to .acme.sh at the command prompt. The first steps were to update and configure it on the new install. The following list of commands is a lot shorter than the one I actually used, having been trimmed in response to the warnings, and is now in the optimum order to hopefully eliminate mis-steps, something I can verify when rebuilding the older server to a newer distribution.

zypper in socat                 # used by acme.sh --standalone mode; harmless if only webroot mode is used
./acme.sh --upgrade             # bring the copied client up to date before anything else
crontab -e                      # check for a stale entry carried over from the old server
./acme.sh --install-cronjob     # (re)install the daily acme.sh --cron entry
./acme.sh --list                # confirm every domain, its key type and its next renewal date
./acme.sh --renew-all           # renew whatever is due; failures show up here

This flagged up two problems: the missing phpsurgery.uk domain, which had been sorted on the new server, and rainbowdigitalmedia.uk, which for some reason would not renew. Adding the missing domain was something of a doddle, but the second problem was more challenging. A new domain takes the format ...

# -w is the webroot: the CA must be able to fetch http://<each -d name>/.well-known/acme-challenge/<token> from it over plain port 80
./acme.sh --issue -w /srv/website/phpsurgery -d phpsurgery.uk -d www.phpsurgery.uk -d phps.rdm1.uk --keylength 4096     # RSA certificate
./acme.sh --issue -w /srv/website/phpsurgery -d phpsurgery.uk -d www.phpsurgery.uk -d phps.rdm1.uk --keylength ec-384   # ECDSA certificate, kept by acme.sh as a separate _ecc entry
# install the RSA pair; the paths are recorded in the domain's .conf and reused on every renewal
/root/.acme.sh/acme.sh --install-cert -d phpsurgery.uk \
  --key-file /etc/nginx/ssl/phpsurgery.uk.key \
  --fullchain-file /etc/nginx/ssl/phpsurgery.uk.fullchain.crt \
  --ca-file /etc/nginx/ssl/phpsurgery.uk.ca.crt \
  --cert-file /etc/nginx/ssl/phpsurgery.uk.crt
# install the ECDSA pair under separate file names; nginx can load both with a second ssl_certificate/ssl_certificate_key pair
/root/.acme.sh/acme.sh --install-cert --ecc -d phpsurgery.uk \
  --key-file /etc/nginx/ssl/phpsurgery.uk.key.ecc \
  --fullchain-file /etc/nginx/ssl/phpsurgery.uk.fullchain.crt.ecc \
  --ca-file /etc/nginx/ssl/phpsurgery.uk.ca.crt.ecc \
  --cert-file /etc/nginx/ssl/phpsurgery.uk.crt.ecc

All that was needed then was to update the .conf file to add Le_ReloadCmd='systemctl reload nginx', as appears in the other files. I had not realised that nginx was restarted after an automatic update, but it's nice to know that it is. The rainbowdigitalmedia.uk problem perhaps took too long to figure out. I was trying the Claude Haiku 3.5 chatbot, as Mistral was partially responsible for the original system crash! All the chatbots get stuck in the question and fail to consider other possible problems. They all fail to think 'why'! Eventually --debug 2 flagged up that something was wrong in nginx rather than acme.sh, and it turned out I had the :80 port on rainbowdigitalmedia.uk forwarding to lsces.uk, something that Claude failed to pick up on. Fix nginx and all good to go. I had already wiped the domain by then, so I ran the above script, modified for the domains, and we are all good again. Hopefully simply cloning the new .acme.sh folder to the next machine will be all that is needed ... for reference from srv10 ...

# /root/.acme.sh carries the ACME account key and every domain's private key: keep it root-only at both ends
# (-a preserves the modes) and run ./acme.sh --uninstall-cronjob on srv10 once srv11 takes over, so only one host renews
rsync -avz /root/.acme.sh/ root@srv11:/root/.acme.sh/
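The port 80 forward that broke rainbowdigitalmedia.uk is the classic HTTP-01 failure: acme.sh writes the token under the -w webroot, but the CA fetches it from http://<domain>/.well-known/acme-challenge/<token>, following any redirects, and if that request lands on another site the body is never the token. The pre-flight script below is an added example, not part of these notes or of acme.sh: it plants a throw-away token, fetches it the way the CA would, and says whether the answer came from this domain's webroot or from somewhere else. The domain and webroot in the usage line are assumed values.

```shell
#!/bin/sh
# Added example (not from the original page or from acme.sh): pre-flight check
# for the HTTP-01 webroot validation that "acme.sh --issue -w" relies on.

# Judge a probe result. Arguments: HTTP status, body received, token that was
# planted, URL the request finally landed on, domain being validated.
# Returns 0 when the CA would accept the response, 1 otherwise.
evaluate_probe() {
    status=$1; body=$2; token=$3; final_url=$4; domain=$5
    # host part of the final URL: strip scheme, then path, then port
    final_host=${final_url#*://}
    final_host=${final_host%%/*}
    final_host=${final_host%%:*}
    if [ "$status" = "200" ] && [ "$body" = "$token" ]; then
        echo "OK: $domain serves the challenge token from its webroot"
        return 0
    fi
    if [ "$final_host" != "$domain" ]; then
        # the rainbowdigitalmedia.uk failure mode: port 80 forwards to another site
        echo "FAIL: request for $domain ended up at $final_host (port 80 forwarding to another site?)" >&2
    else
        echo "FAIL: HTTP $status and the body is not the token (wrong -w webroot, or a 404/index page answered?)" >&2
    fi
    return 1
}

# Plant a token under <webroot>/.well-known/acme-challenge/, fetch it over
# plain HTTP as the CA does, clean up, and judge the result.
probe_domain() {
    domain=$1; webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$(date +%s)-$$"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    body_file=$(mktemp)
    # -L follows redirects like the validator; %{url_effective} shows where it ended up
    result=$(curl -sS -L --max-redirs 5 -o "$body_file" \
        -w '%{http_code} %{url_effective}' \
        "http://$domain/.well-known/acme-challenge/$token") || result="000 http://$domain/unreachable"
    rm -f "$dir/$token"
    body=$(cat "$body_file")
    rm -f "$body_file"
    status=${result%% *}
    final_url=${result#* }
    evaluate_probe "$status" "$body" "$token" "$final_url" "$domain"
}

# usage (assumed domain and webroot): sh preflight.sh rainbowdigitalmedia.uk /srv/website/rainbowdigitalmedia
if [ $# -eq 2 ]; then
    probe_domain "$1" "$2"
fi
```

If the probe reports the request ending on another host, the fix is on the nginx side, which is what --debug 2 eventually pointed at above: in the port 80 server block for the domain, put a `location ^~ /.well-known/acme-challenge/ { root /srv/website/<name>; }` ahead of the catch-all redirect so the token is served from the same directory passed to -w, reload nginx, and rerun --issue. A redirect from port 80 to https on the same host is fine, since the validator follows it and the probe still returns the token. Separately, acme.sh accepts `--reloadcmd 'systemctl reload nginx'` on the --install-cert command line, which records Le_ReloadCmd in the domain's .conf without editing the file by hand.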