Renew a Let’s Encrypt Certificate

Carbonio can renew certificates either manually, using the standard certbot interface, or automatically.

Warning

You need to use the certbot command shipped by Carbonio, not the one provided by other clients such as certbot or acme.

Manual renewal

Hint

Commands for the manual renewal must be issued as the zextras user.

Manual renewal amounts to launching the command certbot renew on the Node that installs the Proxy Role.

If your Carbonio infrastructure has multiple Proxy Nodes, first find the one responsible for certificate management, using the command

zextras$ certbot certificates

If the output contains something like the following, you are on the right Node:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: example.com
Serial Number: serial number
Key Type: ECDSA
Domains: demo.zextras.io
Expiry Date: 2024-01-31 12:50:33+00:00 (VALID: 14 days)
Certificate Path: certificate path /fullchain.pem
Private Key Path: private key path /privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

To renew the Let’s Encrypt certificate, issue the command

zextras$ certbot renew

This command attempts to renew any previously-obtained certificates that expire in less than 30 days.
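The output of certbot certificates shown above is easy to check by script before deciding whether a renewal is due. The following POSIX shell snippet is an added example, not Carbonio code: it parses that output format, reports the days left for a named certificate, and applies the same 30-day threshold that certbot renew uses. The sample output embedded in the script is constructed for the demo (the names, serial and paths are placeholders); in practice feed it the real output of certbot certificates run as the zextras user.

```shell
#!/bin/sh
# Added example (not part of the Carbonio documentation or its tooling).
# Constructed sample of `certbot certificates` output; real runs would use:
#   SAMPLE_OUTPUT=$(certbot certificates 2>/dev/null)
SAMPLE_OUTPUT='- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: example.com
    Serial Number: PLACEHOLDER-SERIAL-1
    Key Type: ECDSA
    Domains: demo.zextras.io
    Expiry Date: 2024-01-31 12:50:33+00:00 (VALID: 14 days)
    Certificate Path: /PLACEHOLDER/live/example.com/fullchain.pem
    Private Key Path: /PLACEHOLDER/live/example.com/privkey.pem
  Certificate Name: old.example.com
    Serial Number: PLACEHOLDER-SERIAL-2
    Key Type: RSA
    Domains: old.example.com
    Expiry Date: 2023-12-01 00:00:00+00:00 (INVALID: EXPIRED)
  Certificate Name: fresh.example.com
    Serial Number: PLACEHOLDER-SERIAL-3
    Key Type: ECDSA
    Domains: fresh.example.com
    Expiry Date: 2024-04-01 00:00:00+00:00 (VALID: 75 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -'

# days_left NAME OUTPUT: print days until NAME expires (0 if certbot
# reports it as INVALID/EXPIRED); print nothing if NAME is not listed,
# which on a multi-Proxy setup means this Node does not manage it.
days_left() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /Certificate Name:/ { cur = $3 }
        cur == want && /Expiry Date:/ {
            if ($0 ~ /INVALID/) { print 0; exit }
            if (match($0, /VALID: [0-9]+ day/)) {
                s = substr($0, RSTART + 7); sub(/ .*/, "", s); print s; exit
            }
        }'
}

# needs_renewal NAME OUTPUT: succeed when NAME is within the 30-day window
# that `certbot renew` acts on (the page states the same threshold).
needs_renewal() {
    d=$(days_left "$1" "$2")
    if [ -n "$d" ] && [ "$d" -lt 30 ]; then return 0; fi
    return 1
}

for n in example.com old.example.com fresh.example.com; do
    if needs_renewal "$n" "$SAMPLE_OUTPUT"; then
        echo "$n: renew now ($(days_left "$n" "$SAMPLE_OUTPUT") days left)"
    else
        echo "$n: ok"
    fi
done
```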

Automatic renewal

Hint

Commands for the automatic renewal must be issued as the root user.

In order to automatically renew the Let’s Encrypt certificate, Carbonio makes available two facilities: carbonio-certbot.timer, disabled by default, and carbonio-certbot.service.

To check the status of the timer, launch the command

# systemctl status carbonio-certbot.timer

If the output is like the following, the timer is disabled:

● carbonio-certbot.timer - Run Carbonio Certbot twice daily
    Loaded: loaded (/lib/systemd/system/carbonio-certbot.timer; disabled; vendor preset: enabled)
    Active: inactive (dead)
   Trigger: n/a
  Triggers: ● carbonio-certbot.service

To enable the timer, issue the command

# systemctl enable --now carbonio-certbot.timer

The output of systemctl status carbonio-certbot.timer should now show the timer as active, for example:

Active: active (waiting) since Wed 2024-01-17 10:28:34 UTC; 3min 30s ago

If you now list all the timers, you will see when certbot last ran and when it will run next:

# systemctl list-timers --all

You will see in the output:

NEXT                        LEFT          LAST                        PASSED       UNIT                         ACTIVATES
Wed 2024-01-17 20:37:58 UTC 3h 34min left Wed 2024-01-17 06:21:59 UTC 10h ago      carbonio-certbot.timer       carbonio-certbot.service

Finalise Renewal

Once the certificate has been renewed, run the two deployment commands as the zextras user:

zextras$ /opt/zextras/libexec/zmproxyconfgen
zextras$ /opt/zextras/bin/zmproxyctl reload

If you have multiple Proxy Nodes, run both commands on every Proxy Node.