Security Certificate Renewal

Created by: Lester Caine, Last modification: 21 Mar 2025 (15:48 GMT)

While playing around with the CGI stuff, a couple of problems popped up in relation to the Let's Encrypt security certificates. I have a package called acme.sh running which in theory will update the certificates as they fall due, and on the whole this seems to be working, except that Let's Encrypt has decided to drop a facility that all the sites had been set up to use: the Online Certificate Status Protocol (OCSP). I had already modified all the configuration files to stop them asking for it when a certificate renewed, but had not yet checked what else needed to be done. I'd had warnings that the graham-ovenden.uk site had a problem renewing, which turned out to be a silly redirect error ... redirecting the http port to itself rather than the https one. Once corrected, the renewal ran fine (acme.sh --renew --domain graham-ovenden.uk), but restarting nginx kicked up a warning and nicely pointed to the block of settings in the vhost.conf file relating to the OCSP activation:

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# Verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/nginx/ssl/graham-ovenden.uk/fullchain.cer;

This block is now redundant and will need to be removed from the relevant vhost file as each of the other domains is renewed without it. At least everything seems to be swapping over correctly, which was something I had not been sure about, so fingers crossed the rest go as smoothly.
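As an added example (not code from the page or from acme.sh), a small POSIX shell helper that counts the stapling directives left in a vhost file and strips the redundant block once that domain has been renewed without OCSP, keeping a .bak copy so the change can be reverted; the vhost paths and the example.test sample vhost are constructed for illustration.

```shell
#!/bin/sh
# Added example: remove the now-redundant OCSP stapling block from an nginx vhost file.
# File paths are assumptions; adjust to your own layout.

# count_ocsp_directives FILE -> prints how many stapling-related directives FILE still has
count_ocsp_directives() {
    grep -cE '^[[:space:]]*(ssl_stapling|ssl_stapling_verify|ssl_trusted_certificate)[[:space:]]' "$1" || true
}

# strip_ocsp_stapling FILE -> deletes the directives and the two comment lines that introduce
# them, keeping the original as FILE.bak. Caveat: ssl_trusted_certificate is also used when
# verifying client certificates, so only strip it where the vhost does not rely on that.
strip_ocsp_stapling() {
    f="$1"
    cp -p "$f" "$f.bak" || return 1
    sed -E \
        -e '/^[[:space:]]*ssl_stapling(_verify)?[[:space:]]+(on|off)[[:space:]]*;/d' \
        -e '/^[[:space:]]*ssl_trusted_certificate[[:space:]]+/d' \
        -e '/^[[:space:]]*#[[:space:]]*OCSP stapling/d' \
        -e '/^[[:space:]]*#[[:space:]]*Verify chain of trust of OCSP response/d' \
        "$f" > "$f.new" && mv "$f.new" "$f"
}

# write_sample_vhost FILE -> constructed vhost fragment mirroring the block quoted above
write_sample_vhost() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/nginx/ssl/example.test/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/example.test/example.test.key;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # Verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/nginx/ssl/example.test/fullchain.cer;
}
EOF
}

# Usage: sh strip_ocsp.sh /etc/nginx/vhosts/*.conf && nginx -t && nginx -s reload
if [ $# -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s stapling directive(s) before\n' "$f" "$(count_ocsp_directives "$f")"
        strip_ocsp_stapling "$f"
    done
fi
```

Run nginx -t after stripping so a typo in the remaining configuration is caught before the reload.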

The other problem was a little more tricky, as it was certificates for a block of James's domains that still forward to cotswoldsecuritygroup.uk. I think that the only reason I haven't just switched them all off is as a reminder of just what he had achieved during his life, and while I've not renewed three domains that have just expired, I will probably just let it all die as they do pass on and perhaps just keep the original cotswoldsecurity.uk domain. Renewing the certificates on these is a little fun, as I have to switch off the forwarding so that the certificates renew at all, and then put it back in place. The next problem will be dropping domains that are no longer active, and that is a little more difficult to handle, as one has to revoke the existing certificate and create a new one listing just the remaining domains. I think I can pull the list from the relevant config file, as I'm sure it did that previously, but as yet I have not needed to do it: while the missing three domains have expired, they are still forwarding to the server here. In a couple of months' time I will have to do the job properly. The one nice thing is that while James (and Robert, who was injured in the accident and has also now died) has been removed from the main website, the Welsh language copy is still active.