If you followed my last article “How to host an https WordPress site on AWS EC2 with a Let’s Encrypt SSL certificate?” you now have a Let’s Encrypt generated SSL certificate for your WordPress site.
Once in a while Let’s Encrypt will generate a new certificate if you scheduled the certbot-auto renew command.
You’ll then need to run the following commands to select the new certificate and avoid the “failed to start the Apache HTTP Server” error once your old certificate has expired:
## Once the certificate renew command is scheduled (or run manually with sudo ./etc/letsencrypt/certbot-auto renew), a new certificate is generated
## To check if a new certificate was generated you can run:
[ec2-user@ip-MyIp ~]$ locate '*certbot.pem'
/etc/letsencrypt/csr/0000_csr-certbot.pem #old certificate
/etc/letsencrypt/csr/0001_csr-certbot.pem #new certificate
## You then need to change the ssl conf to specify the new certificate:
sudo vim /etc/httpd/conf.d/ssl.conf
## Search for SSLCertificateKeyFile (vim command: ?SSLCertificateKeyFile) and change the file to the new one:
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# The old file was /etc/letsencrypt/keys/0000_key-certbot.pem
# (this note sits on its own line because Apache does not allow a comment after a directive)
SSLCertificateKeyFile /etc/letsencrypt/live/YOURDOMAIN.com/privkey.pem
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /etc/letsencrypt/live/YOURDOMAIN.com/chain.pem
## Once this is updated, simply save and quit vim (vim command: :wq) and restart the httpd service:
sudo service httpd restart
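
A pre-restart check for the edit above, as an added example that is not part of the original gist: it lists certificate directives still pointing at numbered files instead of `/etc/letsencrypt/live/`, and confirms that a certificate and private key belong together. The function names, the sample config and the `cert.pem` path are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-restart checks for the ssl.conf edit (not the author's code).

# Print each active certificate directive as "Directive path"; comment lines
# are skipped because their first field starts with '#'.
ssl_paths() {
    awk '$1 ~ /^SSLCertificate(File|KeyFile|ChainFile)$/ { print $1, $2 }' "$1"
}

# Print directives that point outside /etc/letsencrypt/live/ (for example the
# numbered files under keys/), which a renewal will not update.
# Returns 1 when at least one such directive exists.
pinned_paths() {
    local out
    out=$(ssl_paths "$1" | awk '$2 !~ /^\/etc\/letsencrypt\/live\//')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Succeed only if the certificate ($1) and private key ($2) hold the same
# public key. Returns 2 if either file cannot be parsed.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample config: the key is still pinned to a numbered file.
sample_conf() {
    cat <<'EOF'
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
  SSLCertificateFile /etc/letsencrypt/live/YOURDOMAIN.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/keys/0000_key-certbot.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOURDOMAIN.com/chain.pem
EOF
}

# Demo on the sample; on a server pass /etc/httpd/conf.d/ssl.conf instead.
demo=$(mktemp)
sample_conf > "$demo"
pinned_paths "$demo" || echo "^ pinned: point these at live/ before restarting httpd"
rm -f "$demo"
```

On the server, run `key_matches_cert` against the files named by `SSLCertificateFile` and `SSLCertificateKeyFile` and restart httpd only when it succeeds.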