Question
SSL renewal for subdomain, main domain hosted elsewhere
- Posted on February 2, 2021
- Let's Encrypt
Asked by Dan Farrow
Hello,
So for a few months now I’ve been trying to get Lets Encrypt to auto renew my domain.
I currently have a subdomain (sub.domain.com) - the A record is pointed to Digital Ocean. The main domain (domain.com) has many other records pointing to different places, so I don’t really want to switch the nameservers to Digital Ocean to use the auto-renewal that Digital Ocean supply.
I have managed to get an SSL running following various tutorials, however it would appear that Digital Ocean doesn’t see the renewals. I think I have to manually re-add the certificate each time.
Doing a dry run of certbot works, and I think my cronjob that checks once a day is working too - it seems to be generating new keys each time.
I’m pretty new to all this - is there a way to renew the same key and have Digital Ocean pick up on it, or using their “Bring your own certificate” solution do I need to manually do it each time?
Running Ubuntu 18.04 (LTS) x64
Thanks!
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.
Hi @bobbyiliev - thanks for the reply.
No, I don’t think I am using a Load Balancer. I’m pretty new to Digital Ocean and servers generally but I can see the option to spin one up. I haven’t used that.
It’s just on a normal Droplet as far as I am aware.
Hi @bobbyiliev - it’s been a while, but I am hoping you have a bit of time to help me out again!
Today the SSL failed on some machines - reading deeper, I get the feeling it’s something to do with R3 failing, as the error “r3 certificate has expired” appears on some computers/devices.
Having read through this (it’s very much at the border of my knowledge) https://community.letsencrypt.org/t/r3-intermediate-certificate-has-expired-it-issued-certs-past-its-expiration-date/160797 it appears something has changed with LetsEncrypt.
I’ve tried doing a hard renew, which worked, but hasn’t resolved the SSL issue.
I don’t suppose you’ve got any ideas do you?
I’ve done a hard renew, I’ve checked the expiry - am I missing a setting perhaps with Digital Ocean?!
Hi there @danfarrow,
Are you using this certificate for a Load Balancer? If so, I believe that the only out of the box way to have your certificate automated on the DigitalOcean side is if you manage your domain with DigitalOcean DNS. Only in this case, you can choose the Use Let’s Encrypt tab to create a new, fully-managed SSL certificate.
Regards, Bobby