LetsEncrypt manual certificate Renewals

Renewal of Lets Encrypt certificates, applicable when no auto renewals such as certbot / certmanager are being used.

Instructions

1. Exec into running nginx pod and execute,
   •  acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $DOMAIN && renew=1
2. Once command is successful, check for new certs, 
   • ls -lrt /etc/ssl/acme/$DOMAIN
3. Reload nginx to pick up new certs and verify if domain reflects right certificates,
   • nginx -s reload
4. Copy certs from pod
   1. kubectl cp nginx-2087212062-c67lk:/etc/ssl/acme/egov-micro-qa.egovernments.org/ ./certs-egov-micro-qa
5. ssh to bastion node using the key file and ssh to minion nodes with admin user one-by-one
   1. ssh -i <KEY>.pem admin@<BASTION-IP> this is not accessible outside the egovernment network. Or need to whitelist the ip.
   2. scp to writable directory on the minion
   3. ssh to minion and sudo cp to /srv/acme/egov-micro-qa.egovernments.org directory
6. Restart nginx pod to test to make sure everything is running ok

Related articles

• Page:
  LetsEncrypt manual certificate Renewals