After del. certificate, IP out of reach

Hi,

so I have deleted my certificate with this method:
sudo certbot delete

Now, my IP is out of reach, and I get the information:
AH00526: Syntax error on line 7 of /etc/httpd/conf/httpd-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/olddomain.com/fullchain.pem'
does not exist or is empty

Well yes, that is what it should be.
I have deleted it.

But why is that a problem?


Maybe this? :
When installing l.e. via certbot,
I followed the instructions of aws:

There it says, under "Prepare to install", point 2:

Edit the main Apache configuration file, /etc/httpd/conf/httpd.conf . Locate the " Listen 80 " directive and add the following lines...

I had done as requested.

Now, that I have deleted the l.e. certificate, the old info (old domain) is still in there.

I have tried to change it to new IP for example,
still the site is out of reach.

What the heck?

Also, when trying to reach it, it automatically shows https in front of the IP address
(although I had deleted the certificate, as said).

Why?

Nowhere in my script have I ever changed something to force SSL.

This is a pretty explicit error message. What don't you understand?

Apache is refusing to start because you're asking it to use a certificate that isn't there. You need to restore it from a backup or disable that virtualhost (or whole https server?)

(You can also edit that line to point to a self signed certificate and key pair)

2 Likes

Thanks for the info.
I don't have backup of this le certificate.

So, what I don't understand is why I have to deal with this problem, although I deleted the LE certificate properly...

But as I see, there are still remains of it there.

What should I do?
Delete all remaining le certificate stuff,
or run certbot again and get a new le certificate?

I am not a pro in this,
but if you would tell me what lines to edit, I could do that.

Because:

  1. You deleted the certificate (and there is usually no reason to do that)
  2. But the webserver config is still referring to the certificate, which is now missing.
2 Likes

Generate a self signed certificate:

And then change the lines starting with

SSLCertificateFile
SSLCertificateKeyFile

by putting the paths of certificate and key you have just generated instead of the missing ones.

This will make your server start, but you will get an SSL validation error: that's expected.

But, once your server starts, you can get a certificate using certbot.

And don't delete certificates. Leave them be.

3 Likes

...or, at least, adjust the server config to not require the cert before deleting the cert.

5 Likes
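The two pieces of advice above (swap the missing pair for a self-signed one, and check the config before deleting a certificate) can be scripted. The following is an added example, not code from this thread or from certbot; the sample vhost text is constructed and the replacement paths are assumptions:

```python
import os
import re

# Directives whose values mod_ssl reads at startup; a missing or empty file
# here is exactly what produces the AH00526 "does not exist or is empty" error.
CERT_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")
DIRECTIVE_RE = re.compile(
    r"^([ \t]*)(" + "|".join(CERT_DIRECTIVES) + r")[ \t]+(\S+)", re.M)

# Constructed sample of an httpd-le-ssl.conf written by `certbot --apache`.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName olddomain.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/olddomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/olddomain.com/privkey.pem
</VirtualHost>
"""

def find_cert_references(conf_text, live_dir):
    """Return (directive, path) pairs pointing inside live_dir.
    Run this over every Apache config file BEFORE `certbot delete`;
    an empty result means the lineage can be removed without breaking httpd."""
    prefix = live_dir.rstrip("/") + "/"
    return [(m.group(2), m.group(3)) for m in DIRECTIVE_RE.finditer(conf_text)
            if m.group(3).startswith(prefix)]

def missing_cert_files(conf_text):
    """Mimic mod_ssl's startup check: referenced paths that do not exist or are empty."""
    return [m.group(3) for m in DIRECTIVE_RE.finditer(conf_text)
            if not (os.path.isfile(m.group(3)) and os.path.getsize(m.group(3)) > 0)]

def rewrite_cert_paths(conf_text, cert_path, key_path):
    """Point the cert/key directives at a replacement pair (e.g. a self-signed
    one made with the openssl command later in this thread) so httpd can start."""
    new_values = {"SSLCertificateFile": cert_path, "SSLCertificateKeyFile": key_path}
    def substitute(m):
        return m.group(1) + m.group(2) + " " + new_values.get(m.group(2), m.group(3))
    return DIRECTIVE_RE.sub(substitute, conf_text)

if __name__ == "__main__":
    live = "/etc/letsencrypt/live/olddomain.com"
    print("references to", live, ":", find_cert_references(SAMPLE_CONF, live))
    print("would fail at startup:", missing_cert_files(SAMPLE_CONF))
    # Assumed placeholder paths for a self-signed pair.
    print(rewrite_cert_paths(SAMPLE_CONF, "/etc/pki/tls/certs/selfsigned.pem",
                             "/etc/pki/tls/private/selfsigned.key"))
```

Run `apachectl configtest` after writing the rewritten text back to the config file to confirm httpd accepts it.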

Can you please tell me where I can find the OpenSSL certificate on my server?
I assume it's somewhere in the etc folder, like letsencrypt?
Edit: got it.

And: with editing everything starting with
SSLCertificateFile
SSLCertificateKeyFile

you mean everything inside the httpd.conf file, right?
(/etc/httpd/conf)

Or do you mean also somewhere else?

Thanks a lot!

1 Like

If you follow the instructions @9peppe linked to, it will be wherever you put it.

It would specifically be in /etc/httpd/conf/httpd-le-ssl.conf. That's the config file that's causing your problems (as the error message is telling you), so that's the one you need to fix.

4 Likes

It has worked -

Thanks a lot!

Now I just need to know how to replace that openssl certificate with letsencrypt,
and we're rolling : )

4 Likes

Note: certbot delete does not equate to "certbot uninstall and also delete this certificate".

certbot --apache (or --nginx) will obtain and install a certificate.
But there is no single "undo" to that (two-step) process.
You should uninstall it manually (first).
Then certbot can delete it for you.

4 Likes

They were a bit unsatisfactory, I'd say. I had to modify them to my taste:

openssl req -x509 -newkey EC -pkeyopt ec_paramgen_curve:P-256 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes

(and maybe add -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.example.com" as they say here)

https://www.openssl.org/docs/man3.0/man1/openssl-req.html
https://www.openssl.org/docs/man3.0/man1/openssl-genpkey.html

2 Likes

Fickle details. -sha256 will probably work but doesn't look like it is CA/B approved for P-256 certs. -sha384 should be. (But should self-signed certificates follow CA/B standards? Only if you want to be very nitpicky.)

1 Like

Thanks.

I just want to say, that it would be a great thing,
if someone would write a comprehensive guide on how to correctly delete letsencrypt certificates
(or, what to do when you change your domain).

All I was able to find, was that command that has led me into this trouble.

Regards

1 Like

There is one :wink:

https://eff-certbot.readthedocs.io/en/stable/using.html#safely-deleting-certificates

4 Likes

Which version of Certbot are you using?

Because since version 1.21.0, released on 04 Nov 2021, there is a VERY BIG warning presented to the user when using certbot delete:

3 Likes

I installed certbot just a month ago, so I think it's the newest version.

Yeah, I didn't read that 'Warning', and safely skipped it : )

Not that safe I'd say :roll_eyes:

4 Likes

How did you install it?

(edit: certbot --version will tell you the version)

1 Like

certbot version 1.11.0

I followed the AWS doc,

The most recent versions of Certbot are available using "snap":

I don't have experience with AWS EC2, but this might or might not be possible.

In any case, the repositories such as EPEL are usually not up to date.

4 Likes