After del. certificate, IP out of reach

Thanks for the info.
I don't have backup of this le certificate.

So, what I don't understand is why I have to deal with this problem, although I deleted the le certificate properly...

But as I see, there are still remains of it there.

What should I do?
Delete all remaining le certificate stuff,
or run certbot again and get a new le certificate?

I am not a pro in this,
but if you would tell me what lines to edit, I could do that.

Because:

  1. You deleted the certificate (and there is usually no reason to do that)
  2. But the webserver config is still referring to the certificate, which is now missing.

2 Likes

Generate a self signed certificate:

And then change the lines starting with

SSLCertificateFile
SSLCertificateKeyFile

by putting the paths of certificate and key you have just generated instead of the missing ones.

This will make you server start, but you will get an SSL validation error: it's expected.

But, once your server starts, you can get a certificate using certbot.

And don't delete certificates. Leave them be.

3 Likes
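The recovery described above, as an added example that is not part of the thread: generate a throwaway self-signed P-256 pair with openssl, then rewrite only the SSLCertificateFile and SSLCertificateKeyFile directives so Apache can start again. The config below is a constructed stand-in for /etc/httpd/conf/httpd-le-ssl.conf, and the function names and the temporary directory are assumptions.

```shell
# Added example, not from the thread. Constructed stand-in for the broken
# httpd-le-ssl.conf: it still names the lineage that was deleted.
WORK="$(mktemp -d)"
cat > "$WORK/httpd-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
</VirtualHost>
EOF

# Temporary self-signed P-256 certificate and key (needs openssl on PATH).
# Short lifetime on purpose: it only has to hold until certbot replaces it.
gen_self_signed() {
    dir="$1"; cn="$2"
    openssl req -x509 -newkey EC -pkeyopt ec_paramgen_curve:P-256 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -sha256 -days 30 -nodes -subj "/CN=$cn" 2>/dev/null
}

# Rewrite only the two directives; every other line is left untouched.
# SSLCertificateKeyFile and SSLCertificateChainFile do not match the first
# pattern because it requires a space right after "SSLCertificateFile".
patch_ssl_paths() {
    conf="$1"; cert="$2"; key="$3"
    sed -e "s|^\([[:space:]]*SSLCertificateFile\)[[:space:]].*|\1 $cert|" \
        -e "s|^\([[:space:]]*SSLCertificateKeyFile\)[[:space:]].*|\1 $key|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Path a directive currently points at (awk strips the leading indentation).
directive_path() {
    awk -v d="$2" '$1 == d { print $2 }' "$1"
}

# Usage: generate the pair if openssl is present, then point the config at it.
if command -v openssl >/dev/null 2>&1; then
    gen_self_signed "$WORK" www.example.com
fi
patch_ssl_paths "$WORK/httpd-le-ssl.conf" "$WORK/cert.pem" "$WORK/key.pem"
echo "SSLCertificateFile now: $(directive_path "$WORK/httpd-le-ssl.conf" SSLCertificateFile)"
```

After this, `apachectl configtest` and a restart should succeed; the browser warning is expected until `certbot --apache` installs a real certificate and rewrites the same two lines.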

...or, at least, adjust the server config to not require the cert before deleting the cert.

5 Likes

can you please tell me, where I can find the openSSL certificate on my server?
I assume it's somewhere in the etc folder, like letsencrypt?
Edit: got it.

And: with editing everything starting with
SSLCertificateFile
SSLCertificateKeyFile

you mean everything inside the httpd.conf file, right?
(/etc/httpd/conf)

Or do you mean also somewhere else?

Thanks a lot!

1 Like

If you follow the instructions @9peppe linked to, it will be wherever you put it.

It would specifically be in /etc/httpd/conf/httpd-le-ssl.conf. That's the config file that's causing your problems (as the error message is telling you), so that's the one you need to fix.

4 Likes

It has worked -

Thanks a lot!

Now I just need to know how to replace that openssl certificate with letsencrypt,
and we're rolling : )

4 Likes

Note: certbot delete does not equate to "certbot uninstall and also delete this certificate".

certbot --apache (or --nginx) will obtain and install a certificate.
But there is no single "undo" to that (two-step) process.
You should uninstall it manually (first).
Then certbot can delete it for you.

4 Likes
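Both the advice to "adjust the server config to not require the cert before deleting" and the note that certbot delete is not an uninstall come down to one check: does any web server config still point at the lineage? The following is an added example, not from the thread or from certbot, that performs that check over a constructed stand-in for /etc/httpd/conf; the function names and paths are assumptions.

```shell
# Added example, not from the thread. Two constructed virtual host files:
# one still references the lineage about to be deleted, the other does not.
CONF="$(mktemp -d)"
cat > "$CONF/httpd-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName www.example.com
    SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
</VirtualHost>
EOF
cat > "$CONF/other-site.conf" <<'EOF'
<VirtualHost *:443>
    ServerName other.example.net
    SSLCertificateFile /etc/letsencrypt/live/other.example.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/other.example.net/privkey.pem
</VirtualHost>
EOF

# Print "file:line:directive" for every cert, key or chain directive that
# points into the given lineage directory. Empty output means no references.
cert_refs() {
    conf_dir="$1"; lineage="$2"
    grep -rnE "^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]+$lineage/" "$conf_dir" || true
}

# Exit 0 when nothing references the lineage, 1 otherwise.
safe_to_delete() {
    [ -z "$(cert_refs "$1" "$2")" ]
}

# Usage: run this before "certbot delete --cert-name www.example.com".
LINEAGE=/etc/letsencrypt/live/www.example.com
if safe_to_delete "$CONF" "$LINEAGE"; then
    echo "no config references $LINEAGE; deleting it will not break the server"
else
    echo "still referenced, uninstall from these lines first:"
    cert_refs "$CONF" "$LINEAGE"
fi
```

Point `CONF` at the real config directory (for the poster's setup, /etc/httpd/conf) and the lineage at the real live/ path; only when the check passes is it safe to let certbot delete the files.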

They were a bit unsatisfactory, I'd say. I had to modify them to my taste:

openssl req -x509 -newkey EC -pkeyopt ec_paramgen_curve:P-256 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes

(and maybe add -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.example.com" as they say here)

https://www.openssl.org/docs/man3.0/man1/openssl-req.html
https://www.openssl.org/docs/man3.0/man1/openssl-genpkey.html

2 Likes

Fickle details. -sha256 will probably work but doesn't look like it is CA/B approved for P-256 certs. -sha384 should be. (But should self signed certificates follow CA/B standards? Only if you want to be very nitpicky)

1 Like

Thanks.

I just want to say, that it would be a great thing,
if someone would write a comprehensive guide on how to correctly delete letsencrypt certificates
(or, what to do when you change your domain).

All I was able to find, was that command that has led me into this trouble.

Regards

1 Like

There is one :wink:

https://eff-certbot.readthedocs.io/en/stable/using.html#safely-deleting-certificates

4 Likes

Which version of Certbot are you using?

Because since version 1.21.0, released on 04 Nov 2021, there is a VERY BIG warning presented to the user when using certbot delete:

3 Likes

I installed certbot just a month ago, so I think it's the newest version.

Yeah, I didn't read that 'Warning', and safely skipped it : )

Not that safe I'd say :roll_eyes:

4 Likes

How did you install it?

(edit: certbot --version will tell you the version)

1 Like

certbot version 1.11.0

I followed aws doc,

The most recent versions of Certbot are available using "snap":

I don't have experience with AWS EC2, but this might or might not be possible.

In any case, the repositories such as EPEL are usually not up to date.

4 Likes

It is possible but requires an unofficial repo from Snapcraft as Amazon Linux 2 (AL2) does not have SELinux. I never saw a comprehensive doc of instructions but have notes on how to do it as I went through the process. I thought I might need to for someone to get certbot 1.12 for the "short chain" selection but I never saw it come up.

Amazon Linux 2022 (AL2022) is the successor to AL2 and has SELinux so hopefully certbot snap will install cleanly. AL2022 is still in preview.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.