Thanks for the info.
I don't have backup of this le certificate.
So, what I don't understand is why I have to deal with this problem, although I deleted the le certicate properly...
But as I see, there are still remains of it there.
What should I do?
Delete all remaining le certificate stuff,
or run certbot again and get a new le certificate?
I am not a pro in this,
but if you would tell me what lines to edit, I could do that.
Because:
Generate a self signed certificate:
And then change the lines starting with
SSLCertificateFile
SSLCertificateKeyFile
by putting the paths of certificate and key you have just generated instead of the missing ones.
This will make you server start, but you will get an SSL validation error: it's expected.
But, once your server starts, you can get a certificate using certbot.
And don't delete certificates. Leave them be.
...or, at least, adjust the server config to not require the cert before deleting the cert.
can you please tell me, where I can find the openSSL certificate on my server?
I assume its somewhere in the etc folder, like letsencrypt?
Edit: got it.
And: with editing everything starting with
SSLCertificateFile
SSLCertificateKeyFile
you mean everything inside the httpd.conf file, right?
(/etc/httpd/conf)
Or do you mean also somewhere else?
Thanks a lot!
If you follow the instructions @9peppe linked to, it will be wherever you put it.
It would specifically be in /etc/httpd/conf/httpd-le-ssl.conf. That's the config file that's causing your problems (as the error message is telling you), so that's the one you need to fix.
It has worked -
Thanks a lot!
Now I just need to know how to replace that openssl certificate with letsencrypt,
and we're rolling : )
Note: certbot delete does not equate to "certbot uninstall and also delete this certificate".
certbot --apache (or --nginx) will obtain and install a certificate.
But there is no single "undo" to that (two-step) process.
You should uninstall it manually (first).
Then certbot can delete it for you.
They were a bit unsatisfactory, I'd say. I had to modify them to my taste:
openssl req -x509 -newkey EC -pkeyopt ec_paramgen_curve:P-256 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes
(and maybe add -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.example.com" as they say here)
https://www.openssl.org/docs/man3.0/man1/openssl-req.html
https://www.openssl.org/docs/man3.0/man1/openssl-genpkey.html
Fickle details. -sha256 will probably work but doesn't look like is CA/B approved for P-256 certs. -sha384 should be. (But should self signed certificates follow CA/B standards? Only if you want to be very pitnicky)
Thanks.
I just want to say, that it would be a great thing,
if someone would write a comprehensive guide on how to correctly delete letsencrypt certificates
(or, what to do when you change your domain).
All I was able to find, was that command that has led me into this trouble.
Regards
Which version of Certbot are you using?
Because since version 1.21.0, released on 04 Nov 2021, there is a VERY BIG warning presented to the user when using certbot delete:
I installed certbot just a month ago, so I think its the newest version.
Yeah, I didn't read that 'Warning', and safely skipped it : )
Not that safe I'd say 
How did you install it?
(edit: certbot --version will tell you the version)
certbot version 1.11.0
I followed aws doc,
The most recent versions of Certbot are available using "snap":
I don't have experience with AWS EC2, but this might or might not be possible.
In any case, the repositories such as EPEL are usually not up to date.
It is possible but requires an unofficial repo from Snapcraft as Amazon Linux 2 (AL2) does not have Selinux. I never saw a comprehensive doc of instructions but have notes on how to do it as I went through the process. I thought I might need to for someone to get certbot 1.12 for the "short chain" selection but I never saw it come up.
Amazon Linux 2022 (AL2022) is the successor to AL2 and has Selinux so hopefully certbot snap will install cleanly. AL2022 is still in preview.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
