Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: gbumc.church
I ran this command: # apachectl restart
It produced this output:
My web server is (include version): httpd 2.4.53
The operating system my web server runs on is (include version): Debian 11 (Bullseye)
My hosting provider, if applicable, is: Digital Ocean
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of
certbot --version or
certbot-auto --version if you're using Certbot): N/A
I have successfully obtained a test cert with the letsencryp staging url. Is was verified as such by Qualys SSL Labs test.
I changed my httpd.conf to the acme v2 url and restarted the server. I have seen no change of the domain status in the md directory and the Qualys test still shows a test cert.
Can I remove any part of the md directory to initiate a change in the situation? (Note the original cert was hosted on another server and it was scheduled to expire on 22 May.)
You now just need to follow the same steps, but this time get a new cert from the normal/production server.
Staging certs are not trusted.
Thanks, but I've tried that: changing the conf file and restarting. I have asked for help on the Apache user list, but no useful ideas yet. If I don't get any other ideas before long, I will try restarting completely from scratch by removing the md directory.
I don't know mod_md well so this is a total guess. But, try adding (or changing):
From: mod_md - Apache HTTP Server Version 2.5
My guess is that mod_md sees your staging cert and does not realize you changed the MDCertificateAuthority. So, it thinks the staging cert is "fresh enough" and takes no action.
The above should force a renewal but be sure to CHANGE IT BACK after this test.
You could quickly get Rate Limited by Let's Encrypt otherwise.
You could also try asking at the mod_md github
I don't see how that is changing anything.
Apache won't obtain a new cert.
You need to run the ACME client again, but this time point it at the production endpoint.
mod_md is installed into Apache and restarting is enough to reactivate and trigger
I removed the md directory
ensured the httpd.conf file has the correct Let's Encrypt valid cert URL
did a start
checked my error log which said valid cert was waiting for a graceful restart
I did the graceful restart and checked for a reasonable looking md directory
then I checked the site with Qualys again: A with a trusted cert
finally, I looked at the site and saw it as was expected
For the future I will ALWAYS set the httpd.conf file to the staging area to make sure the flow under my control works. Then remove the md directory, change the httpd.conf file back to the v2 URL, restart, check the logs, and do a graceful start.
What will they think of next?... Cars that drive all by themselves! - LOL
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.