Can I create deleted cert again?

Hi,

I can't start Apache on a LAMP stack. I get this error:

Jul 08 20:26:34 a-c-d systemd[1]: Starting The Apache HTTP Server...
Jul 08 20:26:34 a-c-d apachectl[2319]: AH00526: Syntax error on line 17 of /etc/apache2/sites-enabled/example1.com-le-ssl.conf:
Jul 08 20:26:34 a-c-d apachectl[2319]: SSLCertificateFile: file '/etc/letsencrypt/live/example2.net/fullchain.pem' does not exist or is empty
Jul 08 20:26:34 a-c-d apachectl[2316]: Action 'start' failed.

I did delete the cert for example2.net because I wasn't aware that I used that one for example1.com.

Is there a way to renew the example2.net certificate?

My problem is that Apache is down.

sudo certbot certonly -d example2.net -d www.example2.net

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 17 of /etc/apache2/sites-enabled/example1.com-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/example2.net/fullchain.pem' does not exist or is empty

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache) [Misconfigured]
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel):

I get the above and don't know what to do from here.

Thanks

1 Like

Why does file "example1..." try to load cert for "example2..." ?
Did you change something in that config file?

3 Likes

It was an old mistake I made. I have multiple virtual hosts/websites on the same droplet, and by mistake, I used a cert for one domain name for another, and it worked perfectly. I just didn't know, so I deleted the certificate by mistake.

OK, Apache is up now.

I deleted the:

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example2.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example2/privkey.pem

from /etc/apache2/sites-enabled/example1.com

I ran this:

sudo certbot certonly -d example1.com -d www.example1.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example1.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example1.com/privkey.pem
This certificate expires on 2023-10-06.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

But for some reason, it is not working; the site is just not encrypted.

You used certonly. Did you, after getting the certificate, manually install the certificate into your Apache configuration? If not, did you understand the meaning of the certonly subcommand? If not, why did you use an option you didn't understand?

1 Like

I added:

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example1.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example1.com/privkey.pem

to /etc/apache2/sites-enabled/example1.com

And it is working now.

Yeah, it was a mistake; I'm just trying to fix it the best I can. But it was dumb.

What is the correct command?

Thanks!

1 Like

There's no good or bad command (at least if it works). It's just that when you use certonly, you'll get, well, as the command implies, only a cert. The rest (i.e., the installing part) is up to the user.

4 Likes

What does this show?
certbot certificates

How?

2 Likes

I deleted it with "sudo certbot delete" and picked the correct number on the list.

1 Like

Basically the issue here is that certbot delete doesn't undo everything that certbot --apache does, and certbot certonly doesn't do everything that certbot --apache does.

  • certbot --apache gets the cert and adds the lines to your configuration file that you saw
  • certbot delete just deletes the certificate, but doesn't remove the edits to the configuration file
  • and certbot certonly will get the cert but not install it (in this context, not add the lines referencing it to the Apache configuration file)

So basically none of these things are exact inverses of each other (which can certainly be confusing).

4 Likes
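
A pre-flight check for the gap described in the post above, as an added example that is not part of the original thread or of Certbot: before running certbot delete, list the Apache directives that still reference the certificate's directory under /etc/letsencrypt/live, and afterwards list any directive whose target file is missing or empty (the AH00526 condition). The function names, the optional root-prefix argument and the sample tree are this example's own constructs; on a real host the first argument would be /etc/apache2/sites-enabled.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names and the optional ROOT
# prefix (lets the check run against a test tree) are this example's own.

# Print every active SSLCertificateFile / SSLCertificateKeyFile directive under
# CONF_DIR as "<config file>:<line>:<directive> <path>". Commented lines are skipped.
list_cert_directives() {
    grep -RinE '^[[:space:]]*SSLCertificate(Key)?File[[:space:]]+' "$1" 2>/dev/null |
        sed -E -e 's/[[:space:]]+$//' -e 's/[[:space:]]+/ /g' \
               -e 's/^([^:]+:[0-9]+:) /\1/'
}

# Directives that point into /etc/letsencrypt/live/<LINEAGE>/, i.e. the vhosts
# that would stop loading if that certificate were deleted.
refs_to_lineage() {
    list_cert_directives "$1" | grep -F "/etc/letsencrypt/live/$2/" || true
}

# Directives whose target (under optional ROOT, $2) is missing or empty.
dangling_refs() {
    list_cert_directives "$1" | while IFS= read -r entry; do
        path=${entry##* }                    # last field is the file path
        path=${path#\"}; path=${path%\"}     # tolerate a quoted path
        [ -s "${2:-}$path" ] || printf '%s\n' "$entry"
    done
}

# Constructed sample tree mirroring the thread: example1.com's vhost points at
# example2.net's certificate files, which no longer exist on disk.
make_sample_tree() {
    mkdir -p "$1/conf" "$1/root/etc/letsencrypt/live/example3.org"
    printf '%s\n' '<VirtualHost *:443>' '    ServerName example1.com' \
        '    # SSLCertificateFile /etc/letsencrypt/live/old.example/fullchain.pem' \
        '    SSLCertificateFile /etc/letsencrypt/live/example2.net/fullchain.pem' \
        '    SSLCertificateKeyFile /etc/letsencrypt/live/example2.net/privkey.pem' \
        '</VirtualHost>' > "$1/conf/example1.com-le-ssl.conf"
    printf '%s\n' '<VirtualHost *:443>' '    ServerName example3.org' \
        '    SSLCertificateFile /etc/letsencrypt/live/example3.org/fullchain.pem' \
        '</VirtualHost>' > "$1/conf/example3.org-le-ssl.conf"
    echo constructed > "$1/root/etc/letsencrypt/live/example3.org/fullchain.pem"
}
```

Any output from refs_to_lineage means the configuration must be edited before the certificate is deleted; any output from dangling_refs means apache2ctl configtest will fail.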

Ah I see, this is good to know, thanks!

2 Likes

Agree. There is also certbot rollback to revert server changes.

@schoen I don't know exactly what rollback does so I never suggest it. Do you have insight?

3 Likes

It's a somewhat unmaintained feature so I also never suggest it (but I should probably test it out sometime and see how well it actually works nowadays).

3 Likes
4 Likes

certbot certificates looks great, it doesn't show any certs not meant to be there, thanks.

1 Like
