Certbot - how to manually install certs?

Hi, I manually generated my shiny new SSL cert with certbot. I now want to manually add it to the site's config. What exact .pem files go where? I already have SSL on my site which works fine. I've been doing it manually for a long time with sslforfree.

vps(/apps/apache/conf/ssl/random.com): ls -l -a

-rw-r--r-- 1 root root 1646 May 31 21:50 ca_bundle.crt
-rw-r--r-- 1 root root 1967 May 31 21:50 certificate.crt
-rw-r--r-- 1 root root 1707 May 31 21:50 private.key

Which pem file from below (e.g. /etc/letsencrypt/live/random.com/privkey.pem) goes to which file above? I've tried, and each combination makes my site show a
"Warning: Potential Security Risk Ahead" error with SSL_ERROR_BAD_CERT_DOMAIN.

Thanks.


My domain is:
random.com

I ran this command:
sudo certbot certonly --apache

It produced this output:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/random.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/random.com/privkey.pem
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt

My web server is (include version):
Apache 2.4

The operating system my web server runs on is (include version):
CentOS 7 Linux

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

The version of my client is: certbot 1.3.0


Instead of replacing the existing files, what do you think of editing the Apache configuration to directly use /etc/letsencrypt/live/?

How is Apache currently configured? Can you post the output of, say, "sudo httpd -t -D DUMP_VHOSTS"?

Which point release?

According to the site's Server header, you're running OpenResty, not Apache.

And you have a wildcard certificate that should be renewed.


I don't know what OpenResty is. I'm pretty sure it's Apache:
vps(/apps/apache/web): httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Jun 27 2018 13:48:59

I don’t mind setting apache to use /etc/letsencrypt/live, can I do that for the single random.com domain below, one of those?

vps(/apps/apache/web): sudo httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server cdn.extremehosting.ca (/etc/httpd/conf.d/cdn.conf:17)
         port 443 namevhost cdn.extremehosting.ca (/etc/httpd/conf.d/cdn.conf:17)
         port 443 namevhost clubroma.ca (/etc/httpd/conf.d/club.conf:17)
                 alias www.clubroma.ca
         port 443 namevhost naig2017.to (/etc/httpd/conf.d/naig.conf:17)
                 alias www.naig2017.to
         port 443 namevhost vps.extremehosting.ca (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost tourismstcatharines.ca (/etc/httpd/conf.d/tour.conf:17)
                 alias www.tourismstcatharines.ca
*:80                   is a NameVirtualHost
         default server cdn.extremehosting.ca (/etc/httpd/conf.d/cdn.conf:1)
         port 80 namevhost cdn.extremehosting.ca (/etc/httpd/conf.d/cdn.conf:1)
         port 80 namevhost clubroma.ca (/etc/httpd/conf.d/club.conf:1)
                 alias www.clubroma.ca
         port 80 namevhost tourismstcatharines.ca (/etc/httpd/conf.d/tour.conf:1)
                 alias www.tourismstcatharines.ca
         port 80 namevhost vpsserver.extremehosting.ca (/etc/httpd/conf.d/vpsserver.conf:1)

I'm confused. Is random.com your domain name or not? It's not in the httpd output you posted.

In any case, assuming your existing files are using normal naming conventions, the files correspond to:

ca_bundle.crt ↔ /etc/letsencrypt/live/example.com/chain.pem
certificate.crt ↔ /etc/letsencrypt/live/example.com/cert.pem
private.key ↔ /etc/letsencrypt/live/example.com/privkey.pem

You could take a backup and then replace those files with symlinks to the corresponding /etc/letsencrypt/live/ locations.

You could also configure Apache to use them directly, e.g.:

SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

You should also set up a hook so that Apache is automatically reloaded when your certificates are renewed, such as by putting a simple shell script in /etc/letsencrypt/renewal-hooks/deploy/.

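A deploy hook of the kind suggested above, as an added example that is not from the thread or from Certbot itself. It assumes CentOS 7 with httpd managed by systemd and relies on the RENEWED_LINEAGE and RENEWED_DOMAINS variables Certbot exports to deploy hooks; it checks the lineage files and the config before reloading so a bad renewal or a typo cannot take every vhost down.

```shell
#!/bin/sh
# Added example (not from the thread): a Certbot deploy hook for
# /etc/letsencrypt/renewal-hooks/deploy/. Certbot runs it after a successful
# renewal with RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/tourismstcatharines.ca)
# and RENEWED_DOMAINS exported. Assumes CentOS 7 with httpd managed by systemd.
set -eu

# Number of PEM certificate blocks in a file: cert.pem has 1, fullchain.pem 2 or more.
count_certs() {
    if [ -f "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Every file Apache is pointed at must exist and hold what its name promises.
have_lineage_files() {
    dir=$1
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -s "$dir/$f" ] || return 1
    done
    [ "$(count_certs "$dir/cert.pem")" -eq 1 ] || return 1
    [ "$(count_certs "$dir/chain.pem")" -ge 1 ] || return 1
    [ "$(count_certs "$dir/fullchain.pem")" -ge 2 ] || return 1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$dir/privkey.pem"
}

# The key must belong to the leaf certificate: compare public-key fingerprints.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/cert.pem" -pubkey -noout \
               | openssl pkey -pubin -outform DER | sha256sum)
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout -outform DER | sha256sum)
    [ "$cert_pub" = "$key_pub" ]
}

deploy_renewed() {
    have_lineage_files "$1" || { echo "deploy hook: $1 is incomplete, not reloading" >&2; exit 1; }
    key_matches_cert "$1" || { echo "deploy hook: privkey.pem does not match cert.pem in $1" >&2; exit 1; }
    httpd -t                 # refuse to reload a broken config; it would take every vhost down
    systemctl reload httpd   # graceful restart via CentOS 7's httpd.service
    echo "deploy hook: reloaded httpd for ${RENEWED_DOMAINS:-$1}"
}

# Only act when Certbot invoked us; otherwise the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_renewed "$RENEWED_LINEAGE"
fi
```

Install it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ and exercise it with `sudo certbot renew --dry-run` before relying on it.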

Thanks for your help. random.com was just an example; it's actually tourismstcatharines.ca. What you provided was exactly what I needed, but it still does not work for me. When I set Apache to use the .pem files I still get the browser warning: "Warning: Potential Security Risk Ahead".
In fact this is why I'm trying to use Certbot, because the certs from sslforfree.com started doing this same thing. I'm doing something wrong all of a sudden, but there's nothing different.

Do you know why this is happening? Do I have to choose a different web server when setting up certbot? I chose Apache.

SSLCertificateChainFile is apparently not set. Some clients will report an error, though browsers can usually work around the problem.

Edit:

The site is using a certificate that expires on June 6, though!

There’s a new Let’s Encrypt certificate that includes tourismstcatharines.ca but not www.tourismstcatharines.ca, but the site isn’t using it.

(You need to get a new one that includes both names.)

I see what's wrong, I'm dumb. It's redirecting to www and I don't have a wildcard cert now, I guess. It matters now. So if I get a www.whatever.com it works fine. But how do I add a cert for both (www and non-www) in the conf?

If I do both apache won’t load:

SSLCertificateChainFile /etc/letsencrypt/live/tourismstcatharines.ca/chain.pem
SSLCertificateFile /etc/letsencrypt/live/tourismstcatharines.ca/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/tourismstcatharines.ca/privkey.pem

SSLCertificateChainFile /etc/letsencrypt/live/www.tourismstcatharines.ca/chain.pem
SSLCertificateFile /etc/letsencrypt/live/www.tourismstcatharines.ca/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.tourismstcatharines.ca/privkey.pem

Eg.
AH02242: Init: Multiple RSA server certificates not allowed
AH02312: Fatal error initialising mod_ssl, exiting.

If you have two certificates, you need to create two virtual hosts (one for tourismstcatharines.ca and one for www.tourismstcatharines.ca).

(I don’t think you did get a new www.tourismstcatharines.ca certificate yet, though?)

By the way, what does “sudo certbot certificates” show? Is Certbot managing any certificates for www.tourismstcatharines.ca?

If you need to create a new certificate with both names, you can run something like:

sudo certbot --apache -d tourismstcatharines.ca -d www.tourismstcatharines.ca --deploy-hook "apachectl graceful"

(I’m not certain what the correct way to reload Apache on CentOS 7 is.)

I keep putting back the old certs so it works. That's why you can't see it. Anyway, "sudo certbot certificates" shows this:


Found the following certs:
Certificate Name: tourismstcatharines.ca
Domains: tourismstcatharines.ca
Expiry Date: 2020-08-30 05:23:59+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/tourismstcatharines.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/tourismstcatharines.ca/privkey.pem
Certificate Name: www.tourismstcatharines.ca
Domains: www.tourismstcatharines.ca
Expiry Date: 2020-08-30 05:24:25+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.tourismstcatharines.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.tourismstcatharines.ca/privkey.pem


So I need two Apache vhosts? And from the first one I now remove "ServerAlias www.tourismstcatharines.ca", right? Because that's the name of the second vhost.

To use those two certificates, yes, you would need two virtual hosts.

One would have ServerName tourismstcatharines.ca and one would have ServerName www.tourismstcatharines.ca. Neither would need ServerAlias.

You could instead issue a new certificate that includes both names.

How can I do this? I can only select the domain with or without www, e.g. at 9 & 10:

vps(/apps/apache/web): sudo certbot certonly --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: whatever.ca
8: www.whatever.ca
...
9: tourismstcatharines.ca
10: www.tourismstcatharines.ca
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Entering "9 10" or "9,10" should do both.

It's almost like you don't want our help. 😕

That's only a problem when SSLCertificateFile points to cert.pem instead of fullchain.pem

That only works when running Apache 2.4.8 or newer. 🙁 In 2.4.6, you have to use SSLCertificateChainFile.

(Unless CentOS backported it.)


😮

Wtf. I took that feature as granted.

Awesome, it finally worked. Thanks everyone.
