Hi, I manually generate my shiny new SSL cert from with certbot. I now want to manually add it to the sites config. What exact .pem files go where? I already have SSL on my site which works fine. I’ve been doing it manually for a long time with sslforfree.
vps(/apps/apache/conf/ssl/random.com): ls -l -a
…
-rw-r--r-- 1 root root 1646 May 31 21:50 ca_bundle.crt
-rw-r--r-- 1 root root 1967 May 31 21:50 certificate.crt
-rw-r--r-- 1 root root 1707 May 31 21:50 private.key
Which pem file from below (e.g. /etc/letsencrypt/live/random.com/privkey.pem) goes to which file above? I’ve tried, and each combination makes my site have a
Warning: Potential Security Risk Ahead error with SSL_ERROR_BAD_CERT_DOMAIN
I ran this command:
sudo certbot certonly --apache
It produced this output:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/random.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/random.com/privkey.pem
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt
My web server is (include version):
Apache 2.4
The operating system my web server runs on is (include version):
CentOS 7 Linux
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I don’t know what OpenResty is. Pretty sure it’s Apache:
vps(/apps/apache/web): httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Jun 27 2018 13:48:59
I don’t mind setting Apache to use /etc/letsencrypt/live; can I do that for just the single random.com domain below, one of those?
vps(/apps/apache/web): sudo httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server cdn.extremehosting.ca (/etc/httpd/conf.d/cdn.conf:17)
port 443 namevhost cdn.extremehosting.ca (/etc/httpd/conf.d/cdn.conf:17)
port 443 namevhost clubroma.ca (/etc/httpd/conf.d/club.conf:17)
alias www.clubroma.ca
port 443 namevhost naig2017.to (/etc/httpd/conf.d/naig.conf:17)
alias www.naig2017.to
port 443 namevhost vps.extremehosting.ca (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost tourismstcatharines.ca (/etc/httpd/conf.d/tour.conf:17)
alias www.tourismstcatharines.ca
*:80 is a NameVirtualHost
default server cdn.extremehosting.ca (/etc/httpd/conf.d/cdn.conf:1)
port 80 namevhost cdn.extremehosting.ca (/etc/httpd/conf.d/cdn.conf:1)
port 80 namevhost clubroma.ca (/etc/httpd/conf.d/club.conf:1)
alias www.clubroma.ca
port 80 namevhost tourismstcatharines.ca (/etc/httpd/conf.d/tour.conf:1)
alias www.tourismstcatharines.ca
port 80 namevhost vpsserver.extremehosting.ca (/etc/httpd/conf.d/vpsserver.conf:1)
You should also set up a hook so that Apache is automatically reloaded when your certificates are renewed, such as by putting a simple shell script in /etc/letsencrypt/renewal-hooks/deploy/.
Thanks for your help. random.com was just an example; it’s actually tourismstcatharines.ca. What you provided was exactly what I needed, but it still does not work for me. When I set Apache to use the .pem files I still get the browser warning: “Warning: Potential Security Risk Ahead”.
In fact this is why I’m trying to use Certbot, because the certs from sslforfree.com started doing this same thing. I’m doing something wrong all of a sudden, but there’s nothing different.
Do you know why this is happening? Do I have to choose a different web server when setting up certbot? I chose Apache.
I see what’s wrong, I’m dumb. It’s redirecting to www and I don’t have a wildcard cert now, I guess. It matters now. So if I get a www.whatever.com it works fine. But how do I add a cert for both (www and non-www) in the conf?
So I need two Apache vhosts? And from the first one I now remove “ServerAlias www.tourismstcatharines.ca”, right? Because that’s the name of the second vhost.
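A worked setup for the two points raised in this thread: which certbot file replaces which of the old sslforfree files in the Apache vhost, and the deploy hook that reloads Apache after a renewal. This is an added example, not code from the thread, from certbot or from the helper's reply. It assumes the domain and output directories are supplied through DOMAIN, OUT_DIR and HOOK_DIR (defaults point at the thread's own /etc/httpd/conf.d and /etc/letsencrypt/renewal-hooks/deploy; the domain default is the reserved example.com), and that the certificate was issued for both the bare and the www name. One vhost with ServerAlias serves both names; SSL_ERROR_BAD_CERT_DOMAIN clears only when the certificate itself lists both, which means passing -d for each name when running certbot.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot.
# Writes (1) an Apache :443 vhost that reads certbot's live/ files for both the
# bare and www names and (2) a certbot deploy hook that reloads Apache after a
# renewal. DOMAIN, OUT_DIR and HOOK_DIR are assumptions with overridable defaults.
set -eu

DOMAIN="${DOMAIN:-example.com}"
OUT_DIR="${OUT_DIR:-/etc/httpd/conf.d}"
HOOK_DIR="${HOOK_DIR:-/etc/letsencrypt/renewal-hooks/deploy}"

# Mapping from the old sslforfree layout to certbot's live/ directory:
#   certificate.crt -> cert.pem      (the leaf certificate)
#   ca_bundle.crt   -> chain.pem     (the intermediate chain)
#   private.key     -> privkey.pem   (the private key)
# fullchain.pem is cert.pem + chain.pem in one file; Apache 2.4.8 or newer can
# take it in SSLCertificateFile alone, while the thread's 2.4.6 still needs
# SSLCertificateChainFile for the intermediates.
# ServerAlias only makes Apache answer for www.$DOMAIN; the certificate must
# also list that name, i.e. certbot was run with -d $DOMAIN -d www.$DOMAIN.
write_vhost() {
    cat > "$OUT_DIR/$DOMAIN-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName $DOMAIN
    ServerAlias www.$DOMAIN
    DocumentRoot /var/www/$DOMAIN

    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/$DOMAIN/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/$DOMAIN/chain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/$DOMAIN/privkey.pem
</VirtualHost>
EOF
}

# certbot runs every executable in renewal-hooks/deploy/ once after a successful
# renewal, so Apache picks up the new files without anyone logging in.
write_deploy_hook() {
    cat > "$HOOK_DIR/reload-apache.sh" <<'EOF'
#!/bin/sh
# Reload rather than restart: the new certificate is read and open
# connections are not dropped.
systemctl reload httpd
EOF
    chmod 755 "$HOOK_DIR/reload-apache.sh"
}

# Only write files when asked to, so the functions can be sourced on their own.
if [ "${1:-}" = "install" ]; then
    write_vhost
    write_deploy_hook
    echo "wrote $OUT_DIR/$DOMAIN-ssl.conf and $HOOK_DIR/reload-apache.sh"
fi
```

Run it as root with `DOMAIN=tourismstcatharines.ca sh setup-le-vhost.sh install` (the filename is arbitrary); without the `install` argument it only defines the functions. Afterwards `httpd -t` checks the syntax, and `openssl x509 -in /etc/letsencrypt/live/<domain>/cert.pem -noout -text | grep -A1 'Subject Alternative Name'` lists the names the certificate actually covers; if www is missing there, the fix is a reissue with both `-d` names, not a second vhost.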