Certbot renew problem

file cert.pem
cert.pem: broken symbolic link to ../../archive/atakama-studio.ca/cert2.pem

Is it possible, and would it be best, to just leave the cert files in their original location?

I also want to use the right configuration for Apache 2.4.8 or higher which is not the case right now.

Sorry I’m not near a pc right now and posting with the smartphone is a pain :wink:

The cp did not work because you used the -r option. Use only cp -p or just cp.

Regarding the right conf to be used on Apache 2.4.8 or higher, take a look at one of my previous posts.

And yes, there is no need to copy the certs to another location, you can use the path to /etc/letsencrypt/live/…

Cheers,
sahsanu

Haha, thanks for your patience, Sahsanu.

Yes, that’s what I’m reading in the manual. Use the direct path or create symlinks.

I’ve taken note of the previous post for the right configuration. I’ll change the config right now to use the direct path and only fullchain and privkey, and keep you posted with the result in a few minutes.

Quick update. I’ve copied the files using the right command and the site is back online. I’ll try to change the config now.


So I guess all I have to change would be in my virtual host config:

From

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on
                SSLProtocol all -SSLv2

                SSLCertificateFile /etc/apache2/ssl/cert.pem
                SSLCertificateKeyFile /etc/apache2/ssl/privkey.pem
                SSLCertificateChainFile /etc/apache2/ssl/chain.pem

to

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on
                SSLProtocol all -SSLv2

                SSLCertificateFile /etc/letsencrypt/live/atakama-studio.ca/fullchain.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/atakama-studio.ca/privkey.pem

Yes, that is correct. Just one thing: you should add -SSLv3 to the SSLProtocol directive. SSLv3 is insecure and should not be used, so:

SSLProtocol all -SSLv2 -SSLv3

Alright. Let’s try this!

OK, changed the configuration and rebooted Apache. Everything seems to be working correctly :smiley:

No need to change the permissions on the cert files to secure things up?

I guess next step would be to try to configure autorenew.


It should be okay. The permissions for the /etc/letsencrypt/live/ and /etc/letsencrypt/archive/ directories allow only root to access them. So the files inside them are safe, regardless of their individual permissions.

(Apache can access them because it starts as root before switching to www-data or whatever.)
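
A way to check the two things this thread turns on, the broken live/ symlink and the root-only directory permissions, as an added example that is not from the original posts. It assumes GNU stat and root privileges when pointed at a real /etc/letsencrypt; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a certbot lineage for broken symlinks and open directories.
# Function names are hypothetical; the paths follow the layout shown in the thread.

# Succeeds only if DIR is owned by OWNER (default root) and grants nothing to group/other.
check_dir_private() {
    dir=$1 owner=${2:-root}
    [ -d "$dir" ] || { echo "MISSING  $dir"; return 1; }
    mode=$(stat -c '%a' "$dir")      # GNU stat: octal mode, e.g. 700
    actual=$(stat -c '%U' "$dir")    # GNU stat: owner name
    case $mode in
        0|*00) ;;                    # no group/other permission bits
        *) echo "OPEN     $dir (mode $mode)"; return 1 ;;
    esac
    [ "$actual" = "$owner" ] || { echo "OWNER    $dir ($actual)"; return 1; }
    echo "ok       $dir (mode $mode, owner $actual)"
}

# Succeeds only if each expected file in LIVE_DIR is a symlink whose target exists.
check_lineage_links() {
    live=$1 rc=0
    for name in cert.pem chain.pem fullchain.pem privkey.pem; do
        link=$live/$name
        if [ ! -L "$link" ]; then
            echo "NOTLINK  $link"; rc=1      # missing, or a copied regular file
        elif [ ! -e "$link" ]; then
            echo "BROKEN   $link -> $(readlink "$link")"; rc=1
        else
            echo "ok       $link -> $(readlink "$link")"
        fi
    done
    return $rc
}

# Runs every check and reports failure if any of them failed.
audit_lineage() {
    config_dir=$1 domain=$2 owner=${3:-root} failed=0
    check_dir_private "$config_dir/live" "$owner" || failed=1
    check_dir_private "$config_dir/archive" "$owner" || failed=1
    check_lineage_links "$config_dir/live/$domain" || failed=1
    return $failed
}

# Example: sh audit.sh /etc/letsencrypt atakama-studio.ca
if [ $# -ge 2 ]; then audit_lineage "$@"; fi
```

A BROKEN line corresponds to what `file cert.pem` reported at the top of the thread: the link in live/ points at an archive file that is not there.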
