My domain is: cms.stonefist.net
My web server is (include version): Apache 2.4.29
O/S: Ubuntu 18.04 LTS
I am self-hosted with full access to root shell.
I run a small web app for a few dozen people on my registered domain. I use dynamic DNS and point my dynamic DNS server name to my domain via my registrar. So cms.stonefist.net is a CNAME for example1.ddns.net.
I use port forwarding of SSL only through my firewall to the internal server that uses virtualhosts to map the requested connection to the correct apache root directory. So cms.stonefist.net goes to its own home area and beta.stonefist.net goes to its own home area, etc.
I purchased a 3 year cert from Comodo about 2 years ago and installed it so that my users no longer would get the dreaded ‘not safe…’ messages.
Ok, finally my question. I followed the certbot installation instructions on a different server on my local domain. I found out I needed to open port 80 (which I did, and forwarded it to this second server). All installed ok and the dry run renewal went fine. If I install the certbot on my production box, how do I manage the Comodo license already installed? Do I need to do anything at all? I have multiple virtualhosts with different domains. Will these all get certificates? And can I then turn off port 80 forwarding or will this be needed for anything else?
I just can’t afford to lose user connectivity and a usable certificate. And I port-forward all SSL traffic to my one production server through the firewall.
Thank you for considering my questions/rambling
-T
What do you mean by "manage"? I'm sure you've got it stored somewhere safely on your server. Nothing should happen with it.
certbot should detect all the virtualhosts if the Apache configuration is set up properly. If that's the case and certbot indeed detects all virtualhosts, it should get a certificate for the hostnames you've selected, which can be a selection of the found hostnames or all hostnames, at your discretion. I.e., you could run certbot just once for all hostnames or run it multiple times and with each run you select a different selection of hostnames.
Thanks Osiris for the response. I think you have answered my questions.
When I said ‘manage’ I meant configuration changes. Would the Comodo cert still work if referenced in a site file? Do I need to remove references to it in any site file?
When I installed certbot on my test server, I saw no configuration changes in the site files. The original self-signed cert was still there.
With Apache, Certbot will create a new vhost config file if you specify --apache in your command to issue the certificates. If you specified certonly, then it just installs the files in /etc/letsencrypt/live/domain.tld.
Your COMODO certificate will stay on the server in whatever location it was saved to unless you manually delete it. It will continue to work until it expires.
One of the standard directory paths for certificate files is /etc/pki/tls/certs and /etc/pki/tls/private. You can confirm if you look at your current 443 vhost config file.
EDIT:
I believe if you already have a 443 vhost block, Certbot will detect it and update it accordingly. Personally, I would do a certonly and manually update the 443 vhost blocks to point to the LE certs.
The vhost config files should be the only files you need to worry about pointing to the correct cert. Also /etc/apache2/mods-enabled/ssl.conf.
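As an added illustration of the certonly approach described in the post above (this is example configuration, not something from the original thread), here is a 443 vhost still pointing at the old Comodo files, followed by the same vhost switched to the files that `certbot certonly` writes under /etc/letsencrypt/live/, and a port 80 vhost that keeps the HTTP-01 renewal path reachable. The Comodo file names, the DocumentRoot, and the use of mod_rewrite are assumptions; only the hostname and the /etc/letsencrypt/live/ layout come from the thread.

```apache
# Added example, not from the original thread. The Comodo file names,
# DocumentRoot and mod_rewrite usage are assumptions for illustration.

# --- Before: 443 vhost still pointing at the Comodo files ---
<VirtualHost *:443>
    ServerName cms.stonefist.net
    DocumentRoot /var/www/cms

    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/cms.stonefist.net.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/cms.stonefist.net.key
    SSLCertificateChainFile /etc/pki/tls/certs/comodo-bundle.crt
</VirtualHost>

# --- After: the same vhost pointing at the Let's Encrypt files written by
# `certbot certonly`. fullchain.pem contains the leaf plus intermediates, so
# SSLCertificateChainFile is not needed (obsolete since Apache 2.4.8; the
# poster runs 2.4.29). The live/ paths are symlinks that certbot repoints
# on renewal, so this block never needs editing again, only a reload.
<VirtualHost *:443>
    ServerName cms.stonefist.net
    DocumentRoot /var/www/cms

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/cms.stonefist.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cms.stonefist.net/privkey.pem
</VirtualHost>

# --- Port 80 vhost: keep this one reachable through the firewall so the
# HTTP-01 challenge (/.well-known/acme-challenge/) can be answered at each
# renewal; everything else is redirected to HTTPS. Requires mod_rewrite.
<VirtualHost *:80>
    ServerName cms.stonefist.net
    DocumentRoot /var/www/cms

    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,R=permanent]
</VirtualHost>
```

After editing the vhost, run `apachectl configtest` and then reload Apache; the old Comodo files can stay on disk untouched, since nothing references them any more. Because the 443 block points at the live/ symlinks, a renewal only needs Apache reloaded (for example with certbot's `--deploy-hook`), not a config change. If port 80 forwarding is closed again, HTTP-01 renewals will fail, so either leave it forwarded or switch to a DNS-01 challenge.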
It depends on what options you give to certbot. With the right plugin, certbot can make configuration changes, but not everybody wants that. See the user guide: User Guide — Certbot 2.7.0.dev0 documentation