Copy ACME.SH Generated Certificate files to Apache

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
acme.sh --issue -d test.domain.com,*.test.domain.com --dns dns_cf

It produced this output:
Your cert is in /root/.acme.sh/test.domain.com/test.domain.com.cer
[Thu Jan 28 14:20:25 WAT 2021] Your cert key is in /root/.acme.sh/test.domain.com/test.domain.com.key
[Thu Jan 28 14:20:25 WAT 2021] v2 chain.
[Thu Jan 28 14:20:25 WAT 2021] The intermediate CA cert is in /root/.acme.sh/test.domain.com/ca.cer
[Thu Jan 28 14:20:25 WAT 2021] And the full chain certs is there: /root/.acme.sh/test.domain.com/fullchain.cer

My web server is (include version): Apache/2.4.46

The operating system my web server runs on is (include version): Cent OS * [v92.0.6]

My hosting provider, if applicable, is: Namecheap

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, WHM/cPanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I am using acme.sh

I created the certificate successfully using acme.sh, but I don't know how to use the certificate.
I read that I have to copy the certificate to the Apache folder, so I did this.

I first created the path where I want it to be:
mkdir -pv /etc/letsencrypt/live/test.domain.com/
cd /etc/letsencrypt/live/test.domain.com/
touch cert.pem privkey.pem fullchain.pem

Then I followed the docs to copy the certs there:
acme.sh --install-cert -d test.domain.com \
--cert-file /etc/letsencrypt/live/test.domain.com/cert.pem \
--key-file /etc/letsencrypt/live/test.domain.com/privkey.pem \
--fullchain-file /etc/letsencrypt/live/test.domain.com/fullchain.pem \
--reloadcmd "service apache2 force-reload"

The copy seems to be successful, but the last line showed an error:
Failed to reload-or-try-restart apache2.service: Unit not found.
[Thu Jan 28 16:43:29 WAT 2021] Reload error for :

I still tried to add the cert path to my virtual host anyway, but my virtual host stopped working, so I removed it.

I was using certbot manual mode for it before, but I have a lot of subdomains to input, so I decided to switch to acme.sh. Thanks.


You would probably be better off (unless you have a ton of domains) just using the new default file path that acme.sh uses within the apache vhost configs.
The problem you speak about doesn't really seem to be covered by any of the steps shown.
Please show the output of:
apachectl -S

Let me also add that making folders and copying files into the /etc/letsencrypt/ directories is a very bad idea. [Making any manual adds/deletes/changes to it is asking for trouble.]
If you ever want to go back to using certbot, you will surely run into a bunch of problems.
To start with, certbot would expect the files in the /live/ folder to be symlinks, not actual files.


Oops, I didn't know that creating folders in that folder is bad. I guess I will delete it; is that okay?

Also, I have created over 5 SAN certs with certbot, containing 100 aliases in each cert. That's 500 times to verify _acme-challenge manually, and I still need more certs like that, and I learnt I will need to do the ACME challenge every 90 days because I am using DNS mode.
That's why I researched acme.sh.

acme.sh also said: DO NOT use the cert files in the ~/.acme.sh/ folder, they are for internal use only, the folder structure may change in the future.


If you delete only what you created, then YES.

It seems like you have about 30 or so places to change where the cert files point to.
It should be simple enough to modify your code with a search/replace statement ("awk").
I would test one out first or create a new test domain for that purpose only.

Yes, I think you should probably create a dedicated folder path for all your new acme.sh generated certs (not anywhere near /etc/letsencrypt/).


That's what I first attempted.
I created a folder "certificates" via cPanel,
and I created the required files too.

Then I ran the command to copy the acme.sh certificate to that exact cPanel user path:
/home/user/certificates/test.domain.com/cert.pem

But it gave me the same error.


You probably have a permissions problem...
Where the files are not accessible to the user running the service trying to access the files.
Are you familiar with:
chmod
chgrp
chown

If not, here is a primer: Unix File Access Permissions: Unix Chmod, Chown and Chgrp


shouldn't that be "httpd" rather than "apache2" on centos?


I have changed it and reboot works now.


The default permission for the files I created is 0644; could that be the issue?

Also, I must mention that the cert.pem and fullchain.pem file sizes are about 1 KB,
but privkey.pem (the key file) is empty, 0 bytes, and when I add it to the virtual host config, it says the file is not found or empty.


All of those file sizes are cause for concern IMO. The concern for privkey.pem is obvious and again reflects a permissions problem (check the permissions on the files in ~/.acme.sh/$FQDN), but I'd expect a cert to be larger than that too--my smallest cert, with only one SAN, is still 1.8 KB; other certs with more SANs are larger. fullchain.pem should be that size plus about 1.6 KB.


Yes, mine are similar too: fullchain is 3.8 KB and cert.pem is 1.8 KB.
I was trying to say that privkey.pem is empty,
and my Apache server does not compile a virtual host with an empty privkey.pem; I have tried.

What has worked so far was copying the contents of cert.pem into my Namecheap SSL CRT generator, and it successfully registered the cert, but I will have to be doing this every 3 months, and I have a lot of SAN certs.

The problem now is why acme.sh generated an empty privkey.pem, because it would have automated the renewal process.


...and the answer is likely, as I said above, a permissions problem.


I created the files with "touch privkey.pem cert.pem fullchain.pem" without setting any permissions.

What permission should I change the empty privkey.pem file to, so that Apache can compile it?

I checked the file that acme.sh generated itself in
/root/.acme.sh/test.domain.com/test.domain.com.key
and it's empty too.

Which is it: empty or not empty?
If really empty, then acme.sh is unable to make the files.
Delete them and start over.
If they really do contain info, then your web server isn't able to read that info.

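Pulling together the advice above (a dedicated folder outside /etc/letsencrypt, a reload command that names the CentOS httpd unit, file permissions the service can live with, and the "empty or not empty" test for the key), here is an added example script. It is not code from this thread, from acme.sh or from Let's Encrypt; the directory path, the owner and group names, the use of systemd's httpd unit and the 0750/0640 modes are assumptions for a CentOS box, and the install_cert function is only a wrapper around the --install-cert call and is not executed by the script itself.

```shell
#!/bin/sh
# Added example (not from this thread, acme.sh or Let's Encrypt): prepare a
# dedicated target directory for acme.sh --install-cert, then verify what
# landed there before pointing an Apache vhost at it.
# Paths, owner/group names and the httpd systemd unit are assumptions.
set -eu

# prepare_cert_dir DIR OWNER GROUP: create DIR outside /etc/letsencrypt,
# owned by OWNER:GROUP and traversable only by them (mode 0750).
prepare_cert_dir() {
    mkdir -p "$1"
    chown "$2:$3" "$1"
    chmod 0750 "$1"
}

# pem_ok FILE LABEL: FILE is non-empty and carries a "-----BEGIN ... LABEL-----"
# line. A 0-byte privkey.pem, as reported in the thread, fails the first test.
pem_ok() {
    [ -s "$1" ] || { echo "FAIL: $1 is missing or empty" >&2; return 1; }
    grep -q -- "-----BEGIN.*$2-----" "$1" \
        || { echo "FAIL: $1 has no BEGIN $2 block" >&2; return 1; }
}

# verify_cert_dir DIR: return 0 only if cert.pem, privkey.pem and fullchain.pem
# all look like what Apache expects; every problem found is reported on stderr.
verify_cert_dir() {
    d=$1
    rc=0
    pem_ok "$d/cert.pem" CERTIFICATE || rc=1
    pem_ok "$d/fullchain.pem" CERTIFICATE || rc=1
    pem_ok "$d/privkey.pem" "PRIVATE KEY" || rc=1
    # The private key must never be world-readable (0644 from touch is too open).
    if [ -f "$d/privkey.pem" ] && [ -n "$(find "$d/privkey.pem" -perm -004)" ]; then
        echo "FAIL: $d/privkey.pem is world-readable" >&2
        rc=1
    fi
    # fullchain.pem must hold the leaf plus at least one intermediate.
    if [ -f "$d/fullchain.pem" ]; then
        n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$d/fullchain.pem" || true)
        [ "$n" -ge 2 ] || { echo "FAIL: fullchain.pem holds $n cert(s), expected 2+" >&2; rc=1; }
    fi
    return $rc
}

# install_cert FQDN DIR: the --install-cert call from the thread, with a CentOS
# reload command (httpd, not apache2), followed by the checks above.
# Not executed by this script: acme.sh, root and a systemd 'httpd' unit are assumed.
install_cert() {
    acme.sh --install-cert -d "$1" \
        --cert-file "$2/cert.pem" \
        --key-file "$2/privkey.pem" \
        --fullchain-file "$2/fullchain.pem" \
        --reloadcmd "systemctl reload httpd"
    chmod 0640 "$2/privkey.pem"
    verify_cert_dir "$2"
}

# Typical use (assumed paths):
#   . ./acme-install.sh
#   prepare_cert_dir /etc/pki/acme/test.domain.com root apache
#   install_cert test.domain.com /etc/pki/acme/test.domain.com
```

Run verify_cert_dir on the target folder after every --install-cert and again after a renewal; an empty privkey.pem or a world-readable key is caught before Apache refuses the vhost. To confirm that the installed key actually belongs to the installed certificate, compare the public keys with `openssl x509 -in cert.pem -noout -pubkey` and `openssl pkey -in privkey.pem -pubout`; the two outputs must be identical.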

Thanks,
I deleted the previous cert folder and files I created using
cd /root/.acme.sh/
rm -rf test.domain.com

and I recreated the cert using the same process, and privkey.pem is not empty anymore.
Thanks a lot for all the suggestions. Issue resolved.

