Files *-le-ssl.conf in sites-enabled

I'm wondering whether it was a certbot command that once created files with
*-le-ssl.conf, derived from the files being in that directory. I'm not sure whether I created them manually of whether an automatism created them. The latter seem more likely to me.
Anyway, these files are constructed a bit different inside, such that they configure the mod_ssl module:

<IfModule mod_ssl.c>
<VirtualHost *:443>

        DocumentRoot /var/www/de.mydomain.www
        ServerSignature Off
        Redirect permanent /

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

Yep. You've got it. :slightly_smiling_face:


So far, so good. But why weren't files with this name not generated for every file? Are they some relicts I can delete now? I have all my vhosts configured right.

Those other vhost conf files without a -le-ssl.conf file probably don't have TLS configured, probably because Certbot wasn't asked to. Certbot will only generate -le-ssl.conf files for vhosts it actually issues a certificate for. And if Certbot is instructed to only get a cert or certs for some hostnames, but not others, it will only add -le-ssl.conf files for the vhosts with issued certs.


As an additional note, that redirect statement is going to create a loop. It redirects back to itself


Thanks. I believe it was an error on my side when I handcrafted this example. It should have been - as it is really the case in all my vhosts -

        ServerSignature Off
        Redirect permanent /

Just one more question regarding this topic:

what circumstance decides that certbot is generating a *-le-ssl.conf rather than editing the existing .conf file? And:
Is the order of statements important (Include before or after the SSL lines?):

SSLCertificateFile /etc/letsencrypt/live/mydomain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf  <<<

Certbot should always generate a separate *-le-ssl.conf file when you use an installer as part of its command.

For example, the following line acquires a cert via http-01 challenge(s) satisfied via Apache, but does not install it:

cerbot --apache --cert-only

Whereas the following line also installs a newly acquired cert into Apache (and thus creates the *-le-ssl.conf files).


Unless there already are SSLCertificateFile/SSLCertificateKeyFile manually added to an existing HTTPS port 443 VirtualHost section, right? E.g., when a user has manually added such a section with snakeoil certs.

I believe in that scenario Certbot would update the SSLCertificateFile/SSLCertificateKeyFile directives with the new paths to /etc/letsencrypt/live/....


I haven't looked at the installer code, but you could be right.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.