How to cancel one of the certificates

robc1 · June 20, 2022, 2:17pm

Main issue: I want to cancel my ssl from letsencrypt (date: 17.06) and just leave rapid ssl. How can I do it?

My domain is:

I ran this command:
$ acme.sh --set-default-ca --server letsencrypt
$ acme.sh --issue -d begravningstjanst.se --apache --keylength ec-256
(plus I update ssl config in http)
$ service httpd graceful

It produced this output:
Chrome said ssl its ssl is not valid
Main issue: Critical Is not a Certification Authority

Ssl details:

Common Name (CN)	begravningstjanst.se
Organization (O)
Organizational Unit (OU)
Common Name (CN)	R3
Organization (O)	Let's Encrypt
Organizational Unit (OU)
Issued On	Friday, June 17, 2022 at 1:34:52 PM
Expires On	Thursday, September 15, 2022 at 1:34:51 PM

My web server is (include version):
Apache

The operating system my web server runs on is (include version):
Centos

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
acme.sh v3.0.5

Krist0fer · June 20, 2022, 2:23pm

I have similar issue, anyone have a solution for this?

MikeMcQ · June 20, 2022, 2:27pm

Go to your Apache config and change these lines to point to your RapidSSL cert instead. Then, restart Apache and it will be using that cert. There is no need to delete any other cert.

SSLCertificateFile  
SSLCertificateChainFile
SSLCertificateKeyFile

rg305 · June 20, 2022, 2:33pm

Once you are no longer using the LE cert, you might want to remove it from acme-sh.
[so that it will no longer auto-renew]

For that, use:
acme.sh --remove --domain begravningstjanst.se --ecc

robc1 · June 20, 2022, 2:47pm

Thank you for quick respone,
I just try that = I've update three lines of config (SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile) to only use rapid ssl files. I restart server with command service httpd graceful.
Then I inspect ssl certificate in FF and I have two certs: 1) correct - Rapid ssl and 2) is not correct - from Let's Encrypt.
I just want to use rapidssl. I dont see anything in config related to Let's Encrypt... is there any other place where I should look for?

rg305 · June 20, 2022, 2:50pm

Try to "find it", with:
grep -Ri SSLCertificateFile /etc/apache2/
grep -Ri SSLCertificateFile /etc/httpd/

MikeMcQ · June 20, 2022, 2:54pm

Your server is sending out only your RapidSSL cert. Maybe FF has an old chain cached?

See this SSL Decoder site

But, note the name in your cert does not match your domain name so will result in an error in many browsers. It is sending cert for *.timecut.se ??

robc1 · June 20, 2022, 3:01pm

Thank you soo much.
I've use these commands. No apache2 folder only httpd exists. It show all of the ssl files wiith links to all cert files. There are only 4 lines (two with current rapid ssl and old commented out Let's Encrypt).
I checkout other folders...

robc1 · June 20, 2022, 3:02pm

Wow, thats very important. Thank you for link.
Common name is not correct, thats true. Where this "common name" field come from??

MikeMcQ · June 20, 2022, 3:03pm

it was the domain name used to get the certificate

robc1 · June 20, 2022, 3:06pm

when I create cert in rapis ssl I put begravningstjanst.se. Order in rapis ssl said it is common name begravningstjanst.se. I even need to prove that domain name is valid in rapid ssl site.
so probably its related to apache config... but how?? (if not I will see the issue in rapid ssl admin page)

Osiris · June 20, 2022, 3:11pm

Most common issues are probably:

Incorrect file used in directives;
Not reloading services after making changes to configuration.

robc1 · June 20, 2022, 3:22pm

I checked the certificate and common name on the certificate is fine.

robc1 · June 20, 2022, 3:28pm

Oh, I found out that when I change config for ssl from <VirtualHost *:80> into <VirtualHost *:443> it starts said valid common name

Osiris · June 20, 2022, 3:30pm

This sounds so wrong on so many levels.

MikeMcQ · June 20, 2022, 9:41pm

I agree with Osiris that sounds very wrong. Besides, your site is still sending wrong certs.

This SSL Decoder test site shows you send two certificates. One is a "leaf" for Let's Encrypt and one for DigiCert. This is not valid. Some browsers may make a lucky guess and say it is good but you should correct this.

Your Apache certificate config is wrong. If you want help please show the results of this command.

apachectl -t -D DUMP_VHOSTS

robc1 · June 21, 2022, 7:16am

the Result contains default server timecut.se plus only config for ssl port 443 namevhost begravningstjanst.se and port 443 namevhost www.begravningstjanst.se.
I did not find any additional entries
is it possible that acme.sh has added entries to the config?

MikeMcQ · June 21, 2022, 1:32pm

Please show the entire results. That is only the first step to fixing your config.

robc1 · June 21, 2022, 1:36pm

can we talk on prv? I dont want to show it to public.

robc1 · June 21, 2022, 1:39pm

maybe discord/skype/email?