How to cancel one of the certificates

Main issue: I want to cancel my ssl from letsencrypt (date: 17.06) and just leave rapid ssl. How can I do it?

My domain is:

I ran this command:
$ acme.sh --set-default-ca --server letsencrypt
$ acme.sh --issue -d begravningstjanst.se --apache --keylength ec-256
(plus I updated the ssl config in http)
$ service httpd graceful

It produced this output:
Chrome said its SSL is not valid
Main issue: Critical Is not a Certification Authority

Ssl details:

Common Name (CN) begravningstjanst.se
Organization (O)
Organizational Unit (OU)
Common Name (CN) R3
Organization (O) Let's Encrypt
Organizational Unit (OU)
Issued On Friday, June 17, 2022 at 1:34:52 PM
Expires On Thursday, September 15, 2022 at 1:34:51 PM

My web server is (include version):
Apache

The operating system my web server runs on is (include version):
Centos

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
acme.sh v3.0.5

I have a similar issue; does anyone have a solution for this?

Go to your Apache config and change these lines to point to your RapidSSL cert instead. Then, restart Apache and it will be using that cert. There is no need to delete any other cert.

SSLCertificateFile  
SSLCertificateChainFile
SSLCertificateKeyFile 
3 Likes

Once you are no longer using the LE cert, you might want to remove it from acme-sh.
[so that it will no longer auto-renew]

For that, use:
acme.sh --remove --domain begravningstjanst.se --ecc

4 Likes

Thank you for the quick response.
I just tried that: I've updated three lines of config (SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile) to only use rapid ssl files. I restarted the server with the command service httpd graceful.
Then I inspected the ssl certificate in FF and I have two certs: 1) correct - Rapid ssl and 2) not correct - from Let's Encrypt.
I just want to use rapidssl. I don't see anything in the config related to Let's Encrypt... is there any other place where I should look?

1 Like

Try to "find it", with:
grep -Ri SSLCertificateFile /etc/apache2/
grep -Ri SSLCertificateFile /etc/httpd/

3 Likes

Your server is sending out only your RapidSSL cert. Maybe FF has an old chain cached?

See this SSL Decoder site

But, note the name in your cert does not match your domain name so will result in an error in many browsers. It is sending cert for *.timecut.se ??

3 Likes

Thank you so much.
I've used these commands. There is no apache2 folder; only httpd exists. It shows all of the ssl files with links to all cert files. There are only 4 lines (two with the current rapid ssl and the old commented-out Let's Encrypt).
I checkout other folders...

2 Likes

Wow, that's very important. Thank you for the link.
The common name is not correct, that's true. Where does this "common name" field come from??

2 Likes

It was the domain name used to get the certificate.

4 Likes

When I created the cert in rapid ssl I put begravningstjanst.se. The order in rapid ssl said the common name is begravningstjanst.se. I even needed to prove that the domain name is valid on the rapid ssl site.
So it's probably related to the apache config... but how?? (if not, I will see the issue in the rapid ssl admin page)

1 Like

Most common issues are probably:

  • Incorrect file used in directives;
  • Not reloading services after making changes to configuration.
4 Likes

I checked the certificate and common name on the certificate is fine.

Oh, I found out that when I change the config for ssl from <VirtualHost *:80> into <VirtualHost *:443> it starts to say the common name is valid

This sounds so wrong on so many levels.

4 Likes
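An added example, not posted by anyone in this thread: a small Python check that goes one step beyond the `grep` above by listing only the active (uncommented) SSLCertificate* directives per `<VirtualHost>` block and flagging the two situations discussed here, certificate directives inside a port-80 vhost and more than one SSLCertificateFile in the same vhost (mod_ssl accepts the directive several times for different key types, so a leftover line can stay live). The function name `audit`, the sample config and all paths in it are constructed for illustration.

```python
import re

# Constructed sample (not the poster's config); every path is a placeholder.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName example.test
    SSLCertificateFile /etc/pki/tls/certs/rapidssl.crt
    SSLCertificateKeyFile /etc/pki/tls/private/rapidssl.key
</VirtualHost>
<VirtualHost *:443>
    ServerName example.test
    # SSLCertificateFile /old/le/commented.cer
    SSLCertificateFile /etc/pki/tls/certs/rapidssl.crt
    SSLCertificateFile /old/le/example.test.cer
    SSLCertificateKeyFile /etc/pki/tls/private/rapidssl.key
</VirtualHost>
"""

DIRECTIVE = re.compile(r"(SSLCertificate(?:File|ChainFile|KeyFile))\s+(\S+)", re.I)
VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)

def audit(conf_text):
    """Return (active, warnings); active maps each vhost block -> [(directive, path)]."""
    active, warnings, addr, key = {}, [], None, "(global)"
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # commented-out lines are inert
            continue
        opened = VHOST_OPEN.match(line)
        if opened:                                # key by block, not by address
            addr = opened.group(1).strip()
            key = f"{addr} (opened line {lineno})"
            continue
        if line.lower().startswith("</virtualhost"):
            addr, key = None, "(global)"
            continue
        found = DIRECTIVE.match(line)
        if not found:
            continue
        name, path = found.group(1), found.group(2).strip('"')
        active.setdefault(key, []).append((name, path))
        if addr and any(a.endswith(":80") for a in addr.split()):
            warnings.append(f"line {lineno}: {name} inside plain-HTTP vhost {addr}")
    for block, items in active.items():
        leaves = [p for n, p in items if n.lower() == "sslcertificatefile"]
        if len(leaves) > 1:
            warnings.append(f"{block}: {len(leaves)} active SSLCertificateFile lines: {leaves}")
    return active, warnings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)[1]))
```

To use it on a real server, pass the text of each file under /etc/httpd/ to `audit()` in turn; files pulled in through Include directives are not followed automatically.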

I agree with Osiris that sounds very wrong. Besides, your site is still sending wrong certs.

This SSL Decoder test site shows you send two certificates. One is a "leaf" for Let's Encrypt and one for DigiCert. This is not valid. Some browsers may make a lucky guess and say it is good but you should correct this.

Your Apache certificate config is wrong. If you want help please show the results of this command.

apachectl -t -D DUMP_VHOSTS
4 Likes

The result contains the default server timecut.se plus only the config for ssl port 443 namevhost begravningstjanst.se and port 443 namevhost www.begravningstjanst.se.
I did not find any additional entries.
Is it possible that acme.sh has added entries to the config?

Please show the entire results. That is only the first step to fixing your config.

3 Likes

Can we talk in private? I don't want to show it in public.

Maybe Discord/Skype/email?