How to fix my Lets Encrypt cert so that it's not self signed

schmitty42 · March 4, 2019, 8:48pm

I’m using Acme.sh for making certs

server: Linux/Apache 2.4.35

on https://github.com/Neilpang/acme.sh page, I’ve been using section “6. Use Apache mode”

acme.sh --issue --apache -d example.com -d www.example.com -d cp.example.com

to make the certificate, and I’m ending up with a self-signed certificate.

Is there a general rule or setting I need to have in place to make sure that LE is set to sign them instead of my own domain?

Update: I’ve also tried using domain API to automatically issue a cert, with a production key, using the command:

acme.sh --issue --dns dns_gd -d example.com -d www.example.com

What am I doing wrong?

My domain is: prodecksupply.com

I ran this command:
acme.sh --issue --dns dns_gd -d prodecksupply.com -d prodecksupply.com

It produced this output:
[Mon Mar 4 13:18:09 MST 2019] Domains have changed.
[Mon Mar 4 13:18:09 MST 2019] Multi domain=‘DNS:prodecksupply.com,DNS:prodecksupply.com’
[Mon Mar 4 13:18:09 MST 2019] Getting domain auth token for each domain
[Mon Mar 4 13:18:09 MST 2019] Getting webroot for domain=‘prodecksupply.com’
[Mon Mar 4 13:18:09 MST 2019] Getting new-authz for domain=‘prodecksupply.com’
[Mon Mar 4 13:18:10 MST 2019] The new-authz request is ok.
[Mon Mar 4 13:18:10 MST 2019] Getting webroot for domain=‘prodecksupply.com’
[Mon Mar 4 13:18:10 MST 2019] Getting new-authz for domain=‘prodecksupply.com’
[Mon Mar 4 13:18:11 MST 2019] The new-authz request is ok.
[Mon Mar 4 13:18:11 MST 2019] prodecksupply.com is already verified, skip dns-01.
[Mon Mar 4 13:18:11 MST 2019] prodecksupply.com is already verified, skip dns-01.
[Mon Mar 4 13:18:11 MST 2019] Verify finished, start to sign.
[Mon Mar 4 13:18:13 MST 2019] Cert success.

[Mon Mar 4 13:18:13 MST 2019] Your cert is in /home/.acme.sh/prodecksupply.com/prodecksupply.com.cer
[Mon Mar 4 13:18:13 MST 2019] Your cert key is in /home/.acme.sh/prodecksupply.com/prodecksupply.com.key
[Mon Mar 4 13:18:13 MST 2019] The intermediate CA cert is in /home/.acme.sh/prodecksupply.com/ca.cer
[Mon Mar 4 13:18:13 MST 2019] And the full chain certs is there: /home/.acme.sh/prodecksupply.com/fullchain.cer

My web server is (include version):Apache Version 2.4.35

The operating system my web server runs on is (include version): Linux 2.6.32-954.3.5.lve1.4.58.el6.x86_64

My hosting provider is: godaddy.com

YES I can login to a root shell on my machine

YES, I’m using a control panel to manage my site
Name and version of the control panel: cPanel Version 70.0 (build 51)

The version of my client is acme.sh v2.8.1

stevenzhu · March 4, 2019, 8:50pm

Hi,

You are using cPanel with acme.sh, which means you’ll need to instruct acme.sh to install the certificate after installation.

Please follow this guide to proceed.

Thank you

JuergenAuer · March 4, 2019, 8:54pm

Hi @schmitty42

that happens if you have different vHost definitions, so the ACME-client changes the wrong configuration.

CN=prodecksupply.deckandbasement.com
	03.10.2017
	03.10.2018
152 days expired	prodecksupply.deckandbasement.com, 
mail.prodecksupply.com, prodecksupply.com, 
www.prodecksupply.com, 
www.prodecksupply.deckandbasement.com - 5 entries

looks like your website uses the default vHost, not the certificate acme.sh has created.

But: If you have cPanel, isn't there an integrated solution? It may be impossible to install a certificate outside of your cPanel.

schmitty42 · March 4, 2019, 9:49pm

They don’t have any sort of simple/built-in/easy-setup utility that I’ve been able to find, but they will allow certificate additions if I create the certs and keys them outside the server. Still looking into this.

schoen · March 4, 2019, 10:14pm

Probably your certificate import simply isn't taking effect for some reason. You can confirm that the certificate file generated by acme.sh is not self-signed with a command like

openssl x509 -text -noout -in /home/.acme.sh/prodecksupply.com/prodecksupply.com.cer

stevenzhu · March 4, 2019, 11:04pm

Hi,

You’ve issued the certificate, but have not install it via command line.

The command you show above will not install the certificate to cPanel by default. Check out the guide I posted before and see the bottom section to ask acme.sh to install it…

Thank you

system · April 3, 2019, 11:04pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Acme.sh can't get a certificate because the existing certificate is self signed Help	6	7687	March 17, 2017
Issue creating certificate using acme.sh DNS made Help	6	1290	August 15, 2018
Copy ACME.SH Generated Certificate files to Apache Help	15	2226	February 28, 2021
Can't get certificate Help	8	1028	August 1, 2023
Create certificate by acme.sh / certbot Help	8	1395	January 13, 2020

How to fix my Lets Encrypt cert so that it's not self signed

Related topics