How to proceed after creating certificates?


#1

I got the certificate but how do I proceed?

My domain is: rm.supportform.se

I ran this command: certbot certonly --authenticator standalone --pre-hook "apachectl -k stop" --post-hook "apachectl -k start"

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): rm.supportform.se
Running pre-hook command: apachectl -k stop
Error output from apachectl:
[Mon Sep 17 22:29:22.203629 2018] [so:warn] [pid 20767] AH01574: module dav_module is already loaded, skipping

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for rm.supportform.se
Waiting for verification…
Cleaning up challenges
Running post-hook command: apachectl -k start
Error output from apachectl:
[Mon Sep 17 22:29:27.524210 2018] [so:warn] [pid 20786] AH01574: module dav_module is already loaded, skipping

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/rm.supportform.se/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/rm.supportform.se/privkey.pem
    Your cert will expire on 2018-12-16. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Hi,

Next step, you’ll need to install the certificate into the apache virtual host…

Just P.S. You could actually use certbot -i apache instead of standalone to install the certificates to corresponding virtual hosts.

Thank you


#3

Even better: just use --apache, so it also will be the authenticator, not just the installer :wink:

@ouaburst You could use certbot --apache --cert-name rm.supportform.se to install the certificate into Apache. It should tell you you already have a certificate for that hostname and will ask you if you just want to install the certificate. You can choose just installing the existing certificate.
If that works (if not, tell us here), you can use certbot renew for future renewals. But I think Debian has a systemd timer or cronjob in its package. If a cronjob or systemd timer exists, you won’t have to worry about running certbot renew manually.


#4

Still doesn’t work:

https://www.ssllabs.com/ssltest/analyze.html?d=rm.supportform.se

Gives: Assessment failed: Unable to connect to the server


root@redmine ~# certbot --apache --cert-name rm.supportform.se
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/rm.supportform.se.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/redmine.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1


Congratulations! You have successfully enabled https://rm.supportform.se

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=rm.supportform.se

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/rm.supportform.se/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/rm.supportform.se/privkey.pem
    Your cert will expire on 2018-12-16. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

root@redmine ~# service apache2 restart


#5

Could a firewall block port 443?


#6

Hi @ouaburst

check

ss -ntlp

to see if your server works on port 443.


#7

I enabled port 443 in the firewall and it works now.

Thanks for the help.
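
The `ss -ntlp` check from post #6 and the firewall fix from post #7 fit together as shown in this added example, which is not part of the original thread: it classifies the listener for a port from `ss -ntl` output so you can tell "nothing listening" apart from "listening, so look at the firewall". The function names `classify_listener` and `next_step` are hypothetical, the sample output is constructed, and the parser assumes the `State` column is present as the first field.

```shell
#!/bin/sh
# Constructed sample of `ss -ntl` output (not taken from the thread).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*
LISTEN  0       128     *:80                *:*
LISTEN  0       128     :::443              :::*
LISTEN  0       128     127.0.0.1:4430      0.0.0.0:*'

# classify_listener PORT   (reads `ss -ntl` output on stdin)
# Prints "public" if a listener on PORT accepts non-loopback connections,
# "loopback" if it is bound only to 127.0.0.0/8 or ::1, "none" otherwise.
classify_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            n = match(addr, /:[0-9]+$/)      # last colon separates host from port
            if (n == 0 || substr(addr, n + 1) != port) next   # exact port match only
            host = substr(addr, 1, n - 1)
            if (host ~ /^127\./ || host == "::1" || host == "[::1]") lo = 1
            else pub = 1
        }
        END { print (pub ? "public" : (lo ? "loopback" : "none")) }
    '
}

# next_step CLASS PORT: map the classification to where to look next.
next_step() {
    case "$1" in
        public)   echo "listener OK on tcp/$2: if remote tests fail, check firewall rules" ;;
        loopback) echo "tcp/$2 is bound to loopback only: remote clients cannot connect" ;;
        none)     echo "nothing listening on tcp/$2: check the TLS vhost and Listen directive" ;;
    esac
}

# Demo on the constructed sample; on a live host use: ss -ntl | classify_listener 443
result=$(printf '%s\n' "$SAMPLE_SS" | classify_listener 443)
next_step "$result" 443
```
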

