How to install SSL for a new subdomain

Is that domain yours?

Are you still using it on that server?

show me the full output, not just the errors (use the </> button)

[root@qa-atm letsencrypt]# ./letsencrypt-auto renew --verbose --apache
Upgrading certbot-auto 0.33.1 to 1.3.0…
Replacing certbot-auto…
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/lnkjuv4.com.conf


Requested authenticator apache and installer apache
Var authenticator=apache (set by user).
Var installer=apache (set by user).
Should renew, less than 30 days before certificate expiry 2019-07-16 06:45:47 UTC.
Cert is due for renewal, auto-renewing…
Requested authenticator apache and installer apache
Apache version is 2.2.15
Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f75bb1b7810>
Prep: True
Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f75bb1b7810>
Prep: True
Selected authenticator <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f75bb1b7810> and installer <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f75bb1b7810>
Plugins selected: Authenticator apache, Installer apache
Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u’https://acme-v02.api.letsencrypt.org/acme/acct/50191541’, new_authzr_uri=None, terms_of_service=None), ff43518b0977b2587c383d06c3f368e6, Meta(creation_host=u’ip-172-16-8-15.ec2.internal’, creation_dt=datetime.datetime(2019, 1, 25, 6, 42, 23, tzinfo=)))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
https://acme-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
Received response:
HTTP 200
Server: nginx
Date: Fri, 03 Apr 2020 13:22:44 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "HNpeI4ZUXqQ": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
Renewing an existing certificate
Generating key (2048 bits): /etc/letsencrypt/keys/0004_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0004_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-v02.api.letsencrypt.org:443 “HEAD /acme/new-nonce HTTP/1.1” 200 0
Received response:
HTTP 200
Server: nginx
Date: Fri, 03 Apr 2020 13:22:45 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0102VEa3WuCaa_IjJ1Fi__sDG4ddARSBSU4WjAZi0_UHfL8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

Storing nonce: 0102VEa3WuCaa_IjJ1Fi__sDG4ddARSBSU4WjAZi0_UHfL8
JWS payload:
{
  "identifiers": [
    {
      "type": "dns",
      "value": "lnkjuv4.com"
    }
  ]
}
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
https://acme-v02.api.letsencrypt.org:443 “POST /acme/new-order HTTP/1.1” 201 341
Received response:
HTTP 201
Server: nginx
Date: Fri, 03 Apr 2020 13:22:45 GMT
Content-Type: application/json
Content-Length: 341
Connection: keep-alive
Boulder-Requester: 50191541
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Location: https://acme-v02.api.letsencrypt.org/acme/order/50191541/2877321230
Replay-Nonce: 0101RjtItOaBmJ6O16x7vU81VfKvuXK84BpSXuUE2jPrd_o
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2020-04-10T13:22:45.180844956Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "lnkjuv4.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/3736872318"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/50191541/2877321230"
}
Storing nonce: 0101RjtItOaBmJ6O16x7vU81VfKvuXK84BpSXuUE2jPrd_o
JWS payload:

Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/3736872318:
https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/3736872318 HTTP/1.1” 200 789
Received response:
HTTP 200
Server: nginx
Date: Fri, 03 Apr 2020 13:22:45 GMT
Content-Type: application/json
Content-Length: 789
Connection: keep-alive
Boulder-Requester: 50191541
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0101yhDs8HUWM2PcO9QoF2CujUIsZ2HSWHmjaZc9ac79pU8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "lnkjuv4.com"
  },
  "status": "pending",
  "expires": "2020-04-10T13:22:45Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3736872318/XhQl9w",
      "token": "DGYw81FjlStVtM-hpkRm6azXJLyGjnrvDsR0KxfkTrI"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3736872318/04R4FA",
      "token": "DGYw81FjlStVtM-hpkRm6azXJLyGjnrvDsR0KxfkTrI"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3736872318/LGdBZQ",
      "token": "DGYw81FjlStVtM-hpkRm6azXJLyGjnrvDsR0KxfkTrI"
    }
  ]
}
Storing nonce: 0101yhDs8HUWM2PcO9QoF2CujUIsZ2HSWHmjaZc9ac79pU8
Performing the following challenges:
http-01 challenge for lnkjuv4.com
Adding a temporary challenge validation Include for name: lnkjuv4.com:443 in: /etc/httpd/conf.d/ssl.conf
Adding a temporary challenge validation Include for name: 172.16.8.118 in: /etc/httpd/conf/httpd.conf
Adding a temporary challenge validation Include for name: link1.aprsnd1.com in: /etc/httpd/conf/httpd.conf
Adding a temporary challenge validation Include for name: 52.44.195.201 in: /etc/httpd/conf/httpd.conf
Adding a temporary challenge validation Include for name: qa-api.juvlon.com in: /etc/httpd/conf/httpd.conf
Adding a temporary challenge validation Include for name: app7.e-juvlon.com in: /etc/httpd/conf/httpd.conf
writing a pre config file with text:
RewriteEngine on
RewriteRule ^/.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [L]

writing a post config file with text:
<Directory /var/lib/letsencrypt/http_challenges>
Order Allow,Deny
Allow from all
</Directory>

<Location /.well-known/acme-challenge>
Order Allow,Deny
Allow from all
</Location>

Creating backup of /etc/httpd/conf/httpd.conf
Creating backup of /etc/httpd/conf.d/ssl.conf
Waiting for verification…
JWS payload:
{
  "type": "http-01",
  "resource": "challenge"
}
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/3736872318/XhQl9w:
https://acme-v02.api.letsencrypt.org:443 “POST /acme/chall-v3/3736872318/XhQl9w HTTP/1.1” 200 185
Received response:
HTTP 200
Server: nginx
Date: Fri, 03 Apr 2020 13:22:48 GMT
Content-Type: application/json
Content-Length: 185
Connection: keep-alive
Boulder-Requester: 50191541
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”, https://acme-v02.api.letsencrypt.org/acme/authz-v3/3736872318;rel=“up”
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/3736872318/XhQl9w
Replay-Nonce: 0101OJMwEDlXyiESWlKcHGGDRa4USHlrwT00V0QvRmiGbfk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3736872318/XhQl9w",
  "token": "DGYw81FjlStVtM-hpkRm6azXJLyGjnrvDsR0KxfkTrI"
}
Storing nonce: 0101OJMwEDlXyiESWlKcHGGDRa4USHlrwT00V0QvRmiGbfk
JWS payload:

Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/3736872318:
https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/3736872318 HTTP/1.1” 200 583
Received response:
HTTP 200
Server: nginx
Date: Fri, 03 Apr 2020 13:22:49 GMT
Content-Type: application/json
Content-Length: 583
Connection: keep-alive
Boulder-Requester: 50191541
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0102Kwbn5E9luMntchEh58jDfxDGoqHye_nTJzF3Qv6GKKA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "lnkjuv4.com"
  },
  "status": "invalid",
  "expires": "2020-04-10T13:22:45Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up A for lnkjuv4.com - check that a DNS record exists for this domain",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3736872318/XhQl9w",
      "token": "DGYw81FjlStVtM-hpkRm6azXJLyGjnrvDsR0KxfkTrI"
    }
  ]
}
Storing nonce: 0102Kwbn5E9luMntchEh58jDfxDGoqHye_nTJzF3Qv6GKKA
Challenge failed for domain lnkjuv4.com
http-01 challenge for lnkjuv4.com
Reporting to user: The following errors were reported by the server:

Domain: lnkjuv4.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for lnkjuv4.com - check that a DNS record exists for this domain
Encountered exception:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 180, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Attempting to renew cert (lnkjuv4.com) from /etc/letsencrypt/renewal/lnkjuv4.com.conf produced an unexpected error: Some challenges have failed… Skipping.
Traceback was:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/renewal.py”, line 448, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/main.py”, line 1176, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/main.py”, line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/renewal.py”, line 306, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/client.py”, line 344, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/client.py”, line 391, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 180, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.


Processing /etc/letsencrypt/renewal/qa-api.juvlon.com.conf


Var authenticator=apache (set by user).
Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80
http://ocsp.int-x3.letsencrypt.org:80 “POST / HTTP/1.1” 200 527
OCSP response for certificate /etc/letsencrypt/archive/qa-api.juvlon.com/cert1.pem is signed by the certificate’s issuer.
OCSP certificate status for /etc/letsencrypt/archive/qa-api.juvlon.com/cert1.pem is: OCSPCertStatus.GOOD
Cert not yet due for renewal
Requested authenticator apache and installer apache
Selecting plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f75b55c1710>
Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no values loaded
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lnkjuv4.com/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/qa-api.juvlon.com/fullchain.pem expires on 2020-07-02 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lnkjuv4.com/fullchain.pem (failure)


Exiting abnormally:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 11, in
sys.exit(main())
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py”, line 15, in main
return internal_main.main(cli_args)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/main.py”, line 1347, in main
return config.func(config, plugins)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/main.py”, line 1255, in renew
renewal.handle_renewal_request(config)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/renewal.py”, line 473, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: lnkjuv4.com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for lnkjuv4.com - check
    that a DNS record exists for this domain

It looks like you’re fine.

But apache isn’t reloading for whatever reason, run systemctl reload httpd

This domain is expired, you can remove it.
(certbot certificates and then certbot delete --cert-name ...)

I had already run the below command:
service httpd restart
Can I run the below now:
certbot certificates and then certbot delete --lnkjuv4.com

Is it required to change anything in ssl.conf?

From which path do I need to run this command?
certbot certificates and then certbot delete --lnkjuv4.com

certbot delete --cert-name lnkjuv4.com

Check if this is your problem: New certificate installed - getting fails in the browser

[root@qa-atm letsencrypt]# certbot delete --lnkjuv4.com
-bash: certbot: command not found

OK. When I say certbot, you need to type letsencrypt-auto. And do not replace --cert-name; type after it.

Sir, below are the ssl.conf details. Is there a need to change anything?

```
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/letsencrypt/live/lnkjuv4.com/cert.pem

#   Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/lnkjuv4.com/privkey.pem

#   Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
SSLCertificateChainFile /etc/letsencrypt/live/lnkjuv4.com/chain.pem
```

point those to your new certificate.

run ./letsencrypt-auto certificates to see the right paths.

[root@qa-atm letsencrypt]# ./letsencrypt-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: lnkjuv4.com
Domains: lnkjuv4.com
Expiry Date: 2019-07-16 06:45:47+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/lnkjuv4.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/lnkjuv4.com/privkey.pem
Certificate Name: qa-api.juvlon.com
Domains: qa-api.juvlon.com
Expiry Date: 2020-07-02 12:08:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/qa-api.juvlon.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem


[root@qa-atm letsencrypt]#

SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem

you need those two lines. (you can remove all the rest.)

Sir, is this OK?

```
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/fullchain.pem

#   Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem
```

It looks fine.

I can give you encouragement, I can’t assume responsibilities for you.

thanks for your support sir
Certificate renewed, but it gives the below error:


The certificate will expire in 89 days.

The hostname (qa-api.juvlon.com) is correctly listed in the certificate.

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

Common name: qa-api.juvlon.com
SANs: qa-api.juvlon.com
Valid from April 3, 2020 to July 2, 2020
Serial Number: 033261fb9504f5d28594116058a1057d6242
Signature Algorithm: sha256WithRSAEncryption
Issuer: Let’s Encrypt Authority X3

did you use fullchain.pem?

it usually works, but you might need to use this instead:

SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/qa-api.juvlon.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem
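
The two fixes discussed above (pointing ssl.conf at the lineage that `letsencrypt-auto certificates` reports as valid, and naming the chain file separately) can be checked mechanically. The script below is an added example, not code from the thread or from certbot; its function names, file names and example.com domains are constructed, and it relies on the fact that Apache before 2.4.8 (the renewal log shows 2.2.15) reads only the leaf certificate from SSLCertificateFile.

```shell
#!/usr/bin/env bash
# Added example: audit Apache SSLCertificate* directives against the output of
# `certbot certificates`. All sample data below is constructed.

# Names of lineages that `certbot certificates` marks as expired.
expired_lineages() {
    awk '/Certificate Name:/ { name = $3 }
         /Expiry Date:/ && /INVALID: EXPIRED/ { print name }' "$1"
}

# "Directive path" for every uncommented SSLCertificate* directive.
active_cert_directives() {
    awk '$1 ~ /^SSLCertificate(File|KeyFile|ChainFile)$/ { print $1, $2 }' "$1"
}

# True when Apache version $1 predates 2.4.8, the first release in which
# SSLCertificateFile also loads intermediates (so fullchain.pem is enough).
needs_chain_directive() {
    printf '%s\n' "$1" | awk -F. '{ exit !(($1 * 1000000 + $2 * 1000 + $3) < 2004008) }'
}

# audit_ssl_conf <apache_version> <ssl.conf> <certbot_certificates_output>
# Prints one finding per line, or "OK" when there is nothing to report.
audit_ssl_conf() {
    version=$1; conf=$2; certs=$3; found=0
    directives=$(active_cert_directives "$conf")

    # 1. Directives that still point into an expired lineage.
    for name in $(expired_lineages "$certs"); do
        for hit in $(printf '%s\n' "$directives" | awk -v p="/live/$name/" 'index($2, p) { print $1 }'); do
            echo "EXPIRED $hit -> $name"; found=1
        done
    done

    # 2. Will the intermediate certificate be sent to clients?
    cert=$(printf '%s\n' "$directives" | awk '$1 == "SSLCertificateFile" { p = $2 } END { print p }')
    chain=$(printf '%s\n' "$directives" | awk '$1 == "SSLCertificateChainFile" { p = $2 } END { print p }')
    if [ -z "$cert" ]; then
        echo "MISSING SSLCertificateFile"; found=1
    elif [ -z "$chain" ] && needs_chain_directive "$version"; then
        echo "NO_CHAIN Apache $version needs SSLCertificateChainFile"; found=1
    elif [ -z "$chain" ] && [ "${cert##*/}" != "fullchain.pem" ]; then
        echo "NO_CHAIN SSLCertificateFile should be fullchain.pem"; found=1
    fi

    if [ "$found" -eq 0 ]; then echo "OK"; fi
}

# Constructed sample inputs in the formats shown in the thread.
write_samples() {
    cat > "$1/certs.txt" <<'EOF'
Found the following certs:
  Certificate Name: old.example.com
    Expiry Date: 2019-07-16 06:45:47+00:00 (INVALID: EXPIRED)
  Certificate Name: api.example.com
    Expiry Date: 2020-07-02 12:08:00+00:00 (VALID: 89 days)
EOF
    cat > "$1/stale.conf" <<'EOF'
#SSLCertificateFile /etc/letsencrypt/live/api.example.com/fullchain.pem
SSLCertificateFile /etc/letsencrypt/live/old.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/old.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/old.example.com/chain.pem
EOF
    cat > "$1/fullchain.conf" <<'EOF'
SSLCertificateFile /etc/letsencrypt/live/api.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/api.example.com/privkey.pem
EOF
    cat > "$1/fixed.conf" <<'EOF'
SSLCertificateFile /etc/letsencrypt/live/api.example.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/api.example.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/api.example.com/privkey.pem
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in stale fullchain fixed; do
    echo "== $f.conf on Apache 2.2.15"
    audit_ssl_conf 2.2.15 "$tmp/$f.conf" "$tmp/certs.txt"
done
rm -rf "$tmp"
```

To confirm what the server actually sends after a reload, `openssl s_client -connect qa-api.juvlon.com:443 -showcerts` lists every certificate in the handshake.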

fullchain.pem used

If I used the below, it gave an error on reloading Apache:

SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/cert.pem

Strange, very strange, check your apache config for other ssl-related settings

grep -ri ssl /etc/httpd

I had replaced these 3 files in ssl.conf; now it shows SSL activated, but when I use it in the browser it's showing not secure.

Below is the grep file:

Binary file /etc/httpd/conf/.httpd.conf.swo matches
Binary file /etc/httpd/conf/.httpd.conf.swp matches
/etc/httpd/conf/httpd.conf:<IfModule !mod_ssl.c>
/etc/httpd/conf/httpd.conf:LoadModule ssl_module modules/mod_ssl.so
/etc/httpd/conf/httpd.conf:# (e.g. :80) if mod_ssl is being used, due to the nature of the
/etc/httpd/conf/httpd.conf:# SSL protocol.
/etc/httpd/conf/httpd.conf:#Include /etc/letsencrypt/options-ssl-apache.conf
/etc/httpd/conf/httpd.conf:#SSLCertificateFile /etc/letsencrypt/live/lnkjuv4.com/cert.pem
/etc/httpd/conf/httpd.conf:#SSLCertificateKeyFile /etc/letsencrypt/live/lnkjuv4.com/privkey.pem
/etc/httpd/conf/httpd.conf:#SSLCertificateChainFile /etc/letsencrypt/live/lnkjuv4.com/chain.pem
/etc/httpd/conf/httpd.conf:SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
/etc/httpd/conf.d/ssl.conf:# This is the Apache server configuration file providing SSL support.
/etc/httpd/conf.d/ssl.conf:# directives see URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
/etc/httpd/conf.d/ssl.conf:# When we also provide SSL we have to listen to the
/etc/httpd/conf.d/ssl.conf:<IfModule !mod_ssl.c>
/etc/httpd/conf.d/ssl.conf:LoadModule ssl_module modules/mod_ssl.so
/etc/httpd/conf.d/ssl.conf:## SSL Global Context
/etc/httpd/conf.d/ssl.conf:## All SSL configuration in this context applies both to
/etc/httpd/conf.d/ssl.conf:## the main server and all SSL-enabled virtual hosts.
/etc/httpd/conf.d/ssl.conf:SSLPassPhraseDialog builtin
/etc/httpd/conf.d/ssl.conf:# Configure the SSL Session Cache: First the mechanism
/etc/httpd/conf.d/ssl.conf:SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
/etc/httpd/conf.d/ssl.conf:SSLSessionCacheTimeout 300
/etc/httpd/conf.d/ssl.conf:# SSL engine uses internally for inter-process synchronization.
/etc/httpd/conf.d/ssl.conf:SSLMutex default
/etc/httpd/conf.d/ssl.conf:# SSL library. The seed data should be of good random quality.
/etc/httpd/conf.d/ssl.conf:# block. So, if available, use this one instead. Read the mod_ssl User
/etc/httpd/conf.d/ssl.conf:SSLRandomSeed startup file:/dev/urandom 256
/etc/httpd/conf.d/ssl.conf:SSLRandomSeed connect builtin
/etc/httpd/conf.d/ssl.conf:#SSLRandomSeed startup file:/dev/random 512
/etc/httpd/conf.d/ssl.conf:#SSLRandomSeed connect file:/dev/random 512
/etc/httpd/conf.d/ssl.conf:#SSLRandomSeed connect file:/dev/urandom 512
/etc/httpd/conf.d/ssl.conf:# Use “SSLCryptoDevice” to enable any supported hardware
/etc/httpd/conf.d/ssl.conf:# accelerators. Use “openssl engine -v” to list supported
/etc/httpd/conf.d/ssl.conf:SSLCryptoDevice builtin
/etc/httpd/conf.d/ssl.conf:#SSLCryptoDevice ubsec
/etc/httpd/conf.d/ssl.conf:## SSL Virtual Host Context
/etc/httpd/conf.d/ssl.conf:# Use separate log files for the SSL virtual host; note that LogLevel
/etc/httpd/conf.d/ssl.conf:ErrorLog logs/ssl_error_log
/etc/httpd/conf.d/ssl.conf:TransferLog logs/ssl_access_log
/etc/httpd/conf.d/ssl.conf:# SSL Engine Switch:
/etc/httpd/conf.d/ssl.conf:# Enable/Disable SSL for this virtual host.
/etc/httpd/conf.d/ssl.conf:SSLEngine on
/etc/httpd/conf.d/ssl.conf:# SSL Protocol support:
/etc/httpd/conf.d/ssl.conf:# connect. Disable SSLv2 access by default:
/etc/httpd/conf.d/ssl.conf:#SSLProtocol all -SSLv2
/etc/httpd/conf.d/ssl.conf:SSLProtocol ALL -SSLV2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2
/etc/httpd/conf.d/ssl.conf:# SSL Cipher Suite:
/etc/httpd/conf.d/ssl.conf:# See the mod_ssl documentation for a complete list.
/etc/httpd/conf.d/ssl.conf:#SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
/etc/httpd/conf.d/ssl.conf:SSLCipherSuite “EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4”
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:#SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/fullchain.pem
/etc/httpd/conf.d/ssl.conf:#SSLCertificateKeyFile /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateChainFile at a file containing the
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf:#SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/cert.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/cert.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/qa-api.juvlon.com/chain.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem
/etc/httpd/conf.d/ssl.conf:#SSLVerifyClient require
/etc/httpd/conf.d/ssl.conf:#SSLVerifyDepth 10
/etc/httpd/conf.d/ssl.conf:# With SSLRequire you can do per-directory access control based
/etc/httpd/conf.d/ssl.conf:# mixture between C and Perl. See the mod_ssl documentation
/etc/httpd/conf.d/ssl.conf:#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/
/etc/httpd/conf.d/ssl.conf:# and %{SSL_CLIENT_S_DN_O} eq “Snake Oil, Ltd.”
/etc/httpd/conf.d/ssl.conf:# and %{SSL_CLIENT_S_DN_OU} in {“Staff”, “CA”, “Dev”}
/etc/httpd/conf.d/ssl.conf:# SSL Engine Options:
/etc/httpd/conf.d/ssl.conf:# Set various options for the SSL engine.
/etc/httpd/conf.d/ssl.conf:# This exports two additional environment variables: SSL_CLIENT_CERT and
/etc/httpd/conf.d/ssl.conf:# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
/etc/httpd/conf.d/ssl.conf:# This exports the standard SSL/TLS related `SSL_*’ environment variables.
/etc/httpd/conf.d/ssl.conf:# This denies access when “SSLRequireSSL” or “SSLRequire” applied even
/etc/httpd/conf.d/ssl.conf:# This enables optimized SSL connection renegotiation handling when SSL
/etc/httpd/conf.d/ssl.conf:#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
/etc/httpd/conf.d/ssl.conf: SSLOptions +StdEnvVars
/etc/httpd/conf.d/ssl.conf: SSLOptions +StdEnvVars
/etc/httpd/conf.d/ssl.conf:# SSL Protocol Adjustments:
/etc/httpd/conf.d/ssl.conf:# The safe and default but still SSL/TLS standard compliant shutdown
/etc/httpd/conf.d/ssl.conf:# approach is that mod_ssl sends the close notify alert but doesn’t wait for
/etc/httpd/conf.d/ssl.conf:# o ssl-unclean-shutdown:
/etc/httpd/conf.d/ssl.conf:# SSL close notify alert is send or allowed to received. This violates
/etc/httpd/conf.d/ssl.conf:# the SSL/TLS standard but is needed for some brain-dead browsers. Use
/etc/httpd/conf.d/ssl.conf:# mod_ssl sends the close notify alert.
/etc/httpd/conf.d/ssl.conf:# o ssl-accurate-shutdown:
/etc/httpd/conf.d/ssl.conf:# SSL close notify alert is send and mod_ssl waits for the close notify
/etc/httpd/conf.d/ssl.conf:# alert of the client. This is 100% SSL/TLS standard compliant, but in
/etc/httpd/conf.d/ssl.conf:# this only for browsers where you know that their SSL implementation
/etc/httpd/conf.d/ssl.conf: nokeepalive ssl-unclean-shutdown
/etc/httpd/conf.d/ssl.conf:# The home of a custom SSL log file. Use this when you want a
/etc/httpd/conf.d/ssl.conf:# compact non-error SSL logfile on a virtual host basis.
/etc/httpd/conf.d/ssl.conf:CustomLog logs/ssl_request_log
/etc/httpd/conf.d/ssl.conf: “%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x “%r” %b”
You have mail in /var/spool/mail/root

Maybe now it's secure; I had used https://qa-api.juvlon.com