How to SSL installation for new subdomain

Sir, below are the ssl.conf details. Is there anything I need to change?

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/letsencrypt/live/lnkjuv4.com/cert.pem

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/lnkjuv4.com/privkey.pem

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /etc/letsencrypt/live/lnkjuv4.com/chain.pem

point those to your new certificate.

run ./letsencrypt-auto certificates to see the right paths.

[root@qa-atm letsencrypt]# ./letsencrypt-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: lnkjuv4.com
Domains: lnkjuv4.com
Expiry Date: 2019-07-16 06:45:47+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/lnkjuv4.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/lnkjuv4.com/privkey.pem
Certificate Name: qa-api.juvlon.com
Domains: qa-api.juvlon.com
Expiry Date: 2020-07-02 12:08:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/qa-api.juvlon.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem


[root@qa-atm letsencrypt]#

SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem

you need those two lines. (you can remove all the rest.)

Sir, is this ok?

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/fullchain.pem

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem

It looks fine.

I can give you encouragement, I can’t assume responsibilities for you.

Thanks for your support, sir.
The certificate renewed, but it gave the error below:


The certificate will expire in 89 days. Remind me

The hostname (qa-api.juvlon.com) is correctly listed in the certificate.

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

Common name: qa-api.juvlon.com
SANs: qa-api.juvlon.com
Valid from April 3, 2020 to July 2, 2020
Serial Number: 033261fb9504f5d28594116058a1057d6242
Signature Algorithm: sha256WithRSAEncryption
Issuer: Let’s Encrypt Authority X3

did you use fullchain.pem?

it usually works, but you might need to use this instead:

SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/qa-api.juvlon.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem
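The "not trusted in all web browsers" message means the server hands out the leaf certificate without the intermediate that links it to a trusted root. Apache only reads intermediates appended to SSLCertificateFile from 2.4.8 onward; the mod_ssl 2.2 documentation URL and the SSLMutex directive in this server's config (both visible in the grep output later in the thread) mark it as a 2.2-era setup, which is why cert.pem plus SSLCertificateChainFile is the combination that works there. The script below is an added example, not part of this thread or of certbot or Apache: it builds a throwaway root, intermediate and leaf with openssl (all names such as "Test Root" and example.test are constructed), lays the files out like /etc/letsencrypt/live/<name>/, and shows that the leaf alone fails to verify while leaf plus chain.pem or fullchain.pem verifies. It also checks that the private key belongs to the certificate, the usual cause of a failed reload after swapping files.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "missing intermediate" failure
# offline with a throwaway PKI. All names (Test Root, example.test) are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LIVE="$WORK/live/example.test"   # stands in for /etc/letsencrypt/live/<name>/

build_test_pki() {
    mkdir -p "$LIVE"
    # extension files: root and intermediate must be CAs, the leaf must not be
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.cnf"
    printf 'basicConstraints=CA:false\nsubjectAltName=DNS:example.test\n' > "$WORK/leaf.cnf"

    # self-signed root: plays the role of the root the browser already trusts
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
        -subj "/CN=Test Root" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
        -extfile "$WORK/ca.cnf" -out "$WORK/root.pem" 2>/dev/null
    # intermediate signed by the root: plays the role of the CA's intermediate
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" -out "$WORK/int.csr" \
        -subj "/CN=Test Intermediate" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ca.cnf" -out "$WORK/int.pem" 2>/dev/null
    # leaf signed by the intermediate, written as certbot's privkey.pem / cert.pem
    openssl req -new -newkey rsa:2048 -nodes -keyout "$LIVE/privkey.pem" -out "$WORK/leaf.csr" \
        -subj "/CN=example.test" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 30 -extfile "$WORK/leaf.cnf" -out "$LIVE/cert.pem" 2>/dev/null
    # chain.pem = intermediate(s) only; fullchain.pem = leaf followed by the chain
    cp "$WORK/int.pem" "$LIVE/chain.pem"
    cat "$LIVE/cert.pem" "$LIVE/chain.pem" > "$LIVE/fullchain.pem"
}

# Verify the leaf the way a browser does: only the root is trusted, everything else
# has to arrive from the server. Prints "ok" or "untrusted".
verify_chain() {   # $1 = leaf cert, $2 = trusted root, $3 = intermediates the server sends (optional)
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo ok || echo untrusted
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo untrusted
    fi
}

# Compare the public key inside the certificate with the one derived from the private key.
key_matches_cert() {   # $1 = cert, $2 = private key
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ "$c" = "$k" ] && echo match || echo mismatch
}

build_test_pki
echo "leaf only (SSLCertificateFile cert.pem, no chain):     $(verify_chain "$LIVE/cert.pem" "$WORK/root.pem")"
echo "leaf + chain.pem (SSLCertificateChainFile):            $(verify_chain "$LIVE/cert.pem" "$WORK/root.pem" "$LIVE/chain.pem")"
echo "leaf + fullchain.pem (SSLCertificateFile on >= 2.4.8): $(verify_chain "$LIVE/cert.pem" "$WORK/root.pem" "$LIVE/fullchain.pem")"
echo "privkey.pem belongs to cert.pem:                       $(key_matches_cert "$LIVE/cert.pem" "$LIVE/privkey.pem")"
```

To see what a live server actually sends after a reload, `openssl s_client -connect qa-api.juvlon.com:443 -servername qa-api.juvlon.com -showcerts` lists every certificate in the handshake; if only one appears, the intermediate is still missing regardless of what the config files say.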

fullchain.pem used

If I use the line below, it gives an error when reloading apache:

SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/cert.pem

Strange, very strange, check your apache config for other ssl-related settings

grep -ri ssl /etc/httpd

I had replaced these 3 files in ssl.conf; now it shows SSL activated, but when I open it in the browser it shows "not secure".

Below is the grep output:

Binary file /etc/httpd/conf/.httpd.conf.swo matches
Binary file /etc/httpd/conf/.httpd.conf.swp matches
/etc/httpd/conf/httpd.conf:<IfModule !mod_ssl.c>
/etc/httpd/conf/httpd.conf:LoadModule ssl_module modules/mod_ssl.so
/etc/httpd/conf/httpd.conf:# (e.g. :80) if mod_ssl is being used, due to the nature of the
/etc/httpd/conf/httpd.conf:# SSL protocol.
/etc/httpd/conf/httpd.conf:#Include /etc/letsencrypt/options-ssl-apache.conf
/etc/httpd/conf/httpd.conf:#SSLCertificateFile /etc/letsencrypt/live/lnkjuv4.com/cert.pem
/etc/httpd/conf/httpd.conf:#SSLCertificateKeyFile /etc/letsencrypt/live/lnkjuv4.com/privkey.pem
/etc/httpd/conf/httpd.conf:#SSLCertificateChainFile /etc/letsencrypt/live/lnkjuv4.com/chain.pem
/etc/httpd/conf/httpd.conf:SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
/etc/httpd/conf.d/ssl.conf:# This is the Apache server configuration file providing SSL support.
/etc/httpd/conf.d/ssl.conf:# directives see URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
/etc/httpd/conf.d/ssl.conf:# When we also provide SSL we have to listen to the
/etc/httpd/conf.d/ssl.conf:<IfModule !mod_ssl.c>
/etc/httpd/conf.d/ssl.conf:LoadModule ssl_module modules/mod_ssl.so
/etc/httpd/conf.d/ssl.conf:## SSL Global Context
/etc/httpd/conf.d/ssl.conf:## All SSL configuration in this context applies both to
/etc/httpd/conf.d/ssl.conf:## the main server and all SSL-enabled virtual hosts.
/etc/httpd/conf.d/ssl.conf:SSLPassPhraseDialog builtin
/etc/httpd/conf.d/ssl.conf:# Configure the SSL Session Cache: First the mechanism
/etc/httpd/conf.d/ssl.conf:SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
/etc/httpd/conf.d/ssl.conf:SSLSessionCacheTimeout 300
/etc/httpd/conf.d/ssl.conf:# SSL engine uses internally for inter-process synchronization.
/etc/httpd/conf.d/ssl.conf:SSLMutex default
/etc/httpd/conf.d/ssl.conf:# SSL library. The seed data should be of good random quality.
/etc/httpd/conf.d/ssl.conf:# block. So, if available, use this one instead. Read the mod_ssl User
/etc/httpd/conf.d/ssl.conf:SSLRandomSeed startup file:/dev/urandom 256
/etc/httpd/conf.d/ssl.conf:SSLRandomSeed connect builtin
/etc/httpd/conf.d/ssl.conf:#SSLRandomSeed startup file:/dev/random 512
/etc/httpd/conf.d/ssl.conf:#SSLRandomSeed connect file:/dev/random 512
/etc/httpd/conf.d/ssl.conf:#SSLRandomSeed connect file:/dev/urandom 512
/etc/httpd/conf.d/ssl.conf:# Use “SSLCryptoDevice” to enable any supported hardware
/etc/httpd/conf.d/ssl.conf:# accelerators. Use “openssl engine -v” to list supported
/etc/httpd/conf.d/ssl.conf:SSLCryptoDevice builtin
/etc/httpd/conf.d/ssl.conf:#SSLCryptoDevice ubsec
/etc/httpd/conf.d/ssl.conf:## SSL Virtual Host Context
/etc/httpd/conf.d/ssl.conf:# Use separate log files for the SSL virtual host; note that LogLevel
/etc/httpd/conf.d/ssl.conf:ErrorLog logs/ssl_error_log
/etc/httpd/conf.d/ssl.conf:TransferLog logs/ssl_access_log
/etc/httpd/conf.d/ssl.conf:# SSL Engine Switch:
/etc/httpd/conf.d/ssl.conf:# Enable/Disable SSL for this virtual host.
/etc/httpd/conf.d/ssl.conf:SSLEngine on
/etc/httpd/conf.d/ssl.conf:# SSL Protocol support:
/etc/httpd/conf.d/ssl.conf:# connect. Disable SSLv2 access by default:
/etc/httpd/conf.d/ssl.conf:#SSLProtocol all -SSLv2
/etc/httpd/conf.d/ssl.conf:SSLProtocol ALL -SSLV2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2
/etc/httpd/conf.d/ssl.conf:# SSL Cipher Suite:
/etc/httpd/conf.d/ssl.conf:# See the mod_ssl documentation for a complete list.
/etc/httpd/conf.d/ssl.conf:#SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
/etc/httpd/conf.d/ssl.conf:SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:#SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/fullchain.pem
/etc/httpd/conf.d/ssl.conf:#SSLCertificateKeyFile /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateChainFile at a file containing the
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf:#SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/cert.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/cert.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/qa-api.juvlon.com/chain.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem
/etc/httpd/conf.d/ssl.conf:#SSLVerifyClient require
/etc/httpd/conf.d/ssl.conf:#SSLVerifyDepth 10
/etc/httpd/conf.d/ssl.conf:# With SSLRequire you can do per-directory access control based
/etc/httpd/conf.d/ssl.conf:# mixture between C and Perl. See the mod_ssl documentation
/etc/httpd/conf.d/ssl.conf:#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/
/etc/httpd/conf.d/ssl.conf:# and %{SSL_CLIENT_S_DN_O} eq “Snake Oil, Ltd.”
/etc/httpd/conf.d/ssl.conf:# and %{SSL_CLIENT_S_DN_OU} in {“Staff”, “CA”, “Dev”}
/etc/httpd/conf.d/ssl.conf:# SSL Engine Options:
/etc/httpd/conf.d/ssl.conf:# Set various options for the SSL engine.
/etc/httpd/conf.d/ssl.conf:# This exports two additional environment variables: SSL_CLIENT_CERT and
/etc/httpd/conf.d/ssl.conf:# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
/etc/httpd/conf.d/ssl.conf:# This exports the standard SSL/TLS related `SSL_*’ environment variables.
/etc/httpd/conf.d/ssl.conf:# This denies access when “SSLRequireSSL” or “SSLRequire” applied even
/etc/httpd/conf.d/ssl.conf:# This enables optimized SSL connection renegotiation handling when SSL
/etc/httpd/conf.d/ssl.conf:#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
/etc/httpd/conf.d/ssl.conf: SSLOptions +StdEnvVars
/etc/httpd/conf.d/ssl.conf: SSLOptions +StdEnvVars
/etc/httpd/conf.d/ssl.conf:# SSL Protocol Adjustments:
/etc/httpd/conf.d/ssl.conf:# The safe and default but still SSL/TLS standard compliant shutdown
/etc/httpd/conf.d/ssl.conf:# approach is that mod_ssl sends the close notify alert but doesn’t wait for
/etc/httpd/conf.d/ssl.conf:# o ssl-unclean-shutdown:
/etc/httpd/conf.d/ssl.conf:# SSL close notify alert is send or allowed to received. This violates
/etc/httpd/conf.d/ssl.conf:# the SSL/TLS standard but is needed for some brain-dead browsers. Use
/etc/httpd/conf.d/ssl.conf:# mod_ssl sends the close notify alert.
/etc/httpd/conf.d/ssl.conf:# o ssl-accurate-shutdown:
/etc/httpd/conf.d/ssl.conf:# SSL close notify alert is send and mod_ssl waits for the close notify
/etc/httpd/conf.d/ssl.conf:# alert of the client. This is 100% SSL/TLS standard compliant, but in
/etc/httpd/conf.d/ssl.conf:# this only for browsers where you know that their SSL implementation
/etc/httpd/conf.d/ssl.conf: nokeepalive ssl-unclean-shutdown
/etc/httpd/conf.d/ssl.conf:# The home of a custom SSL log file. Use this when you want a
/etc/httpd/conf.d/ssl.conf:# compact non-error SSL logfile on a virtual host basis.
/etc/httpd/conf.d/ssl.conf:CustomLog logs/ssl_request_log
/etc/httpd/conf.d/ssl.conf: "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
You have mail in /var/spool/mail/root
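Reading ninety-odd grep lines by eye is how things get missed: the commented-out directives look active at a glance, httpd.conf still carries a cipher string that admits RC4, and SSLProtocol still enables TLSv1.1. The script below is an added example (not the thread's, not certbot's, not Apache's) that reduces the output of `grep -ri ssl /etc/httpd` to the live directives and flags those conditions; the sample input is a constructed excerpt of the grep output above, and the finding names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: reduce "grep -ri ssl /etc/httpd" output to the live
# directives and flag the mistakes this thread ran into. Pure awk, so it runs anywhere.
set -e

# Constructed excerpt of the grep output above: a comment, a stale cipher string in
# httpd.conf, and the cert/chain/key trio that finally worked in ssl.conf.
SAMPLE_GREP='Binary file /etc/httpd/conf/.httpd.conf.swp matches
/etc/httpd/conf/httpd.conf:#SSLCertificateFile /etc/letsencrypt/live/lnkjuv4.com/cert.pem
/etc/httpd/conf/httpd.conf:SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
/etc/httpd/conf.d/ssl.conf:SSLEngine on
/etc/httpd/conf.d/ssl.conf:SSLProtocol ALL -SSLV2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2
/etc/httpd/conf.d/ssl.conf:#SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/fullchain.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/cert.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/qa-api.juvlon.com/chain.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem'

# stdin: grep -ri output. stdout: "file<TAB>directive<TAB>value" for uncommented SSL* lines only.
active_directives() {
    awk '
        {
            i = index($0, ":"); if (i == 0) next          # "Binary file ... matches"
            file = substr($0, 1, i - 1); line = substr($0, i + 1)
            sub(/^[ \t]+/, "", line)
            if (line !~ /^SSL/) next                      # drops "#SSL..." comments and prose
            d = line; sub(/[ \t].*$/, "", d)
            v = line; sub(/^[^ \t]+[ \t]*/, "", v)
            print file "\t" d "\t" v
        }'
}

# stdin: grep -ri output. stdout: one finding per line, sorted; nothing printed = nothing flagged.
audit_ssl_config() {
    active_directives | awk -F '\t' '
        {
            seen[$2]++; where[$2] = where[$2] " " $1
            if ($2 == "SSLCertificateFile")      certfile = $3
            if ($2 == "SSLCertificateChainFile") chain = $3
            if ($2 == "SSLProtocol")             proto = $3
            # text heuristic only; "openssl ciphers -v <string>" is the authoritative check
            if ($2 == "SSLCipherSuite" && $3 ~ /RC4/ && $3 !~ /!RC4/) print "RC4_ENABLED " $1
        }
        END {
            # the same directive live in two files means one of them silently wins
            for (d in seen) if (seen[d] > 1) print "DUPLICATE " d where[d]
            if (certfile != "" && chain == "") {
                if (certfile ~ /fullchain\.pem$/) print "FULLCHAIN_NEEDS_APACHE_2_4_8 " certfile
                else                              print "MISSING_CHAIN " certfile
            }
            if (proto ~ /\+TLSv1(\.1)?( |$)/ || (tolower(proto) ~ /(^| )all( |$)/ && proto !~ /-TLSv1\.1/))
                print "LEGACY_PROTOCOL " proto
        }' | sort
}

printf '%s\n' "$SAMPLE_GREP" | active_directives
printf '%s\n' "$SAMPLE_GREP" | audit_ssl_config
```

On the real box, `grep -ri ssl /etc/httpd | audit_ssl_config` replaces the constructed sample; the grep output alone cannot tell which virtual host a directive lands in, so `httpd -t -D DUMP_VHOSTS` remains the check for that.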

Maybe now it's secure; I used https://qa-api.juvlon.com

your certificate chain is fine now. check autorenewal (certbot renew --dry-run runs with no error and you have a crontab line for it) and you’re fine.

[root@qa-atm conf.d]# certbot renew --dry-run
-bash: certbot: command not found

as I said… commands can change names

Sir, sorry to say, but I do not understand exactly.

letsencrypt-auto renew --dry-run is it ok??

it’s ok. if it runs with no errors you are halfway ok.

then you need to add a crontab line. see on the certbot website how.
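A passing `renew --dry-run` proves the challenge works today; what keeps the lnkjuv4.com situation (an expired certificate still referenced from the config) from recurring is a cron entry plus something that notices when the file on disk drifts toward expiry. The script below is an added example, not from this thread or from certbot: it checks a certificate file with `openssl x509 -checkend` against the 30-day window inside which `certbot renew` acts, checks a crontab dump for an uncommented renew line, and prints a suggested cron line. The certificate it checks is a constructed 90-day self-signed one so the script runs offline; the path in the cron line is a placeholder to adjust.

```shell
#!/bin/sh
# Added example, not from the thread or certbot: the two things to check once
# "renew --dry-run" passes: that the cron entry exists and that the certificate on disk
# is not drifting toward expiry (certbot only renews inside the last 30 days).
set -e

# Constructed 90-day self-signed certificate so the check runs offline; a real run
# would point at /etc/letsencrypt/live/<name>/cert.pem instead.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" \
    -subj "/CN=example.test" -days 90 >/dev/null 2>&1

# Exit 0 when the certificate stays valid for at least $2 more days, non-zero otherwise.
valid_for_days() {   # $1 = cert path, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# "ok <notAfter>" while more than 30 days remain, "RENEW <notAfter>" inside certbot's window,
# "EXPIRED <notAfter>" once it is gone (the lnkjuv4.com state earlier in the thread).
check_cert() {   # $1 = cert path
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    if valid_for_days "$1" 30; then echo "ok $end"
    elif valid_for_days "$1" 0; then echo "RENEW $end"
    else echo "EXPIRED $end"; fi
}

# stdin: "crontab -l" output. Exit 0 if some uncommented line runs a renew command.
has_renew_cron() {
    grep -v '^[[:space:]]*#' | grep -q 'renew'
}

# Suggested entry (the /path/to/ part is a placeholder): twice a day, quiet, and a
# graceful Apache reload only on the runs where a certificate was actually renewed.
suggested_cron_line() {
    echo '0 3,15 * * * /path/to/letsencrypt-auto renew --quiet --post-hook "apachectl graceful"'
}

check_cert "$WORK/cert.pem"
if printf '%s\n' "$(suggested_cron_line)" | has_renew_cron; then echo "cron entry present"; fi
```

On the server, `crontab -l | has_renew_cron` answers the "do you have a crontab line" question, and `check_cert /etc/letsencrypt/live/qa-api.juvlon.com/cert.pem` run from monitoring catches a renewal that silently stopped working long before the browser warning does.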

thanks for your help
