How to switch from staging to production


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: enorugby.com

I ran this command: certbot --apache --force renewal

It produced this output:
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://enorugby.com and
https://www.enorugby.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=enorugby.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.enorugby.com

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): VestaCP

Sorry if this is a silly question, but I’m a bit new to this. I’ve been searching and can’t find a straightforward set of instructions. What is the proper process for switching from staging to production?
I ran certbot --staging to test my initial setup. Once that was working, I ran certbot --apache to set up the real SSL certificate. I also tried certbot --apache --force-renewal after reading a related post on this forum. Everything seems to run ok, but when I test my site at https://www.ssllabs.com/ssltest/analyze.html?d=enorugby.com, it says my certificate is not trusted. The Issuer is listed as Fake LE Intermediate X1, which I take to mean that it is still looking at my staging certificate. How do I change this? I’m worried that if I keep running certbot blindly, I’ll hit my rate limit.
Thanks.


#2

There’s probably a reference to the staging server somewhere.

Check the contents of /etc/letsencrypt/cli.ini if it exists and if that doesn’t give any reference to the staging server, try looking into the file /etc/letsencrypt/renewal/enorugby.com.conf (or www.enorugby.com.conf, depending on the “certificate name” which can be found with certbot certificates).

If you find any reference to the staging server in the server configuration variable, change it to the “real” live server:

server = https://acme-v02.api.letsencrypt.org/directory

Then, you can run certbot renew --force-renewal just once. If that gives you a valid certificate, you can continue to run certbot renew (without the --force-renewal!) in a daily cronjob.
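
The check described in the answer above, as an added example (not part of the original posts and not certbot's own tooling): two POSIX shell functions that locate leftover staging settings and preview the corrected file. The function names are hypothetical, and the example assumes the staging endpoint URL contains the word "staging" and that cli.ini may carry a `staging = true` or `test-cert = true` switch.

```shell
#!/bin/sh
# Added example: locate leftover ACME staging settings in certbot's config.
# Function names are hypothetical; paths follow the answer above.

# Print "file:line:text" for every staging reference under DIR
# (default /etc/letsencrypt). Returns 0 if any were found, 1 if none,
# 2 if there were no config files to inspect.
find_staging_refs() {
    root="${1:-/etc/letsencrypt}"
    set --
    if [ -f "$root/cli.ini" ]; then set -- "$root/cli.ini"; fi
    for f in "$root"/renewal/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ "$#" -eq 0 ]; then return 2; fi
    # Matches "server = <url containing staging>" and "staging = true" /
    # "test-cert = true"; commented-out lines are ignored. The extra
    # /dev/null makes grep print the file name even for a single file.
    grep -nEi '^[[:space:]]*(server[[:space:]]*=.*staging|(staging|test-cert)[[:space:]]*=[[:space:]]*true)' "$@" /dev/null
}

# Write FILE to stdout with the server line pointed at production and any
# staging/test-cert switch dropped. FILE itself is not modified.
to_production() {
    sed -E \
        -e 's|^([[:space:]]*server[[:space:]]*=[[:space:]]*).*staging.*$|\1https://acme-v02.api.letsencrypt.org/directory|' \
        -e '/^[[:space:]]*(staging|test-cert)[[:space:]]*=[[:space:]]*[Tt]rue/d' \
        "$1"
}
```

Source the file in a root shell, call find_staging_refs, and compare the to_production output against the original before replacing it; afterwards a single certbot renew --force-renewal, as the answer says, requests the production certificate.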


#3

Hi @boredomisagift

you must clear the cache to get a new result.

All looks good:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://enorugby.com/ 142.93.205.0 | 301 | https://enorugby.com/ | 0.197 | A |
| http://www.enorugby.com/ 142.93.205.0 | 301 | https://www.enorugby.com/ | 0.200 | A |
| https://enorugby.com/ 142.93.205.0 | 200 | | 2.334 | B |
| https://www.enorugby.com/ 142.93.205.0 | 200 | | 2.083 | B |

Your certificate:

CN=enorugby.com
09.12.2018
09.03.2019
enorugby.com, www.enorugby.com - 2 entries

It’s only a caching problem.

Now SslLabs is ready, you have a Grade A.


#4

Aha, that did it! I tried Ctrl-F5 at the ssllabs.com site but had not tried clearing my browser cache. Thank you! This forum is incredibly helpful.


#5

No, it’s not your browser cache (maybe sometimes, but not now).

SslLabs has its own cache:

So if you test your website with Ssllabs, then change something, then load Ssllabs again:

Ssllabs shows the old result.

I’ve checked your domain first with my own tool, all was good.

Then I followed your Ssllabs link and clicked the “Clear cache” link.


#6

Ah, I see. Well, in this case, clearing my browser worked. I can see it being an SSLLabs cache issue with enorugby.com since I originally tested that one with the staging cert, but I also tried testing www.enorugby.com and got the same result. I didn’t check the latter until after running certbot with force renewal and restarting Apache. Maybe it showed the same result because it’s the same IP address?

