I had to reissue certificate, and it is using old one


#1

I had to reissue a certificate using acme because I had a problem automatically renewing using another method.

I was able to reissue the certificate. And it appears all is well with the new certificate, but the old one expired and now the site is inaccessible. (https://www.hubsocialpub.com/).

Is there a way to tell which certificates were installed by acme? I can see httpd-le-ssl.conf file points to a shortcut which points to certificates in an archive file, but how can I tell if those are the correct certificates? Where does acme typically store the certificates?

Also, I believe it took these lines out of the httpd-le-ssl.conf file…do I need these?
SSLCertificateChainFile "/etc/httpd/ssl/letsencrypt.pem"
SSLCACertificatePath "/etc/httpd/ssl/"
SSLCACertificateFile "/etc/httpd/ssl/letsencrypt.pem"

I believe the new certificate, created with acme, is current based on the following command:
[ec2-user@ip-10-0-1-160 ~]$ sudo /home/ec2-user/.acme.sh/acme.sh --list
Main_Domain KeyLength SAN_Domains Created Renew
hubsocialpub.com "" *.hubsocialpub.com Thu Oct 11 12:26:43 UTC 2018 Mon Dec 10 12:26:43 UTC 2018

If this helps, apachectl returns the following:
[ec2-user@ip-10-0-1-160 ~]$ sudo apachectl -S
VirtualHost configuration:
*:80 hubsocialpub.com (/etc/httpd/conf/httpd.conf:43)
*:443 is a NameVirtualHost
default server ip-10-0-1-160.ec2.internal (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost ip-10-0-1-160.ec2.internal (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost hubsocialpub.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
alias www.hubsocialpub.com
wild alias *.hubsocialpub.com
ServerRoot: "/etc/httpd"
(everything else is using defaults)

Thanks a lot!

Ken


#2

I found the certs in /etc/httpd/ssl/, and adjusted C:\Users\Ken\AppData\Local\Temp\scp58735\etc\httpd\conf\httpd-le-ssl.conf to look like the below, and it works!

<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName "hubsocialpub.com"
ServerAlias "www.hubsocialpub.com" "*.hubsocialpub.com"
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/httpd/ssl/hubsocialpub.com-cert.pem
SSLCertificateKeyFile /etc/httpd/ssl/hubsocialpub.com-key.pem
SSLCertificateChainFile "/etc/httpd/ssl/letsencrypt.pem"
SSLCACertificatePath "/etc/httpd/ssl/"
SSLCACertificateFile "/etc/httpd/ssl/letsencrypt.pem"
</VirtualHost>


#3

That command is for the intermediate certificate of Let’s Encrypt. It depends if you need it. If your Apache version is below 2.4.8 you’d need a SSLCertificateChainFile besides the SSLCertificateFile and SSLCertificateKeyFile, respectively the end leaf certificate and private key.

These directives are for client authentication with x509 certificates. Let’s Encrypt doesn’t issue certificates which can be used for this purpose. It shouldn’t be needed.

Furthermore, in general: those SSL directives in httpd-le-ssl.conf, were those added by acme.sh? Because just issuing the certificates with acme.sh doesn’t install them.

Please take a look at the different acme.sh Wiki pages, such as this one: https://github.com/Neilpang/acme.sh/wiki/Deploy-ssl-certs-to-apache-server
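
One way to check which certificate Apache is actually configured to serve, and whether it is the one acme.sh just issued. This is an added example, not part of the thread and not acme.sh's own code. The function names are hypothetical, and the script assumes certificate paths without whitespace and an issued certificate in acme.sh's working directory (typically `~/.acme.sh/<domain>/<domain>.cer`).

```shell
#!/bin/sh
# Added example: compare the certificate named in an Apache config with the
# certificate acme.sh issued, and flag a stale, expired or missing file.

# Print every SSLCertificateFile path in a config file (directive names are
# case-insensitive; straight quotes around the path are stripped).
configured_certs() {
    awk 'tolower($1) == "sslcertificatefile" { gsub(/"/, "", $2); print $2 }' "$1"
}

# SHA-256 fingerprint of the first certificate in a PEM file (the leaf, when
# the file is a full chain). Prints nothing if the file is not a certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# check_cert <configured.pem> <issued.pem>
# Prints MISSING, UNREADABLE, EXPIRED, STALE or MATCH; returns 0 only on MATCH.
check_cert() {
    [ -r "$1" ] || { echo MISSING; return 1; }
    fp=$(cert_fingerprint "$1")
    [ -n "$fp" ] || { echo UNREADABLE; return 1; }
    # -checkend 0 exits non-zero when notAfter is already in the past.
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED; return 1
    fi
    # A valid but different certificate means the config still points at an
    # older file than the one acme.sh issued.
    [ "$fp" = "$(cert_fingerprint "$2")" ] || { echo STALE; return 1; }
    echo MATCH
}

# check_conf <apache.conf> <issued.pem>
# Reports each configured path, the file a symlink resolves to, and its status.
check_conf() {
    rc=0
    for path in $(configured_certs "$1"); do
        printf '%s -> %s: ' "$path" "$(readlink -f "$path" 2>/dev/null || echo "$path")"
        check_cert "$path" "$2" || rc=1
    done
    return $rc
}
```

Source the file and run, for example, `check_conf /etc/httpd/conf/httpd-le-ssl.conf <issued-cert>`. Any result other than MATCH means Apache is not serving the newly issued certificate from that path; Apache also has to be reloaded before it picks up a changed file.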

