Localhost (self-signed) cert superseding LetsEncrypt cert

Fixed. Turns out my server did not recognize the ECC cert. I reissued RSA by including --keylength 2048 in the acme issue command, and things seem to be working now.

That command doesn't inject the certificate into the webserver config: you need to edit the Apache config file to look at the cert on acme.sh.

2 Likes

Working. See above.

So, was the problem solved?

This says "no":
SSL Server Test: build.they.do (Powered by Qualys SSL Labs)

As with all things Apache [in this forum], I prefer to start troubleshooting with the output of:

sudo apachectl -t -D DUMP_VHOSTS

2 Likes
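One way to read the DUMP_VHOSTS output suggested above, as an added example that is not part of the original thread: it reports whether a hostname has its own name-based vhost on port 443 or falls through to the default one, whose certificate Apache would then serve. The sample dump and its file paths are constructed for illustration, and `vhost_443_status` and `sample_dump` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of `apachectl -t -D DUMP_VHOSTS` output (paths are made up).
sample_dump() {
cat <<'EOF'
VirtualHost configuration:
*:80                   build.they.do (/etc/apache2/sites-enabled/build.conf:1)
*:443                  is a NameVirtualHost
         default server localhost (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost localhost (/etc/apache2/sites-enabled/default-ssl.conf:2)
EOF
}

# vhost_443_status HOST  (dump on stdin) prints one of:
#   named <file:line>            HOST has its own vhost on port 443
#   default <name> <file:line>   HOST is answered by the default :443 vhost
#   none                         no vhost is defined on port 443
vhost_443_status() {
  awk -v host="$1" '
    function path(s) { gsub(/[()]/, "", s); return s }
    # An unindented line opens a new address:port section.
    /^[^ \t]/ {
      in443 = ($1 ~ /:443$/)
      # Single-vhost form: "*:443  name (file:line)"
      if (in443 && $2 != "is") { single = $2; sfile = path($3) }
      next
    }
    in443 && $1 == "default" && $2 == "server" { def = $3; dfile = path($4) }
    in443 && $1 == "port" && $3 == "namevhost" {
      cfile = path($5)
      if ($4 == host) named = cfile
    }
    # ServerAlias entries are listed under the vhost they belong to.
    in443 && $1 == "alias" && $2 == host { named = cfile }
    END {
      if (named != "")       print "named " named
      else if (single == host) print "named " sfile
      else if (single != "") print "default " single " " sfile
      else if (def != "")    print "default " def " " dfile
      else                   print "none"
    }'
}

# On a live server: sudo apachectl -t -D DUMP_VHOSTS | vhost_443_status build.they.do
sample_dump | vhost_443_status build.they.do
```

A "default" result means the certificate paths to check are in the file and line it names, not in the config written for the hostname.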

The site is now using a "localhost" [self-signed cert]:

subject=CN = localhost
issuer=CN = localhost

And has DH issues:

curl -Iik https://build.they.do/
curl: (35) error:0A00018A:SSL routines::dh key too small
2 Likes