I think I messed up here. I had a need to switch VPS servers and didn’t have a lot of time to do it. If I were to get any money back, I needed to cancel my VPS on the one company today. In my haste, I think I missed something. I think maybe I was supposed to revoke the SSL certificates from Let’s Encrypt before moving.
I moved to the new VPS. I just finished installing cPanel. I try going to the cPanel site, but I receive this message:
You cannot visit example.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later. Learn more.
How can I revoke the old SSL certificates and generate new SSL certificates on the new VPS so I don’t receive this message anymore? I did back up all my certificates before the VPS got destroyed. Can I just plop them in the /etc/letsencrypt directory and configure Apache to look for them? Or do I have to do something else?
The message is unrelated to revocation; it simply means that you have previously enabled the HSTS header (or maybe even used HSTS preloading), and your browser is remembering that from a previous visit. HSTS essentially tells browsers “never visit this site without HTTPS, and never let the user accept a self-signed certificate for this site”.
There’s no need to revoke the certificate you’ve used on your old servers unless you think it was compromised. You can just go ahead and get a new certificate; basically act like this is the first time you’re setting this up. Let’s Encrypt doesn’t mind. cPanel has native support for Let’s Encrypt in the latest version (I think it might be called AutoSSL?), so that’s probably your best option. (I do believe some web hosting companies disable that feature though.)
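Added example (not part of the thread and not any browser's actual code): a small Python model of the per-host HSTS cache described in the answer above, following the header rules in RFC 6797, to show why a remembered policy still applies after the server behind the name is rebuilt. The host names and header values are constructed samples; preloaded hosts are not modelled.

```python
# Added example: minimal model of a browser's HSTS host cache (RFC 6797).
import time

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a policy dict, or None if invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in filter(None, (p.strip() for p in header.split(";"))):
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in seen:              # a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not (value.isascii() and value.isdigit()):
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":       # used by preload lists, not defined in the RFC
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None  # max-age is required

class HstsCache:
    def __init__(self):
        self.hosts = {}   # host -> (expiry timestamp, include_subdomains)

    def note(self, host, header, now=None):
        """Record a header received over an error-free HTTPS connection to host."""
        now = time.time() if now is None else now
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:    # max-age=0 tells the browser to forget the host
            self.hosts.pop(host.lower(), None)
        else:
            self.hosts[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])

    def enforced(self, host, now=None):
        """True if HTTPS is forced and certificate errors cannot be clicked through."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # an exact match always counts; a parent only if it set includeSubDomains
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```

The cache is keyed on the host name alone, so the entry stays in force until it expires, the site sends `max-age=0` over a valid HTTPS connection, or the user clears it from the browser.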
Thank you for the response. So, even though I told letsencrypt-auto to use the HSTS and to always redirect to the secure site, that had nothing to do with the actual cert or anything?
I cleared my browser's cache and can now access my site and WHM / cPanel. I thought the options I had passed to letsencrypt-auto, the --must-staple --redirect --hsts --uir --staple-ocsp were somehow telling the certificate to always use https, staple, etc. I didn't see how this was possible though, but I didn't know a lot (and still don't) about HTTPS and SSL certs. I thought maybe my Apache configuration file was being edited, or somehow, when the browser saw the domain name, it knew it was always supposed to go to the secure version. Thanks!