I’ve run out of options and can’t seem to find the answer I need, so hopefully somebody here can be of assistance.
I run letsencrypt on a server I own, with several domains hosted from there. I am using a single cert for every domain at once, and am renewing certs via letsencrypt-auto. At some point a few months ago, I tried to add a new domain, was working with a new registrar, and messed up my DNS. As I couldn’t get a cert for the domain, I did something at that time, which I think might have been to revoke the existing cert.
I installed a new certificate, and part of what I did during/after the revoke was to remove letsencrypt completely and start again. I realize now the error of my ways, but I don’t have a backup that goes that far back, and I don’t think it would matter if I did.
My server is currently supplying two certificates, one of which is valid and one of which is revoked. I let the revoked one expire, thinking that would remove the SSL errors, but it did not.
Looking at ssllabs for the various domains, I am getting two certs listed, but I can’t for the life of me figure out if the revoked one is still lurking somewhere on the machine. I don’t think it is, but that’s what I need to know.
Here is a domain with an “A” rating that is still sending two certs:
Here is a domain with a “T” rating that is sending the two certs but in reverse order so the revoked one is coming through first:
And here’s a third domain that was probably the cause of this trouble, which is showing an “A” rating but a cert mismatch as it is not listed in the set of domains for the bad certificate:
My web server is (include version): apache2
The operating system my web server runs on is (include version): ubuntu 16.04.9
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
My understanding is that the certs are maintained on the CA level, which means I might be SOL. How can I get rid of this revoked cert in favor of the one that actually works and is trusted? Is that even possible? I have looked at every key and pem file on my server and can’t find anything with the same value as the revoked cert is sending.
I feel as though I’m out of options. Any help somebody can provide would be great.
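One systematic way to answer the question above (is the revoked cert still on disk, and which vhost serves it) is to fingerprint what Apache actually sends for each hostname over SNI and compare it with every SSLCertificateFile its config references. This is an added example, not code from the original post; it assumes openssl is installed and that the Apache config tree lives under /etc/apache2 (override with APACHE_DIR).

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: match the certificate Apache
# actually serves for each hostname against the PEM files its config references,
# by SHA-256 fingerprint. Assumes openssl is installed and the Apache config
# tree lives under APACHE_DIR (default /etc/apache2).

APACHE_DIR="${APACHE_DIR:-/etc/apache2}"

# Print the unique SSLCertificateFile paths found in Apache config text on stdin.
# Comments are stripped first so commented-out directives are ignored.
list_cert_files() {
    sed 's/#.*//' | awk 'tolower($1) == "sslcertificatefile" { print $2 }' | sort -u
}

# SHA-256 fingerprint of the (first) certificate in a PEM file.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate served for a hostname, requested
# with SNI so each virtual host is tested the way a browser would see it.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# For each hostname, report which configured cert file (if any) is the one served.
# "no match" means the served certificate is not referenced by any *.conf file.
check_names() {
    local name served f found
    for name in "$@"; do
        served=$(served_fingerprint "$name")
        printf '%s serves %s\n' "$name" "${served:-<no certificate>}"
        found=0
        for f in $(find "$APACHE_DIR" -name '*.conf' -exec cat {} + | list_cert_files); do
            [ -r "$f" ] || continue
            if [ "$(file_fingerprint "$f")" = "$served" ]; then
                printf '  matches %s\n' "$f"; found=1
            fi
        done
        [ "$found" -eq 1 ] || printf '  no match among configured cert files\n'
    done
}

# Usage: ./checkcerts.sh example.com www.example.com
if [ "$#" -gt 0 ]; then check_names "$@"; fi
```

A name that reports "no match" is served from a certificate no enabled config references, so look at the virtual host Apache loads first, since that one answers for any name without its own ServerName match.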