I’d like to use letsencrypt to install a certificate on my VPS (Apache) so I can browse to an application securely (the application is “Adminer” which is similar to phpmyadmin). But I have a problem or two:
I think I attempted (somewhat unsuccessfully) to use certbot or letsencrypt to install a certificate a couple of months ago but wasn’t able to get it to work. Now I want to undo that installation (I’m on Ubuntu 14.04). Is there a “letsencrypt” command that I can use to list and delete all certificates installed by letsencrypt or certbot? If not, should I do this by searching a directory and removing certain files? If so, what directory should I look in and what files should I look for?
Last week I definitely did install a self-signed certificate using an “openssl” command. I’d like to uninstall it …is it as simple as removing the two files from the /etc/apache2/ssl/ directory? The command I used was this:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Hello Andrei …thanks for the reply…
Yes, I installed with apt-get. Hmmm… So you’re saying that “apt-get remove” will also remove any and all certificates that were installed with letsencrypt?
A) When you say “delete them”, I know the location of the ones installed by the openssl command but I don’t know the location of any others.
B) Yes, I’d like to learn all about the ssl config files but at this point I know nothing about their name, location or syntax.
I don’t think the apt-get remove will delete the certificates themselves.
All of the certificate-related files created by Certbot will be under /etc/letsencrypt (you could delete that directory when uninstalling the Debian package, if you’d like).
Certbot might also have modified your Apache configuration files (depending on how you ran it) and so some of your Apache configuration files could refer to things in /etc/letsencrypt. One way to check is running
grep -r /etc/letsencrypt /etc/apache2
If you want to see what certificates you currently have, you can run certbot certificates (only available in recent Certbot versions) or something like
for cert in /etc/letsencrypt/live/*/cert.pem; do echo "Contents of $cert:"; openssl x509 -in "$cert" -text -noout; echo; done
Okay so regarding my openssl, it looks like the config is at /usr/lib/ssl/openssl.cnf and there are 522 certificates in /usr/lib/ssl/certs/ …I suppose these are default certificates. Since I’m going to use letsencrypt can I just “apt-get remove openssl” and get rid of the certs also so as to eliminate that potential source of conflict? Does that sound like a good idea?
Hmmm…
Well if certbot relies on it then maybe the way to approach it would be to remove openssl entirely and remove all the default certificates -associated with openssl- that I can possibly identify …then simply re-install it.
There should be no harm in that ...right? (this might seem a little paranoid but I really do have a bit of a mess on my VPS from previous attempts to install a certificate)
OpenSSL is a default OS package on many operating systems and was written by completely separate people from Certbot years earlier in completely separate programming languages. There’s absolutely no benefit to uninstalling it.
Those are trusted root certificates for you to rely on when connecting to other machines, not certificates that you present to other people who connect to you. Let's Encrypt certificates are not an alternative to these; they're used for different purposes. This is important when using programs like curl, to allow them to verify the authenticity of their connections to web sites—and, I suspect, even for Certbot to let it check the authenticity of the ACME API endpoint on the other end.
Here’s what I did:
To start with a clean slate, I did “apt-get remove --purge letsencrypt”. This also removed /etc/letsencrypt/
I have 15 domains on the server. There were 15 domain-specific files under /etc/apache2/sites-available/ with names like example.com-le-ssl.conf . I definitely didn’t want those domains to be ssl-enabled so I got rid of them with:
sudo rm /etc/apache2/sites-available/*ssl.conf
Now, after re-installing letsencrypt, when I try to run:
sudo letsencrypt --apache -d example.com -d subdomain.example.com
…I get an error saying:
Action ‘configtest’ failed … /etc/apache2/sites-enabled/example.com-le-ssl.conf: No such file or directory.
Obviously there’s some config file remaining somewhere that I didn’t remove because letsencrypt still knows about the example.com-le-ssl.conf
So what do I do now (this is what I was afraid of) ?
FIXED:
Here’s what was going on …all of these were symlinks:
/etc/apache2/sites-enabled/*-le-ssl.conf
…the symlinks were pointing to
/etc/apache2/sites-available/*-le-ssl.conf
I had deleted the actual files in sites-available but didn’t delete the symlinks in the sites-enabled/ directory. So I just had to delete them and it worked!
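The two leftovers this thread ran into (Apache config files still pointing at /etc/letsencrypt, and symlinks in sites-enabled whose sites-available targets were deleted, which is what broke configtest) can be found with one small audit script. The script below is an added example, not code from the thread or from Certbot; it assumes the Debian/Ubuntu layout of sites-available and sites-enabled with relative symlinks, as a2ensite creates them. The function names, the APACHE_DIR variable and the "demo" fixture are assumptions made for this example; the fixture builds a throw-away copy of the thread's situation in a temporary directory so the script runs without touching a real server.

```shell
#!/bin/sh
# Added example (not from the thread): audit an Apache config tree for
# leftovers of a removed Certbot/Let's Encrypt install.
#   1. symlinks in sites-enabled whose target is gone (the cause of the
#      "configtest ... No such file or directory" error in the thread)
#   2. config files that still reference /etc/letsencrypt
# Usage: sh audit.sh            # audits $APACHE_DIR (default /etc/apache2)
#        sh audit.sh demo       # audits a constructed fixture instead
set -u

# Print every symlink under $1/sites-enabled whose target no longer exists.
dangling_site_links() {
    dir="$1/sites-enabled"
    [ -d "$dir" ] || return 0
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        # -e follows the link; a dangling link fails the test
        [ -e "$link" ] || printf '%s -> %s\n' "$link" "$(readlink "$link")"
    done
}

# Print every file under $1 that mentions /etc/letsencrypt
# (the same check as "grep -r /etc/letsencrypt /etc/apache2").
letsencrypt_refs() {
    grep -rl '/etc/letsencrypt' "$1" 2>/dev/null || true
}

# Constructed fixture (hypothetical hosts) reproducing the thread's state:
# one plain HTTP site, one Certbot TLS site that is intact, and one
# Certbot TLS site whose sites-available file was rm'd but whose
# sites-enabled symlink was not. Prints the fixture directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/sites-available" "$root/sites-enabled"

    printf '<VirtualHost *:80>\nServerName example.com\n</VirtualHost>\n' \
        > "$root/sites-available/example.com.conf"
    ln -s ../sites-available/example.com.conf "$root/sites-enabled/example.com.conf"

    printf '<VirtualHost *:443>\nServerName other.com\nSSLCertificateFile /etc/letsencrypt/live/other.com/fullchain.pem\n</VirtualHost>\n' \
        > "$root/sites-available/other.com-le-ssl.conf"
    ln -s ../sites-available/other.com-le-ssl.conf "$root/sites-enabled/other.com-le-ssl.conf"

    # target deliberately never created: this is the dangling link
    ln -s ../sites-available/example.com-le-ssl.conf "$root/sites-enabled/example.com-le-ssl.conf"

    printf '%s\n' "$root"
}

if [ "${1:-}" = demo ]; then
    APACHE_DIR=$(make_fixture)
fi
APACHE_DIR=${APACHE_DIR:-/etc/apache2}

echo "Dangling symlinks in $APACHE_DIR/sites-enabled:"
dangling_site_links "$APACHE_DIR"
echo "Files under $APACHE_DIR referencing /etc/letsencrypt:"
letsencrypt_refs "$APACHE_DIR"
```

Remove the dangling links it reports (a2dissite, or rm on the symlink in sites-enabled), then run `sudo apache2ctl configtest` to confirm Apache loads its configuration before re-running Certbot.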