Please help me start with a clean slate

I’d like use letsencrypt to install a certificate on my VPS (Apache) so I can browse to an application securely (the application is “Adminer” which is similar to phpmyadmin). But I have a problem or two:

  • I think I attempted (somewhat unsuccessfully) to use certbot or letsencrypt to install a certificate a couple of months ago but wasn’t able to get it to work. Now I want to undo that installation (I’m on Ubuntu 14.04). Is there a “letsencrypt” command that I can use to list and delete all certificates installed by letsencrypt or certbot? If not, should I do this by searching a directory and removing certain files? If so, what directory should I look in and what files should I look for?
  • Last week I definitely did install a self-signed certificate using an “openssl” command. I’d like to uninstall it …is it as simple as removing the two files from the /etc/apache2/ssl/ directory? The command I used was this:
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Please advise.
Thanks,
Patrick

hi patrick

how did you install letsencrypt

if you used apt-get then you can use apt-get remove

have a look at certbot install instruction https://certbot.eff.org/

in terms of removing a certificate you can do one of two things

A) delete them
B) update ssl configs to point to new certs

Andrei

Hello Andrei …thanks for the reply…
Yes, I installed with apt-get. Hmmm… So you’re saying that “apt-get remove” will remove also all and any certificates that were installed with letsencrypt?
A) When you say “delete them”, I know the location of the ones installed by the openssl command but I don’t know the location of any others.
B) Yes, I’d like to learn all about the ssl config files but at this point I know nothing about their name, location or syntax.

Thanks again,
Patrick

I don’t think the apt-get remove will delete the certificates themselves.

All of the certificate-related files created by Certbot will be under /etc/letsencrypt (you could delete that directory when uninstalling the Debian package, if you’d like).

Certbot might also have modified your Apache configuration files (depending on how you ran it) and so some of your Apache configuration files could refer to things in /etc/letsencrypt. One way to check is running

grep -r /etc/letsencrypt /etc/apache2

If you want to see what certificates you currently have, you can run certbot certificates (only available in recent Certbot versions) or something like

for cert in /etc/letsencrypt/live/*/cert.pem; do echo Contents of $cert: openssl x509 -in "$cert" -text -noout echo

you would also probably want to clear out the letsencrypt logs

which can be found here: \var\log\letsencrypt

Thanks for this advice!

Okay so regarding my openssl, it looks like the config is at /usr/lib/ssl/openssl.cnf and there are 522 certificates in /usr/lib/ssl/certs/ …I suppose these are default certificates. Since I’m going to use letsencrpt can I just “apt-get remove openssl” and get rid of the certs also so as to eliminate that potential source of conflict? Does that sound like a good idea?

hi patrick

no need. leave them alone and leave openssl alone

:smiley:

certbot relies on it

Hmmm…
Well if certbot relies on it then maybe the way to approach it would be to remove openssl entirely and remove all the default certificates -associated with openssl- that I can possibly identify …then simply re-install it.

 There should be no harm in that ...right?  (this might seem a little paranoid but I really do have a bit of a mess on my VPS from previous attempts to install a certificate)

OpenSSL is a default OS package on many operating systems and was written by completely separate people from Certbot years earlier in completely separate programming languages. There’s absolutely no benefit to uninstalling it.

Those are trusted root certificates for you to rely on when connecting to other machines, not certificates that you present to other people who connect to you. Let's Encrypt certificates are not an alternative to these; they're used for different purposes. This is important when using programs like curl, to allow them to verify the authenticity of their connections to web sites—and, I suspect, even for Certbot to let it check the authenticity of the ACME API endpoint on the other end.

HELP!!

Here’s what I did:
To start with a clean slate, I did “apt-get remove --purge letsencrypt”. This also removed /etc/letsencrypt/

I have 15 domains on the server. There were 15 domain-specific files under /etc/apache2/sites-available/ with names like example.com-le-ssl.conf . I definitely didn’t want those domains to be ssl-enabled so I got rid of them with:
suro rm /etc/apache2/sites-available/*ssl.conf

Now, after re-installing letsencrypt, when I try to run:
sudo letsencrypt --apache -d example.com -d subdomain.example.com
…I get an error saying:
Action ‘configtest’ failed … /etc/apache2/sites-enabled/example.com-le-ssl.conf: No such file or directory.

Obviously there’s some config file remaining somewhere that I didn’t remove because letsencrypt still knows about the example.com-le-ssl.conf

So what do I do now (this is what I was afraid of) ?

This has brought down Apache on my entire VPS!

FIXED:
Here’s what was going on …all of these were symlinks:
/etc/apache2/sites-enabled/-le-ssl.conf
…the symlinks were pointing to
/etc/apache2/sites-available/
-le-ssl.conf

I had deleted the actual files in sites-available but didn’t delete the symlinks in the sites-enabled/ directory. So I just had to delete them and it worked!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.