Hey everyone, I was struggling to get my Apache configuration right, and in the process requested multiple security certificates with certbot. I was not aware of any kind of rate limiting, but now it seems I cannot re-request new certificates. Is there any way I can get the old ones back? Or are they uploaded somewhere?
I messed up at work and I really need this site back online ASAP.
First, there's a Let's Encrypt staging server to prevent this sort of problem. Always use certbot --test-cert first. Once you get a working configuration where it tells you that everything works except that you have an invalid certificate, and when you look at the certificate it's clearly from the Let's Encrypt staging server, then you can drop the --test-cert.
When you use the certonly method, you're expected to know how to install the certificates manually. If it offers you the option for the Apache Web Server plugin, you're probably better off using certbot --apache.
Yes, you should be able to use the ones from the archive folder. Find the one with the newest modification date and plug it into your apache config.
Indeed, I didn't notice the .nl domain. https://yachtcharterdedrait.nl/ responds correctly with a certificate issued early this morning. https://yachtcharterdedrait.com/ refuses connections. It looks like you need an alias in the apache config (though because you've been rate-limited, you probably won't get a new one with both domains this week!).
The certificates themselves, yes, but they're useless without the private keys.
The private keys are generated on your server and should generally never exist anywhere except on your server.
I usually don't even back mine up, since the risk of a backup being compromised is too high. I back up data that can't be easily replaced, but certificates CAN be easily replaced (unless you somehow mess up and rate-limit yourself...)
Also, if you do run into rate limits (which you shouldn't), the limit is for the exact set of names on the certificate. So, hypothetically speaking, if you really mess up and become unable to create another certificate for "example.com and www.example.com", if you told the server "I need a certificate for example.com, www.example.com, and 2bcedd67-9e6b-4e4b-8cf9-7f6cb21d29b4.example.com" it will be like
That depends on your backup strategy - how/where they are backed up and who has access to that.
I often back up private keys and API credentials onto a secure offline repository. For online backups, you can use asymmetric encryption: have the web server encrypt and upload the secrets using a public key whose private key is kept offline.
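The pattern described in the post above (the web server can only encrypt; only an offline private key can decrypt), as an added example that is not the poster's own tooling. It assumes the third-party `cryptography` package and uses a hybrid scheme: a fresh AES-256-GCM data key encrypts the secret, and RSA-OAEP wraps that data key under the public key that lives on the web server. The backup label is bound as GCM associated data so a blob cannot be silently relabelled. The sample secret and key pair below are constructed in-process for the demo.

```python
"""Encrypt a key/cert backup so that only an offline private key can open it.

Added example, not the poster's tooling and not part of certbot. Requires the
`cryptography` package. Hybrid scheme:
  - a random 256-bit AES-GCM data-encryption key (DEK) encrypts the secret
  - RSA-OAEP(SHA-256) wraps the DEK under the public key held on the server
  - the RSA private key never touches the server; it is kept offline
Blob layout: 2-byte big-endian wrapped-key length | wrapped DEK | 12-byte nonce | ciphertext+tag
"""
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# OAEP with SHA-256 for both the hash and the mask generation function.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def generate_offline_keypair():
    """Done ONCE on the offline machine; only the public PEM is copied to the server."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    priv_pem = priv.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),  # in real use: protect with a passphrase
    )
    pub_pem = priv.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
    )
    return priv_pem, pub_pem


def encrypt_for_offline_key(pub_pem: bytes, plaintext: bytes, label: bytes) -> bytes:
    """Runs on the web server: needs only the public key."""
    pub = serialization.load_pem_public_key(pub_pem)
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # 96-bit nonce, fresh per backup because the DEK is fresh too
    ct = AESGCM(dek).encrypt(nonce, plaintext, label)  # label is authenticated (AAD)
    wrapped = pub.encrypt(dek, OAEP)
    return struct.pack(">H", len(wrapped)) + wrapped + nonce + ct


def decrypt_with_offline_key(priv_pem: bytes, blob: bytes, label: bytes) -> bytes:
    """Runs on the offline machine. Raises InvalidTag if the blob or label was altered."""
    priv = serialization.load_pem_private_key(priv_pem, password=None)
    (wlen,) = struct.unpack(">H", blob[:2])
    wrapped = blob[2 : 2 + wlen]
    nonce = blob[2 + wlen : 2 + wlen + 12]
    ct = blob[2 + wlen + 12 :]
    dek = priv.decrypt(wrapped, OAEP)
    return AESGCM(dek).decrypt(nonce, ct, label)


def roundtrip_demo() -> dict:
    """Constructed end-to-end run: backup a fake privkey.pem, restore it, and
    confirm that a relabelled blob is rejected rather than decrypted."""
    priv_pem, pub_pem = generate_offline_keypair()
    secret = b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n"
    label = b"example.com/privkey.pem"
    blob = encrypt_for_offline_key(pub_pem, secret, label)
    restored = decrypt_with_offline_key(priv_pem, blob, label)
    try:
        decrypt_with_offline_key(priv_pem, blob, b"other.example/privkey.pem")
        tamper_rejected = False
    except InvalidTag:
        tamper_rejected = True
    return {
        "restored_ok": restored == secret,
        "blob_is_not_plaintext": secret not in blob,
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    print(roundtrip_demo())
```

The server-side half holds nothing that can decrypt, so a compromised backup bucket yields only wrapped blobs; the offline half is the only place the RSA private key exists, which is the same property the poster is after. A passphrase on that offline key (instead of `NoEncryption()`) is the obvious hardening for real use.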
Thank you all very much for the responses. I continued messing around with the certificates yesterday, after I noticed that there were some old certificates in the "archive" folder. Those were not expired, and I made sure that the other references (symlinks?) to the certificates pointed to those. In the end, it worked again! Now to find out why it doesn't automatically renew.
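What the original poster describes doing by hand, and what the earlier replies about the archive folder and the private keys amount to, as an added example (not certbot's own code and not the poster's commands): pick the newest archive version for which all four files exist, since a cert without its privkeyN.pem is useless, and repoint the live/ symlinks at it with the same relative `../../archive/<name>/...` targets certbot uses. It assumes the standard certbot layout and builds a throwaway copy of that tree with placeholder file contents under a temp directory so it runs offline; point `relink_live` at a real config dir to use it for real.

```python
"""Repoint certbot's live/ symlinks at the newest complete set in archive/.

Added example; not certbot's own code. Assumes the standard layout:
  <config>/archive/<name>/{cert,chain,fullchain,privkey}N.pem   (real files)
  <config>/live/<name>/{cert,chain,fullchain,privkey}.pem       (symlinks to the above)
The demo tree below is constructed with placeholder contents, not real PEM.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

KINDS = ("cert", "chain", "fullchain", "privkey")
_ARCHIVE_RE = re.compile(r"^(cert|chain|fullchain|privkey)(\d+)\.pem$")


def newest_complete_version(archive_dir: Path) -> int:
    """Highest N for which all four <kind>N.pem files exist.

    A certificate whose privkeyN.pem is missing cannot be served, so versions
    with any file absent are skipped rather than picked by modification date.
    """
    present: Dict[int, set] = {}
    for p in archive_dir.iterdir():
        m = _ARCHIVE_RE.match(p.name)
        if m:
            present.setdefault(int(m.group(2)), set()).add(m.group(1))
    complete = [n for n, kinds in present.items() if kinds == set(KINDS)]
    if not complete:
        raise FileNotFoundError(f"no complete cert/key set in {archive_dir}")
    return max(complete)


def relink_live(config_dir: Path, name: str, version: Optional[int] = None) -> Dict[str, str]:
    """Make live/<name>/<kind>.pem -> ../../archive/<name>/<kind><version>.pem.

    Relative targets (like certbot's own) keep working if the config dir moves.
    Returns {live file: link target} for inspection.
    """
    archive_dir = config_dir / "archive" / name
    live_dir = config_dir / "live" / name
    if version is None:
        version = newest_complete_version(archive_dir)
    live_dir.mkdir(parents=True, exist_ok=True)
    result: Dict[str, str] = {}
    for kind in KINDS:
        target = archive_dir / f"{kind}{version}.pem"
        if not target.is_file():
            raise FileNotFoundError(target)
        link = live_dir / f"{kind}.pem"
        rel = Path(os.path.relpath(target, live_dir))  # ../../archive/<name>/<kind>N.pem
        if link.is_symlink() or link.exists():
            link.unlink()  # replace the stale link; never touch archive/ itself
        link.symlink_to(rel)
        result[str(link)] = str(rel)
    return result


def make_demo_tree(root: Path, name: str = "example.com") -> Path:
    """Constructed certbot-style tree: versions 1-3 in archive/, but version 3
    lacks privkey3.pem (an interrupted issuance), and live/ still points at 1."""
    archive = root / "archive" / name
    archive.mkdir(parents=True)
    for n in (1, 2, 3):
        for kind in KINDS:
            if n == 3 and kind == "privkey":
                continue
            (archive / f"{kind}{n}.pem").write_text(f"placeholder {kind} {n}\n")
    live = root / "live" / name
    live.mkdir(parents=True)
    for kind in KINDS:
        (live / f"{kind}.pem").symlink_to(f"../../archive/{name}/{kind}1.pem")
    return root


def demo() -> dict:
    """Run the repair against the constructed tree and report what live/ now serves."""
    root = Path(tempfile.mkdtemp(prefix="le-demo-"))
    make_demo_tree(root)
    chosen = newest_complete_version(root / "archive" / "example.com")
    links = relink_live(root, "example.com")
    return {
        "chosen_version": chosen,
        "links": links,
        "live_fullchain": (root / "live" / "example.com" / "fullchain.pem").read_text(),
        "live_privkey": (root / "live" / "example.com" / "privkey.pem").read_text(),
    }


if __name__ == "__main__":
    for live_file, target in demo()["links"].items():
        print(f"{live_file} -> {target}")
```

After relinking, reload Apache so it re-reads the files behind live/; Apache resolves the symlink at (re)start, so a changed link is not picked up until then. Version 3 in the demo is deliberately skipped: a newer-dated cert with no matching key is exactly the trap the earlier replies warn about.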