Replaced existing certificate but new LE certificate does not appear in browser


#1

I have two domains. The first domain did not have an SSL certificate. The second domain already had a StartCom Class 1 Primary Intermediate Server CA certificate (expires in March).

I successfully installed a LetsEncrypt (--webroot) certificate for the first domain. When I went to the browser and clicked on View Certificate, it showed me that it had the LetsEncrypt certificate.

I went through the same process to install a certificate for my second domain. Everything seems okay on the server. However, when I went to the browser and clicked on View Certificate, it still shows the StartCom certificate. I have even renamed the folder that holds the StartCom files so that the Apache Virtual Host files can no longer access these StartCom files. Still, StartCom’s certificate shows up on the browser.

How do I replace my existing StartCom SSL certificate?


#2

Did you reload/restart Apache after the installation of the LE certificate for the second domain?


#3

Yes, both reloaded and restarted.


#4

Could you share the relevant vhost(s)?


#5

This is for the second domain:

<VirtualHost *:80>
        ServerAdmin info@domain2.com
        ServerName domain2.com

        DocumentRoot /home/domain2/public_html
        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Order Deny,Allow
                Deny from all
        </Directory>
        <Directory /home/domain2/public_html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order Deny,Allow
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order Deny,Allow
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

<VirtualHost *:443>
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

        SSLCertificateFile /etc/letsencrypt/live/domain2.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/domain2.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/domain2.com/fullchain.pem

        ServerAdmin info@domain2.com
        ServerName domain2.com:443

        DocumentRoot /home/domain2/public_html
        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Order Deny,Allow
                Deny from all
        </Directory>
        <Directory /home/domain2/public_html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order Deny,Allow
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order Deny,Allow
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

#6

Is this all you have? There should usually be an entry for each domain.


#7

I posted the Virtual Host file for the second domain, which is the domain where the StartCom certificate is not getting replaced. Do you want to see the Virtual Host file for the domain that worked fine? If so, here it is:

<VirtualHost *:80>
        ServerName domain1.com
        ServerAlias www.domain1.com

        DocumentRoot /var/www/domain1.com/public_html
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/domain1.com/public_html/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>
<VirtualHost *:443>
        ServerName domain1.com
        ServerAlias www.domain1.com

        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

        SSLCertificateFile    /etc/letsencrypt/live/domain1.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/domain1.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/domain1.com/fullchain.pem

        DocumentRoot /var/www/domain1.com/public_html
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/domain1.com/public_html/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

I’ll add another one. A subdomain of the second domain had a StartCom certificate as well. It had expired several months ago. I successfully got a LetsEncrypt certificate for this and it appeared on “View Certificate” on the browser. Here is the Virtual Host file for this subdomain:

<VirtualHost *:80>
        ServerAdmin info@domain2.com
        ServerName sub.domain2.com

        DocumentRoot /home/domain2/public_sub

        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Order Deny,Allow
                Deny from all
        </Directory>
        <Directory /home/domain2/public_sub/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order Deny,Allow
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order Deny,Allow
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

<VirtualHost *:443>
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

        SSLCertificateFile /etc/letsencrypt/live/sub.domain2.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/sub.domain2.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/sub.domain2.com/fullchain.pem

        ServerAdmin info@domain2.com
        ServerName sub.domain2.com:443

        DocumentRoot /home/domain2/public_sub

        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Order Deny,Allow
                Deny from all
        </Directory>
        <Directory /home/domain2/public_sub/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order Deny,Allow
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order Deny,Allow
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

#8

I figured out the problem. I have a Virtual Host file called “default”. This was pointing to domain2 and the StartCom files. I disabled this “default” file and reloaded apache2. Everything works now.

Thanks everyone for your help.
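As an added illustration of why disabling the "default" file fixed this (example code written for this thread, not from any poster): Apache includes sites-enabled/*.conf in alphabetical order, and when two <VirtualHost *:443> blocks claim the same ServerName, the first one loaded is the one whose certificate is served, whatever the later file says. The file names and the StartCom certificate path below are assumptions; the parser and the selection logic model Apache's name-based vhost matching for any set of files, not just these two.

```python
import re
# Constructed sites-enabled/ contents modelled on the thread: a stale "default"
# file also claims domain2.com on *:443 and still points at the old StartCom
# files (the /etc/apache2/ssl/startcom path is an assumption, not the thread's).
SITES = {
    "000-default.conf": "<VirtualHost *:443>\n ServerName domain2.com\n"
        " SSLCertificateFile /etc/apache2/ssl/startcom/domain2.com.crt\n"
        "</VirtualHost>",
    "domain2.com.conf": "<VirtualHost *:443>\n ServerName domain2.com:443\n"
        " SSLCertificateFile /etc/letsencrypt/live/domain2.com/cert.pem\n"
        "</VirtualHost>",
}
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    m = re.search(rf"^\s*{name}\s+(.+?)\s*$", body, re.M | re.I)
    return m.group(1) if m else ""

def parse_vhosts(sites):
    # Apache includes sites-enabled/*.conf alphabetically, so sorted file
    # order is load order: 000-default.conf comes before domain2.com.conf.
    vhosts = []
    for fname in sorted(sites):
        for addr, body in VHOST_RE.findall(sites[fname]):
            names = [directive(body, "ServerName").split(":")[0].lower()]
            names += directive(body, "ServerAlias").lower().split()
            vhosts.append({"file": fname, "addr": addr.strip().lower(),
                           "names": [n for n in names if n],
                           "cert": directive(body, "SSLCertificateFile")})
    return vhosts

def select_vhost(vhosts, addr, sni_name):
    # Name-based selection: the first vhost on this address:port whose ServerName
    # or ServerAlias matches the SNI name wins; with no match the first one wins.
    candidates = [v for v in vhosts if v["addr"] == addr.lower()]
    for v in candidates:
        if sni_name.lower() in v["names"]:
            return v
    return candidates[0] if candidates else None

def shadowed(vhosts):
    # (name, addr, winning file, shadowed file) for each name claimed twice.
    first, out = {}, []
    for v in vhosts:
        for n in v["names"]:
            key = (n, v["addr"])
            if key in first:
                out.append((n, v["addr"], first[key], v["file"]))
            first.setdefault(key, v["file"])
    return out
```

Running shadowed() over the parsed files reports the domain2.com collision directly, which is the same thing `apache2ctl -S` shows when it lists two vhosts for one name on port 443.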


#9

Just a quick question related to this.

Do I need to revoke my current certificate in order to replace it with one from Let’s Encrypt?


#10

I did not need to. You should simply point your Virtual Host files to the new LetsEncrypt files.