Replacing LE cert with a Wildcard from godaddy (newbie)

My web server is (include version): Apache2 (unsure of version)

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I’m really fresh to Linux and recently took over a position that didn’t leave any docs or help, so I really appreciate any help you can provide. The site was established long before I started, and recently the SSL cert had expired. I didn’t see any folders for Certbot and I’m not sure what process they had in place for renewal before. I managed to renew recently by running letsencrypt at the home folder and walking through the prompts for a 90-day extension.

The company has a wildcard SSL cert from GoDaddy (* that should fit but I can’t quite figure out how to replace the LE cert. When I download the cert from GoDaddy for Apache, it’s got 2 CRT files. I was curious about the process LE uses to set up certs, so I have some questions that I couldn’t seem to find direct answers for. I’d be more than happy to provide more info, I’m just not entirely sure what’s relevant yet.

  1. Where are the actual certificates from LE saved, and are PEM interchangeable with CRT extensions?

  2. Most walkthroughs make it seem as though you should just copy the cert issued by the CA to a folder and then update a conf file on the server. I can’t seem to figure out which conf file(s) LE has changed to point to their install.

  3. Is there a safe way to change from LE to a wildcard cert from another provider painlessly?

Hi @ceedo,

All of this installation is controlled by editing text files under /etc/apache2 (typically /etc/apache2/sites-available). The virtual hosts on the Apache server, including the certificate-related files they use, are controlled by directives in these text files.

If you used certbot --apache, then Certbot installed the certificates by creating new HTTPS virtual hosts under /etc/apache2/sites-available (their filenames will end in -le-ssl.conf). They will point at the certificate-related files in /etc/letsencrypt/live (which are really symbolic links to /etc/letsencrypt/archive).

Your new certificate files should be the same kind as the previous one; .crt versus .pem is just a naming convention and doesn’t mean that the file contains a different kind of thing. The smallest change you could make would be to save the GoDaddy cert files somewhere on the system and then edit the HTTPS virtualhost file to point to that certificate, chain, and private key instead of the Let’s Encrypt ones. This might be confusing to anyone who has to look at the configuration in the future because it would superficially appear to be using Let’s Encrypt, but not actually using it in practice. You could also perhaps rename the virtual host file slightly (like -ssl instead of -le-ssl) or, if you want to learn a bit more about Apache configuration, create your own virtual host file there that points at the new certificate files.

Remember that you will also need to have the private key that corresponds to your certificate in order to use it.
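The two checks this reply implies, as an added example that is not part of the original post or of Certbot: find which virtual host files reference certificate files, and confirm that a private key belongs to a certificate before pointing Apache at the pair. The function names and the sample virtual host (with the placeholder domain example.com) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of a Certbot-style HTTPS vhost (example.com is a placeholder).
sample_vhost() {
cat <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.example.com
    # SSLCertificateFile /etc/ssl/certs/old-disabled.crt
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
EOF
}

# Print "file:line: Directive path" for each active certificate directive.
# Reads the named files, or stdin when none are given. Commented-out lines are
# skipped and directive names are matched case-insensitively, as Apache does.
list_tls_directives() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) ~ /^sslcertificate(file|keyfile|chainfile)$/ {
            fn = (FILENAME == "" || FILENAME == "-") ? "stdin" : FILENAME
            printf "%s:%d: %s %s\n", fn, FNR, $1, $2
        }' "$@"
}

# Succeed only if the public key in certificate $1 equals the public key
# derived from private key $2. Unreadable or invalid files count as a mismatch,
# so two failures can never compare equal.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo on the constructed sample: lists the two active directives (lines 5 and 6).
sample_vhost | list_tls_directives
```

On the server, `list_tls_directives /etc/apache2/sites-available/*.conf` shows the lines to edit, and `key_matches_cert` run on the new certificate and key files catches a mismatched pair before Apache is reloaded.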

Thanks, I really appreciate the info. It was set up before me and I don’t think certbot was installed (not sure how to check either). But launching letsencrypt from the command line walks me through the 90-day renewal.

I grabbed a copy of the le-ssl.conf file and the original to see if I could reverse engineer the steps LE used to point to the SSL certs so I can change it to the wildcard. The original seems to be unchanged. The first virtualhost entry is for port 80, with no mention of SSL.

The starts with an which I assume is to check if the crt is present, but I’m not sure how to check. Then the conf goes through the typical points, and the last few lines point to the fullchain.pem, privkey.pem and then an INCLUDE to options-ssl-apache.conf. So I’m not 100% sure what should stay or go when updating to use our own SSL files.

I do apologize for the entry-level questions, but they got me to a wall. And I do appreciate the direction.
