A little help please, as I'm newish to certs and their problems and cannot find the answer here (maybe I missed it).
I run a server at server.watchet.net and have run a certbot certificate for the server. However, the server is still looking in /etc/ssl/certs for the certificate and I still cannot find where it is being called from (not in any .conf file, as I have grepped for hours!).
So I was just going to manually replace the certificate in the /etc/ssl/certs folder with a Let's Encrypt one, but the files I have in this folder are ca-bundle.crt, ca-bundle.trust.crt and localhost.crt, so I guess localhost.crt is the main file.
My question is: how, if possible, do I use a Let's Encrypt certificate to replace the .crt file?
The server.watchet.net certificates are there, but if you use, say, Firefox to view https://server.watchet.net you will see it is looking at the certs mentioned above, as there is a makefile with exactly the same text in it to make a self-signed cert, which I do not want!
PS. Messages crossed. There are 20 certs on the server, all working properly. Ditto for s.w.n, as it installed fine with no errors. All there in renewals etc. when needed.
The problem is that the server is looking at these other files instead of reading the VirtualHost entry in httpd.conf showing port 443 for SSL:
<Directory /var/www/html>
Options +Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/server.watchet.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server.watchet.net/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/server.watchet.net/chain.pem
is in httpd.conf
=======================
ssl.conf, though, has:
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
<Directory /var/www/html>
Options +Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/server.watchet.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server.watchet.net/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/server.watchet.net/chain.pem
<Directory /var/www/html>
Options +Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/server.watchet.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server.watchet.net/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/server.watchet.net/chain.pem
It seems to be missing out brackets etc., so it starts with IfModule mod_ssl.c, and after the SSL lines there is an end IfModule and an end VirtualHost; there is also an end VirtualHost at the very bottom.
If that does not complain, systemctl reload apache (or however it's called on CentOS, httpd maybe?). Don't do this if the previous command complains; Apache will stop.
I have already tried a lot of different configurations; some broke Apache, some didn't, but it still did not sort anything out (I run an FTP client as root and edit files that way, as it is easier than vi etc.), then constantly restart Apache to see what works and what doesn't.
All is happy at the moment, but Dovecot was using this fake cert, so I managed to reconfigure that to use the main server.watchet.net cert, so that bit is solved.
However, https:// to the server still shows it accessing the cert in the pki folder, and grepping everywhere, the ONLY file that refers to that cert is ssl.conf.
Somehow I have to create the pair of certs for this location so that the server and localhost are served.
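Two Apache facts explain the symptom in this thread: SSLCertificateFile is only valid in the main server config or inside a <VirtualHost> block (never inside <Directory>), and the stock CentOS ssl.conf ships a <VirtualHost _default_:443> whose SSLCertificateFile points at /etc/pki/tls/certs/localhost.crt, the self-signed cert built by the Makefile in that folder. If no other :443 vhost names server.watchet.net, that default vhost answers every HTTPS request. The script below is an added example, not code from the thread or from certbot: ssl_cert_map walks a config tree and reports, for every SSLCertificateFile, which vhost (if any) contains it and whether it is misplaced inside a <Directory>; write_le_vhost writes a correctly scoped :443 vhost; served_cert asks the live server which certificate it actually presents. The paths /etc/httpd and conf.d/NAME-le-ssl.conf are assumptions (they match a CentOS layout and where certbot's Apache plugin normally writes its file).

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumed layout: Apache config under /etc/httpd, vhost files in conf.d/.

# Usage: ssl_cert_map /etc/httpd
# Prints one line per directive:  <file>:<line>  <context>  <cert path>
# Context is the enclosing <VirtualHost ...> header, or MAIN-SERVER when the
# directive is outside any vhost; INSIDE-DIRECTORY(invalid) flags a directive
# placed inside <Directory>, where mod_ssl does not allow it.
ssl_cert_map() {
    find "$1" -type f -name '*.conf' | LC_ALL=C sort | while read -r f; do
        awk -v file="$f" '
            { l = tolower($0) }                               # directives are case-insensitive
            l ~ /^[[:space:]]*#/ { next }                     # skip comment lines
            l ~ /^[[:space:]]*<virtualhost[[:space:]>]/ {     # remember the vhost header
                vhost = $0; sub(/^[[:space:]]*</, "", vhost); sub(/>.*$/, "", vhost); next }
            l ~ /^[[:space:]]*<\/virtualhost>/ { vhost = ""; next }
            l ~ /^[[:space:]]*<directory[[:space:]]/ { indir = 1; next }
            l ~ /^[[:space:]]*<\/directory>/         { indir = 0; next }
            l ~ /^[[:space:]]*sslcertificatefile[[:space:]]/ {
                ctx = (vhost != "") ? vhost : "MAIN-SERVER"
                if (indir) ctx = ctx " INSIDE-DIRECTORY(invalid)"
                printf "%s:%d  %s  %s\n", file, NR, ctx, $2
            }' "$f"
    done
}

# Usage: write_le_vhost server.watchet.net /etc/httpd/conf.d/server.watchet.net-le-ssl.conf
# fullchain.pem carries the leaf plus intermediates, so no SSLCertificateChainFile
# is needed (that directive is deprecated since Apache 2.4.8).
write_le_vhost() {
    name=$1; out=$2
    cat > "$out" <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName $name
    DocumentRoot /var/www/html
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/$name/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$name/privkey.pem
</VirtualHost>
</IfModule>
EOF
}

# Usage: served_cert server.watchet.net
# Shows subject/issuer/expiry of the certificate the server presents for that
# SNI name; a self-signed result means the _default_:443 vhost is still winning.
served_cert() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}
```

After writing the vhost file, run `httpd -t` to syntax-check, then `httpd -S` (DUMP_VHOSTS) to see which vhost is the default for port 443 and that server.watchet.net is listed under it; only then `systemctl reload httpd`, and confirm with served_cert that the issuer is now Let's Encrypt rather than the localhost self-signed cert.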