Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: SSL Zen failed to provide all 3 cert files (cabundle.crt wouldn't download)
It produced this output: Failed verification... HOW DO I GET MY CERTS SINCE cft.sh shows I DO have them! (and I've exceeded the # of certs that can be issued...so clearly I do have a cert, I just can't get it).
My web server is (include version): Apache
The operating system my web server runs on is (include version): Linux Mint 19.1
My hosting provider, if applicable, is: SELF
I can login to a root shell on my machine (yes or no, or I don't know): YES
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO (other than Wordpress -- fredcolclough.com/wpadmin)
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot fails.
While I don't know what to suggest to fix the problem with SSL Zen, as long as you still have your private keys saved in files, you can use their timestamps to pair them with your certificates here:
There's a download link "Download Certificate: PEM" on the left on each certificate's page. Be sure that the page says "Leaf certificate" and not "Precertificate" at the top. The certificates are listed in pairs (leaf certificate then precertificate).
You can construct the "full chain" by downloading this intermediate certificate and adding it after your certificate in your certificate file:
Alternatively (for now), you can download this intermediate certificate instead of the previous two and add it after your certificate in your certificate file:
The "CA Bundle" is either the first two intermediate certificates I mentioned (together) or the last intermediate certificate I mentioned (alone). Either way will work.
To be honest, I first recommend that you create another certificate that covers bothfredcolclough.comandwww.fredcolclough.com instead of just fredcolclough.com. As it currently stands, your existing certificates will create a security hole. The crt.sh link I gave you above will be updated to include your new, expanded certificate within minutes of it being issued.
The SSL ZEN plugin wouldn't let me add the 'www.' cert! So I went ahead without it. Plus I'm locked out of creating new certs because I didn't realize it was actually issuing them when it said "verification failed", so I have like a dozen... locked out for a week it appears.
If you need a "full chain" certificate file, it needs to include your certificate (also known as the end-entity or leaf certificate) as well as any intermediate certificates necessary to verify your certificate. There are currently two options there: the first two intermediate certificates together that I mentioned above or the last intermediate certificate alone that I mentioned above. If you remove your certificate from the top of a "full chain" certificate file then that file is known as a "chain" certificate file or CA bundle file.
You have five certificates, of that I can assure you. If you click the crt.sh link I gave you above, it will look like you have ten. Every other certificate in that list is a precertificate, which is of no use to you.
In Apache2, you usually only need to specify the SSLCertificateFile with the full chain file as the parameter and the SSLCertificateKeyFile with the private key file as the parameter. The SSLCertificateChainFile directive is obsolete. If you have an older Apache2 version, specify the SSLCertificateFile with the leaf certificate file (with only your certificate) as the parameter and the SSLCertificateChainFile with a CA bundle file as the parameter.
SSLCertificateFile : This is your primary SSL certificate file (certificate.crt)
SSLCertificateChainFile : This is your CA-Bundle file (cabundle.crt)
SSLCertificateKeyFile : This is your private key file (privatekey.pem)
and I'm missing the CA-bundle...I can simply combine: lets-encrypt-r3.pem with isrg-root-x1-cross-signed.pem? And call it "cabundle.cert"? Then complete the apache instructions?
I have the added problem of my server suddenly stopped booting to the GUI.... so terminal is all I have. So I've been 'wget'ing the files you've posted since I can't launch a file explorer.
I put the files where they're supposed to be... and made the edits in the apache2 instructions....still no go. Not sure where I went awry.
I am having some difficulty with verbiage, as it's changing. The files you posted:
letsencrypt-r3.pem Is this what you're calling the "private key"? And which apache file is it?
isrg-root-x1-cross-signed.pem Which apache file is it?
The private key should be alone in a file provided by SSL Zen. Of all the files mentioned, the private key is the only one that you must keep secret. If you don't have it somewhere already, you will need to create a new certificate. That's why I said before that your certificate (or more specifically the public key in it) and the private key must match for anything to work.
4511952634.pem is your SSLCertificateFile
letsencrypt-r3.pem followed by isrg-root-x1-cross-signed.pem in a single file is your SSLCertificateChainFile
