Switching from Comodo to Letsencrypt

I've been using an (expensive) Comodo wildcard certificate for years because I was too lazy to figure out how to use Letsencrypt with the wildecard-DNS configuration. Last week I updated the certificate and saw they even raised the pricing and decided it was time to go full Letsencrypt and succeeded. -insert applause-

However, it seems I'm running 2 certificates now and I'm not sure how to remove the Comodo (which I haven't paid for yet) certificate and too afraid to break things by just 'deleting the shit out of stuff' (l33t h4x0r lingo).

Any help on cleaning my SSL mess would be greatly appreciated.

Right now I get this result on www.digicert.com/help/

My domain is: www.blokblok.nl (https://crt.sh/?q=blokblok.nl)

My web server is (include version): Apache

The operating system my web server runs on is (include version): CentOS 6 (yes, I know...)

I can login to a root shell on my machine (yes or no, or I don't know): Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Directadmin to add the Comodo certificate, but I used acme.sh to add the Letsencrypt wildcard certificate.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Acme version 3.0.5

You have a chaining issue:

The leaf cert being served was issued by Sectigo.
The chain being served with it was issued by Let's Encrypt.

SSL Server Test: www.blokblok.nl (Powered by Qualys SSL Labs)
openssl s_client -connect www.blokblok.nl:443 {-showcerts}


Here is a list of issued certificates crt.sh | www.blokblok.nl, the latest being 2023-01-12.
Let's Debug is showing an ERROR of Rate Limits https://letsdebug.net/www.blokblok.nl/1335077
Please using the Staging Environment while debugging this issue and after it is working switch over to the production environment.


The thing is, I don't know how to safely remove the Sectigo cert without breaking the Letsencrypt cert.

You don't need to, you need to serve a leaf cert with the proper chain.
That means you could:

  • serve the Sectigo cert and chain
  • serve an LE cert and chain.

I don't know what all certs are [left] available in your system to pick from.
But the Sectigo leaf cert is definitely there.
Finding the chain for it is simple and public information.
So that path is sure to work.


It looks like you successfully obtained 5 certificates which caused a rate-limit issue.

The first things to do are:

  • Determine WHERE those certificates are. Hopefully acme.sh saved them onto your machine.
  • Determine WHY you requested 5 duplicate certificates. This may have been due to manual usage from your confusion, but could be from a renewal script gone wrong.

The next thing to do is:

  • Examine your Apache2 configuration. Replace the configuration lines pointing to the Comodo scripts with lines that point to the active version of the LetsEncrypt certificates.

I'm not familiar with how acme.sh stores certificates. Certbot saves versioned files to an "Archive" directory, and symlinks them into a "live" directory; under this architecture, you would configure Apache to use the symlinks under "live". Again, I do not know how acme.sh stores the certificates.


Ok. This is the point where I confess to being a total n00b. I know my way around SSH a bit, but most of the time I have no idea what I'm doing and just follow tutorials online.

So when you say things like "you need to serve a leaf cert with the proper chain" or "serve the Sectigo cert and chain", I have no idea what you mean or what to do.

The Sectigo (Comodo?) is the one I want to remove because of the ridiculous price they want to charge me so I just want to keep the LE cert. But I have no idea how to remove the Sectigo cert.

I use Midnight Commander through my Putty connection to browse my server but I don't know what to look for and where to find it.

1 Like

Here is ACME CA Comparison - Posh-ACME
And ZeroSSL, I believe, is part of Sectigo give what is required for ZeroSSL's DNS CAA record Invalid CAA Records - ZeroSSL Help Center; but you want to make sure you are using ACME and not any other interface for the Free aspect.

1 Like

The reason I tried 5 times: I tried requesting a wildcard certificate and succeeded (I thought) every time but no wildcard. Apparently I forgot to put the '*.blokblok.nl' in the request (d'oh). But the last request was a success.

Acme.sh seems to put the certificates in the /root/acme.sh/blokblok.nl/ directory but I don't know if it also copies them to another location on the server.

"Examine your Apache2 configuration" makes my head spin and I have no idea where to start except google "Examine your Apache2 configuration".

1 Like

That sounds right.

That's a good start.
Here's another:
sudo apachectl -t -D DUMP_VHOSTS


Thanks for the hint. It brought me to this place: /usr/local/directadmin/data/users/admin/domains/
I'm guessing these are the certificated that were issues through Directadmin and thus the certificated I want to remove?

Can I safely remove the .cacert, .cert and .certcombined files and request a new certificate with acme.sh or will I really mess things up then?

Always make a backup of the files just for incase . . .


So I removed those, but apparently those were the LE certificates because now it only shows the Sectigo and I have no idea where to look for that one....

Try these links:

1 Like

Maybe they have more specific help on this matter.


I really appreciate the links, but I'm not a sysadmin and this is all way above my head. I think I'm gonna leave it as it is. The website works and shows the ssl-lock. That the most important thing to me. I have too much other things on my mind and can't spend days on becoming an expert on the subject.

I'm sorry to have wasted your time.


I have no idea what those certificates are.

You can use the following command to understand what is in a Certificate file:

openssl x509 -in {FILEPATH} -noout -text

I did that and found myself staring at the screen trying to understand what I'm looking at.


That appears to be this certificate crt.sh | 5975765793