Switching from Comodo to Letsencrypt

Yes. But how can I remove the certificate?

Have you tried @rg305 suggestion?

Here is Apache on CentOS 7 (6 must be too old to be documented, making a guess here that 7 will be close enough): Certbot Instructions | Certbot

You can find information pertaining to https://httpd.apache.org/ here Apache HTTP Server Support - The Apache HTTP Server Project and here https://www.apachelounge.com/.

1 Like

No need; others may come across it some day.

2 Likes

I f*cked it up. The website isn't showing anymore now. :sob: I need to go to bed but have to fix this now.

| Rate Limit | Current Status | Domain |
|---|---|---|
| 50 Certificates per Registered Domain per week | OK (5 / 50 this week.) | blokblok.nl |
| 5 Duplicate Certificates per week | Limit exceeded. Next issuable at 16 Jan 2023 05:38:42 UTC | blokblok.nl, www.blokblok.nl |

Summary generated at Let's Debug Toolkit.

Do you have any one of the 5 issued Let's Encrypt Certificates and the matching Private Key?
If NO then wait until 16 Jan 2023 05:38:42 UTC to use Let's Encrypt

If YES then keep the Private Key Private to yourself, let us know which Certificate and if you need to support older Androids.

1 Like

Thank you for still trying to help.

I have both .key and .cer files, so I assume that's a yes. I'm working with Putty and have no idea how to cut and paste text from and to Windows, so I can't paste the content of the blokblok.nl.cer.

PS
I managed to restore the Sectigo certificate for now so I'm going to bed first now. Thinking straight is getting harder and harder :sweat_smile:

3 Likes

Now cat ~/.acme.sh/blokblok.nl/blokblok.nl.cer if it has something like

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

then it is a Certificate (and public) so it is ok to share it.

cat ~/.acme.sh/blokblok.nl/blokblok.nl.csr if it has something like

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

then it is a Certificate Signing Request (and public) so it is ok to share it.

Now the important thing is the Private Key and the Certificate (CSR too) are a matched set.
So if you can openssl pkey -in blokblok.nl.key -pubout -out blokblok.nl.pub
Then cat ~/.acme.sh/blokblok.nl/blokblok.nl.pub if it has something like

-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----

then it is the Public Key (and public) associated with the Private Key; you can then share blokblok.nl.pub

Given blokblok.nl.pub and blokblok.nl.cer we can tell if they are a match.

1 Like
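The matched-set check described in the post above can also be run locally with openssl, so only digests of public material ever need to be compared. This is an added example, not code from the thread; the function names and the throwaway example.test sample files are constructed for illustration.

```shell
# Added example (not from the thread): do a key, certificate and CSR share one public key?

# Print the PEM public key held in file $2; $1 is its kind: key | cert | csr.
pubkey_pem() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;         # derived from the private key
        cert) openssl x509 -in "$2" -noout -pubkey ;;  # embedded in the certificate
        csr)  openssl req -in "$2" -noout -pubkey ;;   # embedded in the request
        *)    return 2 ;;
    esac 2>/dev/null
}

# Print a SHA-256 digest of that public key. Fail rather than hash empty
# output, otherwise two unreadable files would appear to match each other.
pubkey_digest() {
    pem=$(pubkey_pem "$1" "$2") || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# matched_set kind:path ...: 0 if all carry one key, 1 on mismatch, 2 if unreadable.
matched_set() {
    ref=""
    for item in "$@"; do
        d=$(pubkey_digest "${item%%:*}" "${item#*:}") ||
            { echo "unreadable: ${item#*:}" >&2; return 2; }
        ref=${ref:-$d}
        [ "$d" = "$ref" ] || { echo "MISMATCH: ${item#*:}" >&2; return 1; }
    done
    echo "same public key, sha256:$ref"
}

# Constructed sample: throwaway key, self-signed cert and CSR for example.test,
# plus an unrelated key, all written into directory $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/site.key" -out "$1/site.cer" 2>/dev/null &&
    openssl req -new -key "$1/site.key" -subj "/CN=example.test" -out "$1/site.csr" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.key" 2>/dev/null
}

dir=$(mktemp -d) && make_sample "$dir" &&
matched_set "key:$dir/site.key" "cert:$dir/site.cer" "csr:$dir/site.csr"
matched_set "key:$dir/other.key" "cert:$dir/site.cer" || echo "other.key does not belong to site.cer"
rm -rf "$dir"
```

On a real host the same call would take the paths from the thread, for example `matched_set key:blokblok.nl.key cert:blokblok.nl.cer csr:blokblok.nl.csr` run inside the acme.sh directory.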

~/.acme.sh/blokblok.nl/fullchain.cer is a few certificates with the first being blokblok.nl.cer followed by the Let's Encrypt signing server R3 certificate which has this content

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Here is an online tool CSR Decoder and Certificate Decoder to view the contents of a Certificate or CSR, you can input the above starting with -----BEGIN CERTIFICATE----- through and including -----END CERTIFICATE----- and see the results are indeed the Let's Encrypt immediate R3 signing server's certificate.

1 Like

They look to be working but with
Chain issues Incorrect order, Extra certs
but working
https://www.ssllabs.com/ssltest/analyze.html?d=blokblok.nl

Ok; so the one that says blokblok.nl.key I am assuming is the Private Key, DO NOT SHARE!

So first cat ~/.acme.sh/blokblok.nl/blokblok.nl.key if it has something like the following then it is a Private Key.

-----BEGIN PRIVATE KEY-----
<lines of ASCII Upper, lower, and numbers>
-----END PRIVATE KEY-----

PuTTY Documents are here PuTTY Documentation Page
And https://winscp.net/ is a Windows GUI SCP that you can import credentials from PuTTY so you can copy back and forth from Windows to Unix (or linux).

1 Like

You should almost never remove a Certificate.

Instead, you should tell Apache - or other services - to use a different Certificate.

5 Likes

Thank you all for believing in me :sweat_smile:

I'm awake and fresh and my family allows me an hour to continue this quest.
First off, thank you Bruce, for pointing me towards WinSCP. This makes life a lot easier for me!

So what I've found so far is there are three places with certificates (as far as I can tell)

  • /root/.acme.sh/blokblok.nl/ (hidden folder)
    • blokblok.nl.cer
    • blokblok.nl.conf
    • blokblok.nl.csr
    • blokblok.nl.csr.conf
    • blokblok.nl.key
    • ca.cer
    • fullchain.cer
  • /usr/local/directadmin/data/users/admin/domains/
    • blokblok.nl.cacert
    • blokblok.nl.cert
    • blokblok.nl.cert.combined
    • blokblok.nl.conf
    • blokblok.nl.csr_info
    • blokblok.nl.cust_httpd
    • blokblok.nl.key
  • /usr/local/directadmin/data/.lego/certificates/
    • blokblok.nl.crt
    • blokblok.nl.issuer.crt
    • blokblok.nl.json
    • blokblok.nl.key

I'm confused by the fact that all certificates have a different extension (cer, cert and crt). But maybe there's a logical reason for that.

The file blokblok.nl.conf in /domains/ holds the following lines:

SSLCACertificateFile=/usr/local/directadmin/data/users/admin/domains/blokblok.nl.cacert
SSLCertificateFile=/usr/local/directadmin/data/users/admin/domains/blokblok.nl.cert.combined
SSLCertificateKeyFile=/usr/local/directadmin/data/users/admin/domains/blokblok.nl.key

Could this be the lines telling Apache which certificate to use?

The content of /root/.acme.sh/blokblok.nl/fullchain.cer

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The content of /root/.acme.sh/blokblok.nl/blokblok.nl.cer

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The content of /root/.acme.sh/blokblok.nl/blokblok.nl.csr

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

@Bruce5051
I created the public key for /root/.acme.sh/blokblok.nl/blokblok.nl.pub

-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
1 Like

That is the way Apache loads certs, so, I'd say: Yes.

It would be helpful to show:
ls -l /root/.acme.sh/blokblok.nl/

I guess you could try changing:

To:

SSLCACertificateFile=/root/.acme.sh/blokblok.nl/blokblok.nl.issuer.crt
SSLCertificateFile=/root/.acme.sh/blokblok.nl/blokblok.nl.crt
SSLCertificateKeyFile=/root/.acme.sh/blokblok.nl/blokblok.nl.key
3 Likes

Using the CSR Decoder and Certificate Decoder (thanks again @Bruce5051) I figured out the certificates in the /usr/local/directadmin/data/users/admin/domains/ directory are the ones by Sectigo.

2 Likes

I had changed it to

SSLCACertificateFile=/usr/local/directadmin/data/.lego/certificates/blokblok.nl.issuer.crt
SSLCertificateFile=/usr/local/directadmin/data/.lego/certificates/blokblok.nl.crt
SSLCertificateKeyFile=/usr/local/directadmin/data/.lego/certificates/blokblok.nl.key

which didn't work, but after changing the paths in /usr/local/directadmin/data/users/admin/httpd.conf and restarting httpd, the LE certificate loaded instead of the Sectigo. Hurrah!

But somehow it doesn't use the wildcard certificate. I also tried:

SSLCACertificateFile=/root/.acme.sh/blokblok.nl/blokblok.nl.issuer.crt
SSLCertificateFile=/root/.acme.sh/blokblok.nl/blokblok.nl.crt
SSLCertificateKeyFile=/root/.acme.sh/blokblok.nl/blokblok.nl.key

which gave the same results (also changed in the httpd.conf file).

I'm a lot wiser but now I don't understand why the wildcard cert isn't working. When I requested the cert using

acme.sh --issue --server letsencrypt --dns dns_cf -d blokblok.nl -d '*.blokblok.nl'

it worked like a charm without errors, but it seems to use the certificates I requested earlier without the wildcard.

My time is up for today. Family first.
For now I've reverted back to the wildcard Sectigo so the site still works.

I'll try creating a new wildcard certificate after 16 Jan 2023 05:38:42 UTC and report back.

3 Likes

I had another half hour to spare and tried out this in the blokblok.nl.conf

SSLCertificateFile /root/.acme.sh/blokblok.nl/fullchain.cer
SSLCertificateKeyFile /root/.acme.sh/blokblok.nl/blokblok.nl.key

after creating a proper chain here: What's My Chain Cert?

Then added this to the httpd.conf

	SSLCertificateFile /root/.acme.sh/blokblok.nl/fullchain.cer
	SSLCertificateKeyFile /root/.acme.sh/blokblok.nl/blokblok.nl.key

and now it works!!

I'm not sure if it all will hold after changing stuff with Directadmin but I know what to change now. I want to thank you guys so much. I really couldn't have done it without your expert help. Hope you have a great weekend with zero bugs, errors and crashes!

4 Likes

Here is a Quick Chain Checker

2 Likes
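A local counterpart to the online chain checkers mentioned in this thread, for the "Incorrect order, Extra certs" finding on a bundle such as fullchain.cer: it splits the PEM file and confirms each certificate names the next one as its issuer. This is an added example, not code from the thread; the function names and the "Sample" chain are constructed, and it compares issuer and subject names only, without verifying signatures.

```shell
# Added example (not from the thread): check the order of a PEM bundle.
# Split bundle $1 into $2/cert-N.pem and print how many certificates it held.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$1" 2>/dev/null
}

# Print the subject or issuer ($1) of certificate file $2 in RFC 2253 form.
name_of() {
    openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed 's/^[a-z]*= *//'
}

# check_chain bundle: 0 if every certificate is issued by the one after it,
# 1 if a link is broken (wrong order or extra cert), 2 if no certificate found.
check_chain() {
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$tmp"); count=${count:-0}
    rc=0; i=1; [ "$count" -gt 0 ] || rc=2
    while [ "$i" -lt "$count" ]; do
        if [ "$(name_of issuer "$tmp/cert-$i.pem")" != "$(name_of subject "$tmp/cert-$((i + 1)).pem")" ]; then
            echo "cert $i is not issued by cert $((i + 1))" >&2; rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"; return "$rc"
}

# Constructed sample: throwaway root -> inter -> leaf chain written into dir $1.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
    ca=root
    for who in inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Sample $who" \
            -keyout "$1/$who.key" -out "$1/$who.csr" 2>/dev/null &&
        openssl x509 -req -in "$1/$who.csr" -days 1 -set_serial 1 -CA "$1/$ca.pem" \
            -CAkey "$1/$ca.key" -out "$1/$who.pem" 2>/dev/null || return 1
        ca=$who
    done
}

work=$(mktemp -d) && make_chain "$work" &&
cat "$work/leaf.pem" "$work/inter.pem" "$work/root.pem" > "$work/good.pem" &&
cat "$work/leaf.pem" "$work/root.pem" "$work/inter.pem" > "$work/bad.pem" &&
check_chain "$work/good.pem" && echo "good.pem: order ok"
check_chain "$work/bad.pem" || echo "bad.pem: chain needs reordering"
rm -rf "$work"
```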

Advice from a fellow sysadmin noob: maybe you can use the function in Directadmin to request and issue the Let's Encrypt certificate? A quick search online gives me the impression Directadmin has core functionality for that. If you use that, it will probably also fix apache configuration etcetera.