Trouble installing previously obtained certificate

My domain is:

iconcierge.net.au

I ran this command:

certbot certonly --manual --cert-name wild.iconcierge.net.au -d *.iconcierge.net.au

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for iconcierge.net.au


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: y


Please deploy a DNS TXT record under the name
_acme-challenge.iconcierge.net.au with the following value:

WVcrivUeDkqJpWlFuAgI2i8m4a9HjqEslrsf7LC0TQU

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/wild.iconcierge.net.au/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/wild.iconcierge.net.au/privkey.pem
    Your cert will expire on 2020-04-20. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

My web server is (include version):

Apache (I think)

The operating system my web server runs on is (include version):

Ubuntu, 4.4.0-165.generic

I can login to a root shell on my machine (yes or no, or I don't know):

Yes, through sudo

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No... I interact with it via PuTTY

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.31.0

VERY happy, I managed to obtain the cert, which was a nightmare finding access to my DNS records etc, but I got there..over the moon!

However, I only obtained the certs, rather than installed them, and now I am a bit lost as to how to install previously obtained certs? I have read the documentation about 15 times but am still lost. I hate asking for help unless I need it, but I'm hoping for some direction with this one... much appreciated.

Progress is being made though, starting to see the power in certbot/lets encrypt(though it can be a bit overwhelming to understand)...

1 Like

Certs can be used for a varied number of things.
So, it depends on your need(s): Web Server, E-Mail server, SFTP, etc.
Each will have its own way of handling certs.
And even within each of those, there are different "brands" and they all come with their own "unique set of instructions".

So to answer your question:

We would need some specifics on your use case(s) before anyone can give you proper advice.
[that said, most of such advice will probably have little or nothing to do with LetsEncrypt - so be prepared to be directed elsewhere for more appropriate help with your need(s)]

So, let's begin with:
How would you like to use your cert(s)?

2 Likes

So, it depends on your need(s): Web Server, E-Mail server, SFTP, etc.

How would you like to use your cert(s)?

Literally just need SSL to work for HTTPS requests for website access.

It has to be a wildcard (for this particular domain) as we have dozens of subdomains running on the main domain; some get added and some get removed fairly frequently... so the wildcard does seem appropriate...

Is this the kind of info you meant?

Thank you for the help rg, you've been a lifesaver several times on this forum!

1 Like

That is a step in that direction.
Web Server with HTTPS.

When you say:

You should understand that a wildcard can only replace letters and numbers.
That is it won't contain a period.
So:
*.domain.com
can be used by (for example):
anyname123.domain.com
but not by
any123.name.domain.com

That said, and presuming all your subdomains "fit" into your wildcard cert:

You will need to setup vhost configs for each individually hosted document root.
That is, you might want a few "similar" names to serve the exact same content.
They can be combined/grouped into one single vhost config.
[using servername/serveralias]

But any name(s) not serving that same content will need an additional vhost config (usually within individual files).

For this you should understand how Apache (presuming that is your web server) operates.
Where it expects config files to be placed and loaded.
How to start and stop the web server.
How to use an editor (like: VIM or NANO).

If you have never done so, perhaps an "HTML 101" book/class would be a good start.

2 Likes
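The wildcard rule described in the reply above, as an added example that is not code from the thread: a POSIX shell function (names are mine) that decides whether a hostname is covered by a SAN entry the way a browser does, so "*" stands for exactly one non-empty label and the bare apex name is not covered by the wildcard.

```shell
# Added example: is HOST covered by the SAN entry PATTERN?
# "*" stands for exactly one non-empty DNS label and never for a dot, so
# *.iconcierge.net.au covers anyname123.iconcierge.net.au but neither
# any123.name.iconcierge.net.au nor the bare apex iconcierge.net.au.
# Returns 0 when covered, 1 otherwise.
wildcard_covers() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pattern" in
    \*.*) ;;                                      # wildcard SAN, handled below
    *) if [ "$pattern" = "$host" ]; then return 0; else return 1; fi ;;
  esac
  suffix=${pattern#\*.}                           # e.g. iconcierge.net.au
  case "$host" in
    *".$suffix") ;;                               # host ends in ".<suffix>"
    *) return 1 ;;
  esac
  label=${host%".$suffix"}                        # what "*" would have to stand for
  [ -n "$label" ] || return 1                     # host was just ".<suffix>"
  case "$label" in
    *.*) return 1 ;;                              # "*" would have to span a dot
  esac
  return 0
}

# Print the names from the argument list that SAN covers, one per line.
covered_names() {
  san=$1; shift
  for h in "$@"; do
    if wildcard_covers "$san" "$h"; then printf '%s\n' "$h"; fi
  done
}

# Demo on the names discussed in the thread: only the first one is printed.
covered_names '*.iconcierge.net.au' \
  example.iconcierge.net.au any123.name.iconcierge.net.au iconcierge.net.au
```

The apex case is why the thread ends up keeping a separate, non-wildcard certificate for iconcierge.net.au next to the wildcard one.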

That is it won’t contain a period.

Yup, all are just "example.iconcierge.net.au"

I should note, there was a previous wildcard cert but it went bust/broke and I was hoping this would be a way around it to get those sites up and running again; and then just remove the old cert...

This seems like it's not as simple as just 'install the already obtained cert and everything will work again'... which I was hoping for...

I ran certbot certificates so you can have a look at my current situation and perhaps hint me in the right direction forwards...

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/iconcierge.net.au.conf produced an unexpected error: expected /etc/letsencrypt/live/iconcierge.net.au/cert.pem to be a symlink. Skipping.
Revocation status for /etc/letsencrypt/live/apps.itourism.com.au/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/iconcierge.net.au-0001/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/iconcierge.net.au-0002/cert.pem is unknown


Found the following certs:
Certificate Name: apps.itourism.com.au
Domains: apps.itourism.com.au
Expiry Date: 2019-10-07 06:04:03+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/apps.itourism.com.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/apps.itourism.com.au/privkey.pem
Certificate Name: blank_iconcierge.net.au
Domains: iconcierge.net.au
Expiry Date: 2020-03-05 19:06:23+00:00 (VALID: 43 days)
Certificate Path: /etc/letsencrypt/live/blank_iconcierge.net.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/blank_iconcierge.net.au/privkey.pem
Certificate Name: cairnstoursandtravel.com
Domains: cairnstoursandtravel.com
Expiry Date: 2020-04-11 10:47:05+00:00 (VALID: 80 days)
Certificate Path: /etc/letsencrypt/live/cairnstoursandtravel.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cairnstoursandtravel.com/privkey.pem
Certificate Name: cairnstoursandtravel
Domains: www.cairnstoursandtravel.com cairnstoursandtravel.com cairnstoursandtravel.com.au cairnstravelandtours.com cairnstravelandtours.com.au www.cairnstoursandtravel.com.au www.cairnstravelandtours.com www.cairnstravelandtours.com.au
Expiry Date: 2020-03-04 09:18:09+00:00 (VALID: 42 days)
Certificate Path: /etc/letsencrypt/live/cairnstoursandtravel/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cairnstoursandtravel/privkey.pem
Certificate Name: iconcierge.net.au-0001
Domains: *.iconcierge.net.au apps.itourism.com.au
Expiry Date: 2020-01-12 01:17:49+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/iconcierge.net.au-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/iconcierge.net.au-0001/privkey.pem
Certificate Name: iconcierge.net.au-0002
Domains: *.iconcierge.net.au apps.itourism.com.au
Expiry Date: 2020-01-12 01:18:41+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/iconcierge.net.au-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/iconcierge.net.au-0002/privkey.pem
Certificate Name: visitorcentre.com.au
Domains: visitorcentre.com.au apps.itourism.com.au australianvisitorcentres.com.au australiawidetours.com australiawidetours.com.au ausvc.com.au bestaustraliantours.com.au bestofaustraliatravelcentres.com.au bestofvictoria.com.au lastminutetickets.net.au thesvc.com.au www.australianvisitorcentres.com.au www.australiawidetours.com www.australiawidetours.com.au www.ausvc.com.au www.bestaustraliantours.com.au www.bestofaustraliatravelcentres.com.au www.bestofvictoria.com.au www.lastminutetickets.net.au www.thesvc.com.au www.visitorcentre.com.au
Expiry Date: 2020-04-14 01:51:00+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/visitorcentre.com.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/visitorcentre.com.au/privkey.pem
Certificate Name: wild.iconcierge.net.au
Domains: *.iconcierge.net.au
Expiry Date: 2020-04-20 22:01:32+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/wild.iconcierge.net.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/wild.iconcierge.net.au/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/iconcierge.net.au.conf

1 Like

So you want to replace the other certs currently in use with the wildcard cert?
[as well as use it for any future sites that "fit"]

2 Likes

No... well yes but no.

See these 2 certs:

Certificate Name: iconcierge.net.au-0001
Domains: *.iconcierge.net.au apps.itourism.com.au
Expiry Date: 2020-01-12 01:17:49+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/iconcierge.net.au-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/iconcierge.net.au-0001/privkey.pem
Certificate Name: iconcierge.net.au-0002
Domains: *.iconcierge.net.au apps.itourism.com.au
Expiry Date: 2020-01-12 01:18:41+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/iconcierge.net.au-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/iconcierge.net.au-0002/privkey.pem

These were already up and running when I took this role, but went bust since then..

I am just trying to get those sites back on SSL (ignore the apps.itourism.com.au domain, I have that running elsewhere for the time being while I work the rest of this mess out)...

So I am guessing vhosts etc are all already created etc..

1 Like

OK then “find” the vhost configs that use those cert files and replace it with the new one.
Try:
grep -Eri 'net.au-000|fullchain' /etc/apache2/
[please show the output]

2 Likes

output:

/etc/apache2/sites-available/http.conf: SSLCertificateFile /etc/letsencrypt/live/blank_iconcierge.net.au/fullchain.pem
/etc/apache2/sites-available/http.conf: SSLCertificateFile /etc/letsencrypt/live/iconcierge.net.au-0002/fullchain.pem
/etc/apache2/sites-available/http.conf: SSLCertificateKeyFile /etc/letsencrypt/live/iconcierge.net.au-0002/privkey.pem
/etc/apache2/sites-available/http.conf: SSLCertificateFile /etc/letsencrypt/live/visitorcentre.com.au/fullchain.pem
/etc/apache2/sites-available/http.conf:SSLCertificateFile /etc/letsencrypt/live/visitorcentre.com.au/fullchain.pem
/etc/apache2/sites-available/http.conf:SSLCertificateFile /etc/letsencrypt/live/visitorcentre.com.au/fullchain.pem
/etc/apache2/sites-available/http.conf:SSLCertificateFile /etc/letsencrypt/live/visitorcentre.com.au/fullchain.pem
/etc/apache2/sites-available/http.conf:SSLCertificateFile /etc/letsencrypt/live/visitorcentre.com.au/fullchain.pem
/etc/apache2/sites-available/http.conf:SSLCertificateFile /etc/letsencrypt/live/visitorcentre.com.au/fullchain.pem
/etc/apache2/sites-available/http.conf:SSLCertificateFile /etc/letsencrypt/live/visitorcentre.com.au/fullchain.pem
/etc/apache2/sites-available/http.conf:SSLCertificateFile /etc/letsencrypt/live/visitorcentre.com.au/fullchain.pem
/etc/apache2/sites-available/http.conf:SSLCertificateFile /etc/letsencrypt/live/visitorcentre.com.au/fullchain.pem
/etc/apache2/sites-available/http.conf:SSLCertificateFile /etc/letsencrypt/live/visitorcentre.com.au/fullchain.pem
/etc/apache2/sites-available/http.conf:SSLCertificateFile /etc/letsencrypt/live/visitorcentre.com.au/fullchain.pem

1 Like

Let's have a look at that file.
[at least the virtualhost part that contains the "net.au-000"]

1 Like

sure thing!

Listen 80
Listen 443

# Port 80: redirect everything to HTTPS
<VirtualHost *:80>

ServerAlias *.iconcierge.net.au
ServerAlias iconcierge.net.au

DocumentRoot /var/www/html/iconcierge/app

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]

RewriteCond %{SERVER_NAME} =*.iconcierge.net.au
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

RewriteCond %{SERVER_NAME} =iconcierge.net.au
RewriteRule ^ https://www.iconcierge.net.au/ [END,NE,R=permanent]

</VirtualHost>

# Port 443, apex name: uses the separate non-wildcard certificate
<VirtualHost *:443>

<Directory /var/www/html/>
    Options -Indexes
    Require all granted
    AllowOverride All
</Directory>

ServerAlias iconcierge.net.au

DocumentRoot /var/www/html/iconcierge/app

SSLEngine on

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/blank_iconcierge.net.au/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/blank_iconcierge.net.au/privkey.pem

</VirtualHost>

# Port 443, wildcard: still points at the expired -0002 lineage
<VirtualHost *:443>

<Directory /var/www/html/>
    Options -Indexes
    Require all granted
    AllowOverride All
</Directory>

ServerAlias *.iconcierge.net.au

DocumentRoot /var/www/html/iconcierge/app

SSLEngine on

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/iconcierge.net.au-0002/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/iconcierge.net.au-0002/privkey.pem

</VirtualHost>

1 Like

Modify these two lines:

SSLCertificateFile /etc/letsencrypt/live/iconcierge.net.au-0002/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/iconcierge.net.au-0002/privkey.pem

to be:
SSLCertificateFile /etc/letsencrypt/live/wild.iconcierge.net.au/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wild.iconcierge.net.au/privkey.pem

save the config
restart apache
test it out
delete the unused and expired cert(s)
thank me
look back and laugh
go on with your life
...

2 Likes
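A way to automate the check done by hand with grep earlier in the thread, as an added example that is not from the thread: a POSIX shell script (function names are mine) that cross-references a `certbot certificates` listing with an Apache config and prints every SSLCertificateFile or SSLCertificateKeyFile directive still pointing into a lineage certbot reports as expired. Both inputs are constructed samples trimmed from the outputs posted above; on a real host you would pass the output of `certbot certificates` and the contents of the vhost file instead.

```shell
# Added example: find vhost directives that still reference a certbot lineage
# whose certificate is expired (here, the *:443 wildcard vhost on -0002).

# Constructed sample trimmed from the `certbot certificates` output above.
CERTBOT_OUT='Certificate Name: iconcierge.net.au-0002
Domains: *.iconcierge.net.au apps.itourism.com.au
Expiry Date: 2020-01-12 01:18:41+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/iconcierge.net.au-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/iconcierge.net.au-0002/privkey.pem
Certificate Name: wild.iconcierge.net.au
Domains: *.iconcierge.net.au
Expiry Date: 2020-04-20 22:01:32+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/wild.iconcierge.net.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/wild.iconcierge.net.au/privkey.pem'

# Constructed vhost fragment modelled on the http.conf posted above.
APACHE_CONF='<VirtualHost *:443>
ServerAlias iconcierge.net.au
SSLCertificateFile /etc/letsencrypt/live/blank_iconcierge.net.au/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/blank_iconcierge.net.au/privkey.pem
</VirtualHost>
<VirtualHost *:443>
ServerAlias *.iconcierge.net.au
SSLCertificateFile /etc/letsencrypt/live/iconcierge.net.au-0002/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/iconcierge.net.au-0002/privkey.pem
</VirtualHost>'

# Print the lineage names certbot flags as "INVALID: EXPIRED", one per line.
expired_lineages() {
  printf '%s\n' "$1" | awk '
    /^Certificate Name:/                  { name = $3 }
    /^Expiry Date:/ && /INVALID: EXPIRED/ { print name }'
}

# For each expired lineage, print "<lineage> <directive> <path>" for every
# SSLCertificateFile / SSLCertificateKeyFile line in CONF under that lineage.
# Usage: expired_references "$APACHE_CONF" "$CERTBOT_OUT"
expired_references() {
  conf=$1
  expired_lineages "$2" | while IFS= read -r name; do
    printf '%s\n' "$conf" | awk -v dir="/etc/letsencrypt/live/$name/" -v name="$name" '
      /^[[:space:]]*SSLCertificate(Key)?File[[:space:]]/ && index($2, dir) == 1 {
        print name, $1, $2 }'
  done
}

expired_references "$APACHE_CONF" "$CERTBOT_OUT"
```

An empty result after the edit and `apachectl configtest` is the "test it out" step; any line printed is a vhost that will still serve the expired certificate.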

thank me
look back and laugh
go on with your life

thank you, immensely.

Do you have cashapp or something, I owe you a beer!

Seriously though mate, thank you, it works...

2 Likes

I don't feel like I've done enough to deserve one... but if you feel like buying me a :beer: I won't stop you!
Although I would much rather prefer that you donate that :beer: money to LE
Either way:
-Cheers from Miami :beers:

3 Likes

I shall do both mate :slight_smile:

Cheers :beers:

3 Likes

A true gentleman!
:slight_smile:

2 Likes
