Unable to renew certificate as server has a new host name


#1

Hi.

I’m hoping someone can help me.

I’m running a DigitalOcean Ubuntu / WordPress template server. Everything is fine.

Recently I changed the host name from lists.bizzi-body.com to bizzi-body.com.

Now that I need to renew the LE certificate… I run ./letsencrypt-auto renew

LE responds…

We were unable to find a vhost with a ServerName or Address of lists.bizzi-body.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
Choices: ['bizzi-body.com.conf            | Multiple Names        |       |        ', 'default-ssl.conf               |                       | HTTPS | Enabled', '000-default.conf               |                       |       | Enabled', '000-default-le-ssl.conf        |                       | HTTPS | Enabled', 'bizzi-body.com-le-ssl.conf     | Multiple Names        | HTTPS | Enabled']
(The best solution is to add ServerName or ServerAlias entries to the VirtualHost directives of your apache configuration files.). Skipping.

Reading through that, my thoughts are that LE is still looking for lists.bizzi-body.com - so the question is …

How can I tell LE that the host name has changed?


#2

If you “change the name” of a server computer you conceptually remove one server computer from service and create another server computer.

You have a certificate for a server computer that “doesn’t exist any more”. You probably shouldn’t try to renew that certificate. I fail to see how this could be accomplished.

My approach would be to request a brand new certificate for the “new server” you have just “created” (through the name change), using the name of the new server. Visitors to your “new” server will then be served a certificate valid for “the new server”. (Even if this is served from the same computer hardware.)

Then you basically have two choices for the “old” certificate. You could (1) just let it expire when it reaches its expiration date or you could (2) revoke the certificate.

Since the LE certificates have a pretty short validity time frame, I would most likely let the old expire and die out on its own. Unless you have some real requirement to invalidate the old certificate.


#3

Thanks @Biker .

I have done this and had a good and a not-so-good outcome.

I ran ./letsencrypt-auto --apache -d bizzi-body.com

And received the message Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/bizzi-body.com-0001/fullchain.pem. Your cert will expire on 2016-07-28. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.

The LE app told me I could test the cert using https://www.ssllabs.com/ssltest/analyze.html?d=bizzi-body.com .

However. This test showed me the previous cert - that expires in a few days' time.

I restarted Apache - thinking maybe there is some caching going on and tested again.

Alas. While the LE app says I have a new cert - testing shows the server is still using the old cert.

Any ideas?


#4

I thought I would also add - after searching the forum for similar issues. The contents of 000-default-le-ssl.conf…

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/bizzi-body.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bizzi-body.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/bizzi-body.com/chain.pem
</VirtualHost>
</IfModule>

And I see there is also a bizzi-body.com-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin support@bizzi-body.com
        ServerName bizzi-body.com
        ServerAlias www.bizzi-body.com
        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/bizzi-body.com-0001/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bizzi-body.com-0001/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/bizzi-body.com-0001/chain.pem
</VirtualHost>
</IfModule>

I’m wondering if I just need to copy the contents of bizzi-body.com-le-ssl.conf into 000-default


#5

Yip! Yip!

That did the trick.

I now have the new cert in place and it tests lovely.

Thanks @Biker - you got me pointed in the right direction. Cheers.
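
An added example (not part of the original thread or of the Let's Encrypt client): a shell check that lists, for each Apache VirtualHost, its ServerName and the SSLCertificateFile it reads, then flags any vhost that is not using the expected lineage directory. The function names `vhost_certs` and `stale_vhosts` are hypothetical, and the two config files are constructed from trimmed versions of the contents posted in #4.

```bash
#!/usr/bin/env bash
# Added example: show which certificate each Apache <VirtualHost> points at.

# Print "file|ServerName|SSLCertificateFile" for every VirtualHost block.
vhost_certs() {
  awk '
    function base(p) { sub(/.*\//, "", p); return p }
    tolower($1) ~ /^<virtualhost/               { name = "(none)"; cert = "(none)"; invh = 1; next }
    invh && tolower($1) == "servername"         { name = $2 }
    invh && tolower($1) == "sslcertificatefile" { cert = $2 }
    tolower($1) ~ /^<\/virtualhost/             { print base(FILENAME) "|" name "|" cert; invh = 0 }
  ' "$@"
}

# Print the vhosts whose certificate is NOT read from the given lineage directory.
# The trailing "/" matters: "bizzi-body.com" is a string prefix of "bizzi-body.com-0001".
stale_vhosts() {
  local lineage_dir=$1; shift
  vhost_certs "$@" | awk -F'|' -v want="$lineage_dir/" 'index($3, want) != 1'
}

# Constructed sample input: trimmed copies of the two files shown in the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/000-default-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
        DocumentRoot /var/www/html
SSLCertificateFile /etc/letsencrypt/live/bizzi-body.com/cert.pem
</VirtualHost>
EOF
cat > "$demo_dir/bizzi-body.com-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
        ServerName bizzi-body.com
SSLCertificateFile /etc/letsencrypt/live/bizzi-body.com-0001/cert.pem
</VirtualHost>
EOF

vhost_certs "$demo_dir"/*.conf
echo "--- vhosts not using the bizzi-body.com-0001 lineage:"
stale_vhosts /etc/letsencrypt/live/bizzi-body.com-0001 "$demo_dir"/*.conf
```

On a real server the same functions can be pointed at `/etc/apache2/sites-enabled/*.conf`; a vhost listed with `(none)` as its ServerName and an older lineage path is the one to look at first.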


#6

Glad you made it. 🙂

