Using certbot --certonly and existing httpd.conf


#1

hello -

For a domain with a cert expiring tomorrow, currently the httpd.conf file looks like this:

SSLCertificateFile /home/domain.com/certs/domain_com.crt
SSLCertificateKeyFile /home/domain.com/certs/domain.com.PRIVATE_KEY.key
SSLCACertificateFile /home/domain.com/certs/domain_com.ca-bundle

When I ran certbot --apache certonly,

the following was returned to me:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/domain.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/domain.com/privkey.pem

I would like to start off simple and not modify the httpd.conf file if possible. So I am thinking the following commands might be run (example for the private key):

mv \
/home/domain.com/certs/domain.com.PRIVATE_KEY.key \
/home/domain.com/certs/domain.com.PRIVATE_KEY.key-RENAMED ;

ln -s \
/etc/letsencrypt/live/domain.com/privkey.pem \
/home/domain.com/certs/domain.com.PRIVATE_KEY.key ;

But does the fullchain.pem file contain both the public cert and the chain? Would I need to manually edit the fullchain.pem file and save it as a separate crt file and a ca-bundle file?

thank you very much.


#2

Hi @edwardsmarkf, @schoen describes fullchain.pem in another post…

https://community.letsencrypt.org/t/solved-why-isnt-my-certificate-trusted/2479

If you take a look at it he stated:

I don’t believe that fullchain.pem references the ISRG root. I originally wrote the code that originally creates it and the definition of fullchain.pem was cert.pem and chain.pem in a single file.

Also if you want to make it “simple” you can comment out the ssl configuration in your httpd.conf and “include” a separate file with your custom ssl settings, etc. It might make it easier for one to maintain and keep track of.

As to the editing of the fullchain.pem file, I’ll leave that to the experts. That’s why we’re here!

Hope this helps a bit…
Rip

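Since fullchain.pem is cert.pem followed by chain.pem, the split the original poster asks about is just "first PEM block versus the rest"; the script below is an added example (not from the thread or from certbot) that does that split and refuses truncated input, using a constructed placeholder bundle and hypothetical output paths.

```shell
#!/bin/sh
# Added example: split certbot's fullchain.pem into the two files the existing
# httpd.conf expects (leaf cert for SSLCertificateFile, rest as the CA bundle).
# fullchain.pem is cert.pem followed by chain.pem, so the first PEM block is the
# server certificate and every block after it belongs to the chain.

# split_fullchain <fullchain.pem> <out.crt> <out.ca-bundle>
split_fullchain() {
  awk -v leaf="$2" -v chain="$3" '
    /^-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > leaf }
    n >= 2 { print > chain }
  ' "$1"
  # Both outputs must exist and end with a complete PEM block; refuse a
  # truncated or single-certificate input rather than installing it.
  [ -s "$2" ] && [ -s "$3" ] || return 1
  tail -n 1 "$2" | grep -q '^-----END CERTIFICATE-----$' || return 1
  tail -n 1 "$3" | grep -q '^-----END CERTIFICATE-----$' || return 1
}

# cert_count <pem-file>: number of PEM certificate blocks in the file
cert_count() { grep -c '^-----BEGIN CERTIFICATE-----' "$1"; }

# Constructed stand-in for a fullchain.pem (placeholder bodies, not real
# certificates): one leaf certificate followed by two intermediates.
make_sample_fullchain() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAF-CERT-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE-1-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE-2-PLACEHOLDER
-----END CERTIFICATE-----
EOF
}

# Demonstration on the constructed sample (output paths are hypothetical).
demo_dir=$(mktemp -d)
make_sample_fullchain "$demo_dir/fullchain.pem"
split_fullchain "$demo_dir/fullchain.pem" \
  "$demo_dir/domain_com.crt" "$demo_dir/domain_com.ca-bundle"
echo "leaf certs: $(cert_count "$demo_dir/domain_com.crt"), chain certs: $(cert_count "$demo_dir/domain_com.ca-bundle")"
rm -rf "$demo_dir"
```

Because fullchain.pem is rewritten on every renewal, the split has to be rerun each time (for example from a certbot --deploy-hook); on Apache httpd 2.4.8 and later the split is unnecessary, since SSLCertificateFile accepts fullchain.pem with the intermediates included.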
