Using Certbot with certonly -- updating Apache Configs


Aloha lads,

I’m tried to installed a SSL-certificate via certbot and just let him do his thing BUT although I get the message with something like: congrats… successfully install… expires on the DATE

but now if I try go to my website it still is http. I read that certbot maybe did not update/add the paths for apache2 but I don’t know how to do that.

Debian 8 Jessie


used certbot automated

I’m sorry if you lack some information to help I’ll add if you tell me what you need :>


if you change the URL from http to https, is the site also there?


without https it’s working just fine:


Could it be that I have to add something to sites-available to make it work?

LoadModule ssl_module modules/

    Listen 443
    <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile "/path/to/"
        SSLCertificateKeyFile "/path/to/"

^something like this?^


Seems like the site is available now but it uses my selfsigned certificate instead of the one certbot made. How can I change this?

Also! How can I make the http version unavailable for public? so if people only enter manually that they get to https instantly without having to type it themselves? Now if you go for you get to the http version which now is “empty”


You need to find the conf file that serves the secure site (:443)
There you can modify which cert file is used.

That can be done with a redirection statement.
You need to find the conf file that serves the regular site (:80)
There you can insert a redirect statement like this:
Redirect “/” “

or for more than just redirection to the main https start page:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI}

or maybe this could also do the trick:
SSLOptions +StrictRequire


I actually edited the 80 file to 443 and did not make a new one. Can I put both the redirect 80 > 443 and the 443 both in the same conf?

Where does certbot save the files by default?


Okay I managed to do it like this:

<VirtualHost *:443>
    DocumentRoot /var/www/website/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

<VirtualHost *:80>
    Redirect /

Now I only have to know where certbot saves the files so I can set them as path. I assume I have to set the path in this exact document:

SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

I can’t manage to find where those files are stored :confused:


That’s the output of the comment “find /-name *.key”


find / -name *.pem


That’s only the stuff with letsencrypt in the path :open_mouth:


/etc/letsencrypt/live/ = private key file
/etc/letsencrypt/live/ = public cert with intermediates

They should be symbolic links that auto-update to the latest file whenever it renews.

yee website be saying ney no longer!


Updated it to:

but after restarting apache2 it still says ney :frowning:

<VirtualHost *:443>
    ServerAdmin myemail
    DocumentRoot /var/www/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/

Alias /phpmyadmin "/usr/share/phpmyadmin/"
<Directory "/usr/share/phpmyadmin/">
     Order allow,deny
     Allow from all
     Require all granted


<VirtualHost *:80>
    Redirect /

That’s the complete file

BTW should I edit the phpmyadmin thing? If I read “allow from all” I get a bad feeling


I did not change anything! I assume it used old cache I think I did not ctrl-F5 :confused:

I thank you so much for helping me! People like you are awesome


That problem seems to be from the server lack of cipher preference ordering:
(shows A- now, but you can get A+ easily)

try adding this to the :443 part:
It’s a very basic starting point.
You can read up on that and later decide for yourself which ciphers you would like to serve and in which order.
SSLOpenSSLConfCmd DHParameters
If using DHE ciphers.
SSLOpenSSLConfCmd Curves
as well.

openssl ciphers
will show all ciphers available on that version of openssl

openssl ciphers ECDH:DH:!ADH:!aNULL:!AESCCM:!DSS:!eNULL:!SEED:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
will show the ciphers available with those restrictions.

Have fun!


I don’t get the Cipher thing tbh “AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA” Does chain different encrypt methods?


Okay added it. How can I view my A status?


Your site is already doing this (which includes those four ciphers):

TLS 1.2 (server has no preference)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 2048 bits FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 2048 bits FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256