Using Certbot with certonly -- updating Apache Configs


My rating went down to B? :open_mouth:

Also DNS CAA is marked orange :frowning:


Like this?


I tried to restart the server after adding those lines :open_mouth:


t was unable to enforce protocol order since we never gave it any protocol order.
what you needed was cipher odering
Just change

SSLHonorCipherOrder On
and include


That’s how it looks now. I already restarted apache2 and tested it again but I still get A-


OK that seems correct.
But the A- also shows:

TLS 1.2 (server has no preference)

I think we are overlooking the fact that there are other files at play.
The configuration is spread over several files.
There is probably a conflicting setting in one of those other files.
like ssl.conf or something.

ls -l /etc/apache2/conf-enabled/.conf
ls -l /etc/apache2/sites-enabled/
ls -l /etc/apache2/sites-enabled/000-default*

try moving
SSLHonorCipherOrder On


do they have permission 777?!?


reorder to this order:
SSLEngine On
SSLCertificateFile public.key
SSLCertificateKeyFile private.key
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
SSLCipherSuite …
SSLHonorCipherOrder On

restart apache
check ssllabs score
if unchanged, then show:


those are all standard files

that conflicts and seems to override with your settings in the other conf file
vitualHost *:443>
ServerAdmin admin@localhost

Leave your updated config and change this other file to
ServerName localhost:443
(this config should really never get used - it’s only there when your IP gets https connections for unknown FQDNs or directly to the IP)

we may be getting close to the daily posting limit per thread - if blocked from additional posting, you can contact me directly. But I think this should end this issue.


leave it.
restart apache
check ssllabs


Nobody mentioned this so far, but not installing in Apache is usually a consequence of running with certonly. If you do want Certbot to try to install in Apache for you, don’t use certonly, since the “only” means “only obtain a certificate, don’t try to install it”.


also worthwhile pointing out that mozilla publishes templates of good configs



This might help. As root there is a directory called /etc/letsencrypt/live on your server. In there there should be a file called renew. In that file there is a simple key that you may need. I am not sure but if your certs haven’t expired (after 90 days) you might find a way. I asked a security expert and he verified that letsencrypt certificates can be trusted so I am gonna continue to use them. Also on a Mac the only way it seems to get a cert working is to use something like let’s encrypt does using keytool. Trust me an Enterprise Tech call using anything GUI failed and the alternate method they suggested using server failed too but keytool worked


Hi @MarcLisevich,

I don’t think that your advice is very relevant to @Belph’s original situation, and might be mixing up a few different issues. I’m glad that you got your own setup working properly; if you’d like to talk more about how that worked in your configuration, I would suggest starting a new topic.


Don’t usually relpy to replies but I thought that file might help one can always dismiss when off topic as I briefly scanned and no one had mentioned it. You didn’t so let me stay on topic and ask: is it because I have to renew manually?


Hi @MarcLisevich,

First, I think you might have confused /etc/letsencrypt/live and /etc/letsencrypt/renewal. The contents of /etc/letsencrypt/live are subdirectories referring to particular certificates that you have and each one of those currently has only four files, privkey.pem, cert.pem, chain.pem, and fullchain.pem

Second, the keytool utility is used for editing Java keystores (JKS), which is important when using Tomcat and some other Java-related server environments. However, there is nothing particularly macOS-specific about this; you would also likely use keytool with Tomcat on Linux, while you don’t need to use keytool for Apache on macOS. People who aren’t using Tomcat or Java servers don’t need to use keytool as part of their certificate setup or renewal process.

Whether or not you have to renew manually depends on how you originally got your certificate. It might not be that uncommon for Tomcat users to do so, but many other people’s environments can renew just by running certbot renew or certbot-auto renew, and can often do so automatically from a periodic job run from cron or systemd, without needing any human intervention at all.

I don’t think this is relevant to @Belph’s situation because @Belph was using Apache on Debian.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.