What do I do with the Cert file?


#1

I’m using CentOS 6.7 and certbot doesn’t work in auto mode on it yet, so I used the webroot method to get a certificate and it was successful. I now have a cert file in /etc/letsencrypt/mydomain/fullchain.pem

Now what do I do with the certificate? How do I move my domain to https? I found a lot of tutorials on obtaining a certificate but nothing on using it. Am I missing something?


#2

Basically you just need to modify your web configuration. You don’t provide any information on what you are using though. Apache? nginx? Do you have a control panel? cPanel? ISPConfig? Something else?


#3

I’m using Apache. Can you provide a sample file? I saw this somewhere:

<VirtualHost ip:443>
...
SSLCertificateFile    /etc/ssl/certs/domain.crt
SSLCertificateKeyFile /etc/ssl/private/domain.key
SSLCertificateChainFile /etc/ssl/certs/domain-intermediate.pem
...
</VirtualHost>

But that’s 3 files. I only got one. Do I just remove the crt and key line?


#4

You should have all the files in /etc/letsencrypt/live/domain

https://mozilla.github.io/server-side-tls/ssl-config-generator/ can provide a good example file for your configuration (depending on whether you want high security and only the latest browsers, or slightly lower security that allows older browsers to connect).


#5

In my live/domain folder, I have cert.pem, chain.pem, fullchain.pem and privkey.pem

But no .crt or .key file? I think I’m confused with the terminology here?

From mozilla’s site, I have this, so what would I be putting in the paths?

SSLCertificateFile      /path/to/signed_certificate
SSLCertificateChainFile /path/to/intermediate_certificate
SSLCertificateKeyFile   /path/to/private/key

Sorry for the trouble :sweat_smile:


#6

cert.pem is the certificate file
privkey.pem is the certificate key file
chain.pem and fullchain.pem are the chain file (depending on your version of Apache you need either the chain or fullchain)


#7

Ahh. I see. Thanks.

One last question: How do I find out if I need chain or fullchain for my version?


#8

On CentOS 6 the command

/usr/sbin/httpd -v

should tell you the version of apache you are running.

In Apache 2.2.x you would use

SSLCertificateChainFile /etc/letsencrypt/live/domain/chain.pem

In Apache 2.4.x you would use

SSLCertificateFile /etc/letsencrypt/live/domain/fullchain.pem
and not use the SSLCertificateChainFile


#9

If you have Apache version 2.4.8 or newer you can set SSLCertificateFile to fullchain.pem and not have a SSLCertificateChainFile at all

If your Apache version is older than 2.4.8 then you must set SSLCertificateFile to cert.pem and set SSLCertificateChainFile to chain.pem

In both cases you also need SSLCertificateKeyFile to point to the private key privkey.pem

If you’re not sure what Apache version you have, use the older way. New Apache is backwards compatible, and you can switch to the new way when you know for sure you’ve upgraded to a new enough version.
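
The version rule from post #9, as an added example that is not part of the original thread: a small shell script that reads `httpd -v` output and prints the matching directives for the files in the live directory. The function names and the sample `httpd -v` output are constructed for illustration; an unparseable version falls back to the older cert.pem + chain.pem layout.

```shell
#!/bin/sh
# Added example: choose certificate directives from the Apache version,
# using the 2.4.8 cut-off described in post #9. Function names are hypothetical.

# Extract "2.2.15" from a line like "Server version: Apache/2.2.15 (Unix)".
apache_version() {
    printf '%s\n' "$1" | sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p'
}

# Return 0 if version $1 is >= 2.4.8. Fields are compared numerically,
# so 2.4.10 is correctly treated as newer than 2.4.8.
supports_fullchain() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 4 ] && return 0
    [ "$minor" -lt 4 ] && return 1
    [ "$patch" -ge 8 ]
}

# Print the directives for version $1 and live directory $2.
# An empty or unknown version gets the older layout, which newer Apache accepts too.
ssl_directives() {
    live=$2
    if supports_fullchain "$1"; then
        echo "SSLCertificateFile $live/fullchain.pem"
    else
        echo "SSLCertificateFile $live/cert.pem"
        echo "SSLCertificateChainFile $live/chain.pem"
    fi
    echo "SSLCertificateKeyFile $live/privkey.pem"
}

# Constructed sample; on a real host use: httpd_out=$(/usr/sbin/httpd -v)
httpd_out='Server version: Apache/2.2.15 (Unix)
Server built:   (constructed sample)'
ssl_directives "$(apache_version "$httpd_out")" /etc/letsencrypt/live/domain
```

The printed lines go inside the `<VirtualHost ip:443>` block shown in post #3, with `domain` replaced by the actual directory name under /etc/letsencrypt/live.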


#10

Thanks a ton @serverco. And thanks to @tialaramex as well for the explanation.

My version is 2.2 btw so I’ll be using chain.pem

