Which files to use when switching from StartCom to LE?

Hi there. It’s great to have this vivid support community for Let’s Encrypt.

I run several domains in VMs on Ubuntu 16.04 and have already installed Certbot successfully via command line as root user.

I used certbot --apache which ran through almost successfully, but gave me a little headache:

Here is the output conclusion:

Created an SSL vhost at /var/www/conf.d/mymaindomain.net-le-ssl.conf
Deploying Certificate for mymaindomain.net to VirtualHost /var/www/conf.d/mymaindomain.net-le-ssl.conf
Unsupported filesystem layout. sites-available/enabled expected.

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/apps4me.net/fullchain.pem. Your cert will
    expire on 2017-09-20. To obtain a new or tweaked version of this
    certificate in the future, simply run certbot again with the
    "certonly" option. To non-interactively renew all of your
    certificates, run “certbot renew”
    […]

For my various domains, I maintain different domain conf files in /var/www/conf.d/, which used to define the StartCom certificate files like this:

  SSLCertificateFile /var/www/ssl/class2.wildcard.ssl.crt
  SSLCertificateKeyFile /var/www/ssl/myname.ssl.key
  SSLCertificateChainFile /var/www/ssl/sub.class2.server.ca.pem
  SSLCACertificateFile /var/www/ssl/ca.class2.pem

In /etc/letsencrypt/live/mymaindomain.net/, I see four symbolic links which point to the relevant .pem files in …/archive/mymaindomain/.

Now I wonder which of the four StartCom files should be replaced by which files generated by the Certbot. I don’t see any *.crt or *.key files in /etc/letsencrypt/.

What am I misunderstanding? Thanks in advance.

  SSLCertificateFile /etc/letsencrypt/live/mymaindomain.net/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mymaindomain.net/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/mymaindomain.net/chain.pem

SSLCACertificateFile is related to client certificates; it's not necessary.

With Apache 2.4.8 or newer, this can be simplified:

  SSLCertificateFile /etc/letsencrypt/live/mymaindomain.net/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mymaindomain.net/privkey.pem

Be sure to point to /etc/letsencrypt/live/. If you use the real files in /etc/letsencrypt/archive/, Apache will continue to use the old files after the certificate is renewed, and your site will go down after it eventually expires.

There are several popular file extensions for certificates and keys. .pem is, well, one of them. In any case, what really matters is what the files contain; they're all the same format.

2 Likes
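A small lint for the vhost mapping described in the answer above, added here as an example and not code from the thread or from Certbot. It parses the SSL* directives out of a constructed Apache vhost and flags paths into archive/ (which go stale on renewal), a bare cert.pem with no SSLCertificateChainFile, fullchain.pem on an Apache older than 2.4.8, and a leftover SSLCACertificateFile. The domain example.invalid and the default version tuple are assumptions.

```python
from pathlib import PurePosixPath

SSL_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile",
                  "SSLCertificateChainFile", "SSLCACertificateFile")

def parse_ssl_directives(conf_text):
    """Map each SSL* directive in the vhost text to its (unquoted) path."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comment lines
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in SSL_DIRECTIVES:
            found[parts[0]] = parts[1].strip().strip('"')
    return found

def lint_vhost(conf_text, apache_version=(2, 4, 18)):
    """Return a list of problems; an empty list means the vhost looks right."""
    d = parse_ssl_directives(conf_text)
    problems = []
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if name not in d:
            problems.append(f"{name} is missing")
    for name, path in d.items():
        # archive/ holds the real files; only the live/ symlinks follow renewals
        if path.startswith("/etc/letsencrypt/archive/"):
            problems.append(f"{name} points into archive/: renewals will not be picked up")
    cert_name = PurePosixPath(d.get("SSLCertificateFile", "")).name
    if cert_name == "cert.pem" and "SSLCertificateChainFile" not in d:
        problems.append("cert.pem without SSLCertificateChainFile: intermediate will not be sent")
    if cert_name == "fullchain.pem" and apache_version < (2, 4, 8):
        problems.append("fullchain.pem in SSLCertificateFile needs Apache 2.4.8 or newer")
    if "SSLCACertificateFile" in d:
        problems.append("SSLCACertificateFile only matters for client-certificate auth")
    return problems

# Constructed sample vhosts (hypothetical domain, not the thread's server)
STALE_CONF = """<VirtualHost *:443>
    ServerName example.invalid
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/archive/example.invalid/cert1.pem
    SSLCertificateKeyFile /etc/letsencrypt/archive/example.invalid/privkey1.pem
    # leftover from the StartCom setup
    SSLCACertificateFile /var/www/ssl/ca.class2.pem
</VirtualHost>"""
GOOD_CONF = """<VirtualHost *:443>
    ServerName example.invalid
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/example.invalid/fullchain.pem"
    SSLCertificateKeyFile /etc/letsencrypt/live/example.invalid/privkey.pem
</VirtualHost>"""

if __name__ == "__main__":
    for label, conf in (("stale", STALE_CONF), ("good", GOOD_CONF)):
        print(label, lint_vhost(conf) or "ok")
```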

Thank you so much for your quick and perfect reply. It works like a charm. All domains are up and running in secure HTTPS mode again, with the free LE certificate. Time for a big donation.

Now I will have to figure out how to renew the certificate chain in about 90 days, right? :relaxed:

Just run certbot renew in a cronjob every day. It will automatically renew your certificate 30 days before it expires.

1 Like

Thank you for your hint, Patches.
As my ISP already informed me, installing Certbot on my Ubuntu server has already installed such a cronjob in /etc/cron.d/certbot - so I think I will have to wait until August 21 or 22 to see if it works as expected. My test using certbot renew --dry-run was fine.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.