Don't delete a certificate for a domain via Certbot!
I used Certbot to delete an SSL certificate on a domain I no longer use but still had an Apache2 virtual host for.
DON'T DO THIS
I hosed the entire server after a restart of Apache. Deleting the certificate deleted a file that Apache checks on startup, restart, etc. I had to comment out two lines in the Apache 'sites-available' config for that domain.
Without Apache working Certbot also would not work.
There is probably a better way to fix this, but I could not find it after almost an hour of searching.
Talk about a massive point of failure!
That one file killed Apache2 which of course killed every one of my domains.
DON'T DO THIS
What you shouldn't do is install certs with
sudo certbot --apache -d domain.com
You should shut down your web server and then install the cert with
sudo certbot certonly --standalone -d domain.com
Do the apache2 glue yourself. This is as simple as adding the following:
Include /etc/letsencrypt/options-ssl-apache.conf
#
SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
in your VirtualHost configuration. The chain file configuration is important: without it a standard browser will still complain that the CA is untrusted.
Then start up your web server again.
If you want the urls domain.com and www.domain.com to be equivalent, you would acquire the cert like this:
sudo certbot certonly --standalone -d domain.com,www.domain.com
-- sw
P.S. You may have to install a null VirtualHost at your web root for this to work:
<VirtualHost _default_:80>
</VirtualHost>
This is a small price to pay for not giving certbot the ability to nuke your web server configuration, IMHO.
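The procedure Steve describes (certonly, then hand-written Apache glue, then start the web server) is the one place a pre-flight check would have saved the original poster: Apache refuses to start when any SSLCertificate* path in an enabled vhost is missing. The script below is an added example and is not code from the thread or from certbot. It writes the vhost glue with the same directive set quoted above, then verifies every certificate and key path the config references is readable before letting apachectl/systemctl near the running server. The LE_LIVE override, the /var/www/<domain> DocumentRoot and the redirect vhost are my assumptions for illustration; the real lineage directory is /etc/letsencrypt/live/<domain>.

```bash
#!/bin/bash
# Added example (not from the thread): generate the Apache TLS glue that the
# reply above describes and pre-check it before touching a running Apache.
# Assumption for testing: LE_LIVE may be overridden; in production it is
# /etc/letsencrypt/live, the directory certbot certonly populates.
set -u

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# write_vhost DOMAIN OUTFILE
# Writes a :80 vhost that redirects to HTTPS and a :443 vhost carrying the
# same cert/key/chain directives quoted in the reply above.
write_vhost() {
    domain="$1"; out="$2"
    live="$LE_LIVE/$domain"
    cat > "$out" <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    Redirect permanent / https://$domain/
</VirtualHost>

<VirtualHost *:443>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot /var/www/$domain
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile $live/cert.pem
    SSLCertificateKeyFile $live/privkey.pem
    SSLCertificateChainFile $live/chain.pem
</VirtualHost>
EOF
}

# check_cert_files CONF
# Extracts every SSLCertificateFile / SSLCertificateKeyFile /
# SSLCertificateChainFile path from CONF and reports the ones that are
# missing or unreadable. Returns the number of bad paths (0 == all good).
# This is exactly the condition that took the original poster's server down.
check_cert_files() {
    conf="$1"; missing=0
    for path in $(awk '/^[[:space:]]*SSLCertificate(Chain)?(File|KeyFile)[[:space:]]/ {print $2}' "$conf"); do
        if [ ! -r "$path" ]; then
            echo "missing or unreadable: $path" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# safe_reload CONF
# Refuse to reload Apache unless the referenced files exist AND the whole
# configuration passes apachectl configtest. A reload (not restart) keeps
# the other vhosts serving if something is still wrong.
safe_reload() {
    conf="$1"
    check_cert_files "$conf" || { echo "refusing to reload apache2" >&2; return 1; }
    apachectl configtest || return 1
    systemctl reload apache2
}

# Typical use, after `systemctl stop apache2` and
# `certbot certonly --standalone -d domain.com,www.domain.com`:
#   write_vhost domain.com /etc/apache2/sites-available/domain.com.conf
#   a2ensite domain.com && safe_reload /etc/apache2/sites-available/domain.com.conf
```

Run check_cert_files against every file in sites-enabled before any planned restart, and before deleting a lineage with `certbot delete`; the same check belongs in a deploy hook so a timer-driven renewal never reloads a broken config either. One caveat on the directives themselves: Apache 2.4.8 and later deprecate SSLCertificateChainFile; pointing SSLCertificateFile at fullchain.pem is the current form, though the three-line version above still works.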
Thanks, Steve.
On my next server your instructions above are how I will do things. I didn't know about the "certonly" option.
If you want the urls domain.com and www.domain.com to be equivalent, you would acquire the cert like this:
sudo certbot certonly --standalone -d domain.com,www.domain.com
I use the same cert for my mail server too -- for ssmtp, submission and imaps -- so I use
sudo certbot certonly --standalone -d domain.com,www.domain.com,mail.domain.com
When you install the certbot packages with apt, there's a systemd timer job for renewal that gets set up too, so you don't have to worry about setting up a cron job to do this.
-- sw