In article CABr8-B4dhv7CMrWVoj2UYAi1MOZkpR8FFUfHqLwH4ZTtAXxBoA@mail.gmail.com, Jerry Geis jerry.geis@gmail.com wrote:
Hi Tony,
Thanks for the suggestion, https://github.com/srvrco/getssl; I was not aware of that. I got so close... It says it loaded the certificate and the files are there. I edited /etc/httpd/conf.d/ssl.conf and set the two paths to the right files, restarted httpd, and all seemed good, but when I go to my site it did not work. So I re-ran with the -f option and I get:
Registering account
Verify each domain
Verifying rsd.layeredsolutionsinc.com
rsd.layeredsolutionsinc.com is already validated
Verification completed, obtaining certificate.
Requesting Finalize Link
Requesting Order Link
Requesting certificate
Full certificate saved in /root/.getssl/XX/fullchain.crt
Certificate saved in /root/.getssl/XX/rsd.layeredsolutionsinc.com.crt
/root/.getssl/XX/XX.crt didn't match server
getssl: XX - rsa certificate obtained but certificate on server is different from the new certificate
So close... Any thoughts on that are appreciated. I did some searching and those issues don't seem to relate to my case.
Hi Jerry, you need to explore the configuration files. They are in .getssl/getssl.cfg and .getssl/<domain>/getssl.cfg
First, in .getssl/<domain>/getssl.cfg you need to tell it where to copy the certificate and key for the web server. They should match what you have in /etc/httpd/conf.d/ssl.conf. Here are my entries as an example:
----
# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
DOMAIN_CERT_LOCATION="/etc/pki/tls/certs/your.domain.name.crt" # this is domain cert
DOMAIN_KEY_LOCATION="/etc/pki/tls/private/your.domain.name.key" # this is domain key
CA_CERT_LOCATION="/etc/pki/tls/certs/chain.crt" # this is CA cert
----
Then secondly, in the global config .getssl/getssl.cfg you need to tell it how to restart the web server to pick up the new certs, which it will do before testing whether the new certificate is served correctly:
----
# The command needed to reload apache / nginx or whatever you use
RELOAD_CMD="/usr/sbin/apachectl graceful"
----
I think these are the only changes I made from the defaults.
Cheers,
Tony
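The "certificate on server is different from the new certificate" message above comes from getssl comparing what it just obtained against what the web server actually presents, so the two places that can go wrong are the copy to DOMAIN_CERT_LOCATION and the RELOAD_CMD. The following script is an added diagnostic, not part of this thread and not getssl's own code: it takes the SHA-256 fingerprint of the obtained certificate, of the installed copy, and of the certificate the server serves, and reports which step is out of sync. It assumes the default getssl layout from the output above (/root/.getssl/<domain>/<domain>.crt), the /etc/pki/tls/certs/<domain>.crt location from the example config, and that openssl is on the path; the domain name used in the comment is a placeholder.

```shell
#!/bin/sh
# check_cert.sh - find out whether the certificate getssl obtained is the one
# the web server actually presents. Exit codes from diagnose():
#   0 = obtained, installed and served certificates all match
#   1 = installed copy differs from the obtained cert (DOMAIN_CERT_LOCATION / copy problem)
#   2 = installed copy is current but the server still serves another (RELOAD_CMD problem)
# Usage: sh check_cert.sh your.domain.name [GETSSL_DOMAIN_DIR] [INSTALLED_CERT]

fingerprint_file() {
    # SHA-256 fingerprint of the first certificate in a PEM file (empty on error)
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

fingerprint_served() {
    # SHA-256 fingerprint of the leaf certificate presented for host:port,
    # with SNI set to the host so name-based virtual hosts answer correctly
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

diagnose() {
    # Pure comparison of three fingerprint strings: obtained, installed, served
    obtained=$1
    installed=$2
    served=$3
    if [ "$obtained" = "$installed" ] && [ "$installed" = "$served" ]; then
        echo "OK: server serves the newly obtained certificate"
        return 0
    elif [ "$obtained" != "$installed" ]; then
        echo "MISMATCH at install step: installed file does not hold the obtained certificate"
        echo "  check DOMAIN_CERT_LOCATION in .getssl/<domain>/getssl.cfg and file permissions"
        return 1
    else
        echo "MISMATCH at reload step: installed file is current but the server serves another"
        echo "  check RELOAD_CMD in .getssl/getssl.cfg and the SSLCertificateFile path in ssl.conf"
        return 2
    fi
}

main() {
    domain=$1
    getssl_dir=${2:-/root/.getssl/$domain}            # assumed default getssl layout
    installed=${3:-/etc/pki/tls/certs/$domain.crt}   # assumed DOMAIN_CERT_LOCATION

    obtained_fp=$(fingerprint_file "$getssl_dir/$domain.crt")
    installed_fp=$(fingerprint_file "$installed")
    served_fp=$(fingerprint_served "$domain" 443)

    echo "obtained : ${obtained_fp:-<unreadable>}"
    echo "installed: ${installed_fp:-<unreadable>}"
    echo "served   : ${served_fp:-<no TLS answer>}"
    diagnose "$obtained_fp" "$installed_fp" "$served_fp"
}

# Only run when invoked with a domain argument, so the functions can be sourced
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Running it immediately after `getssl -f your.domain.name` tells you whether to look at the copy step or the reload step; an "installed" fingerprint that matches "obtained" while "served" differs almost always means httpd was not reloaded or ssl.conf points at a different file than DOMAIN_CERT_LOCATION.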