[CentOS] letsencrypt error

Sat Feb 6 10:17:26 UTC 2021
Tony Mountifield <tony at softins.co.uk>

In article <CABr8-B4dhv7CMrWVoj2UYAi1MOZkpR8FFUfHqLwH4ZTtAXxBoA at mail.gmail.com>,
Jerry Geis <jerry.geis at gmail.com> wrote:
> Hi Tony,
> Thanks for the suggestion https://github.com/srvrco/getssl was not aware of
> that.
> I got so close... It says it loaded the certificate, the files are there - I
> edited /etc/httpd/conf.d/ssl.conf and set the two paths to the right file.
> restarted httpd - all seemed good - but when I go to my site it did not work.
> So I re-ran with -f option and I get:
> Registering account
> Verify each domain
> Verifying rsd.layeredsolutionsinc.com
> rsd.layeredsolutionsinc.com is already validated
> Verification completed, obtaining certificate.
> Requesting Finalize Link
> Requesting Order Link
> Requesting certificate
> Full certificate saved in /root/.getssl/XX/fullchain.crt
> Certificate saved in /root/.getssl/XX/rsd.layeredsolutionsinc.com.crt
> /root/.getssl/XX/XX.crt didn't match server
> getssl: XX - rsa certificate obtained but certificate on server is
> different from the new certificate
> So close...
> Any thoughts on that are appreciated.   I did searching and those issues
> don't seem to relate to my case.

Hi Jerry, you need to explore the configuration files. They are in .getssl/getssl.cfg
and .getssl/<domain>/getssl.cfg

First, in .getssl/<domain>/getssl.cfg you need to tell it where to copy the certificate
and key for the web server. They should match what you have in /etc/httpd/conf.d/ssl.conf
Here are my entries as an example:

# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
DOMAIN_CERT_LOCATION="/etc/pki/tls/certs/your.domain.name.crt" # this is domain cert
DOMAIN_KEY_LOCATION="/etc/pki/tls/private/your.domain.name.key" # this is domain key
CA_CERT_LOCATION="/etc/pki/tls/certs/chain.crt" # this is CA cert

Then secondly, in the global config .getssl/getssl.cfg you need to tell it how to
restart the web server to pick up the new certs, which it will do before testing
whether the new certificate is served correctly:

# The command needed to reload apache / nginx or whatever you use
RELOAD_CMD="/usr/sbin/apachectl graceful"

I think these are the only changes I made from the defaults.


Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org
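
Added example, not part of this thread and not getssl's own code: a small POSIX shell script that checks the three places the certificate has to agree for getssl's final test to pass, namely the certificate file getssl wrote, the file Apache is told to load by SSLCertificateFile in /etc/httpd/conf.d/ssl.conf (which DOMAIN_CERT_LOCATION should point at), and the certificate the running httpd actually serves after RELOAD_CMD. It compares SHA-256 fingerprints with openssl. The getssl directory, host name and config path in main are assumptions to adjust; the live-server check needs network access to port 443.

```shell
#!/bin/sh
# Added example (not from the CentOS thread or from getssl).
# Verify that getssl's certificate, Apache's configured certificate and the
# certificate the live server presents are one and the same.
set -u

# SHA-256 fingerprint (hex, colon separated) of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Path named by the first uncommented SSLCertificateFile directive in an Apache
# config file, with surrounding quotes removed. Commented-out lines are skipped
# because the pattern is anchored at the start of the line.
configured_cert_path() {
    sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" \
        | head -n 1 | tr -d '"'
}

# Fingerprint of the leaf certificate a live server presents for a host name.
# Sends SNI so a name-based virtual host returns the right certificate.
# Needs network access; not exercised offline.
served_fingerprint() {
    host=$1
    printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Compare a local certificate file against a fingerprint obtained elsewhere.
# Returns 0 on match, 1 on mismatch, and reports either way.
compare_certs() {
    local_fp=$(cert_fingerprint "$1")
    other_fp=$2
    if [ "$local_fp" = "$other_fp" ]; then
        echo "match: $local_fp"
        return 0
    else
        echo "MISMATCH: local $local_fp vs other $other_fp" >&2
        return 1
    fi
}

main() {
    # Assumed locations; getssl keeps per-domain files under ~/.getssl/<domain>/.
    domain="your.domain.name"
    getssl_cert="/root/.getssl/$domain/$domain.crt"
    apache_conf="/etc/httpd/conf.d/ssl.conf"

    apache_cert=$(configured_cert_path "$apache_conf")
    echo "Apache loads: $apache_cert"

    # 1. Did getssl copy the new cert to the file Apache reads?
    compare_certs "$getssl_cert" "$(cert_fingerprint "$apache_cert")" \
        || echo "Set DOMAIN_CERT_LOCATION=\"$apache_cert\" in ~/.getssl/$domain/getssl.cfg" >&2

    # 2. Is the running httpd serving the new cert, i.e. did RELOAD_CMD take effect?
    compare_certs "$getssl_cert" "$(served_fingerprint "$domain")" \
        || echo "httpd still serves a different cert; check RELOAD_CMD and reload httpd" >&2
}

# Only run the live checks when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh check-cert.sh --run` after getssl reports the mismatch: the first comparison tells you whether DOMAIN_CERT_LOCATION points at the file in ssl.conf, the second whether httpd has actually been reloaded with the new file.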