Letsencrypt Changing from staging to live cert

Discussion in 'Domains, DNS, Email & SSL Certificates' started by duderuud, Apr 21, 2021.

  1. duderuud

    duderuud New Member

    I recently changed the webserver host and had trouble getting a live LE certificate working with Cloudflare.

    I now got it working with a staging certificate (afaik) and the CF setting to Full (instead of Full strict).

    I'm struggling to change the staging cert to a live cert so I can change the CF setting back to Full strict.

    I tried to use acmetool.sh acme-menu to issue a Live HTTPS Default certificate but that returns a "domain not changed/skipped" error so it seems the staging certificate is in the way of a live certificate.

    Do I somehow need to force a reissue of a live certificate?

     
  2. eva2000

    eva2000 Administrator Staff Member

    How did you issue the staging Letsencrypt SSL cert? Exact steps and/or commands used? If it was a manual acme.sh run, you can try with the --force flag.
     
  3. duderuud

    duderuud New Member

    No, I used the add new vhost option in the main menu.
    (Deleted the vhost after issuing a live cert failed and started again).
     
  4. eva2000

    eva2000 Administrator Staff Member

    In that case, try acmetool.sh add reissue-only option for existing nginx HTTPS SSL vhosts with domain.com.ssl.conf vhost config files that exist. This only does a reissue of the letsencrypt SSL cert without touching the nginx vhost. Ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to self-signed SSL as a placeholder for the domain.com.ssl.conf vhost config. Though I haven't tested it for staging Letsencrypt, only self-signed SSL, I think it would work the same.

    When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    

    It will only try reissuing the letsencrypt SSL certificate for the domain = domain.com as a live production SSL certificate, without touching the existing nginx vhost at domain.com.ssl.conf
     
  5. duderuud

    duderuud New Member

    The reissue worked like a charm. I just had to restart Nginx to get rid of the CF certificate error.

    Thanks!
     
  6. eva2000

    eva2000 Administrator Staff Member

    Great to hear :D
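
A way to confirm which kind of certificate the origin is serving before switching Cloudflare back to Full (strict), as an added example that is not part of the thread or of Centmin Mod. The function names are hypothetical; it assumes Let's Encrypt staging issuers carry "(STAGING)" (or the older "Fake LE") in their name, and that you pass the origin server's own IP, since connecting to the domain name would reach Cloudflare's edge certificate instead.

```bash
#!/bin/sh
# Added example: tell a staging, self-signed or live Let's Encrypt
# certificate apart by its issuer. Function names are hypothetical.

# classify_issuer ISSUER SUBJECT
# Prints: staging | self-signed | letsencrypt-live | other
classify_issuer() {
  local issuer subject
  issuer="$1"
  subject="$2"
  case "$issuer" in
    # Assumption: staging CAs are named "(STAGING) ..." or "Fake LE ..."
    *"(STAGING)"*|*"Fake LE "*) echo staging; return 0 ;;
  esac
  # A self-signed placeholder certificate names itself as its issuer.
  if [ "$issuer" = "$subject" ]; then
    echo self-signed
    return 0
  fi
  case "$issuer" in
    *"Let's Encrypt"*) echo letsencrypt-live ;;
    *) echo other ;;
  esac
}

# cert_kind: reads one PEM certificate on stdin and classifies it.
cert_kind() {
  local out issuer subject
  out=$(openssl x509 -noout -issuer -subject) || return 1
  issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer= *//p')
  subject=$(printf '%s\n' "$out" | sed -n 's/^subject= *//p')
  classify_issuer "$issuer" "$subject"
}

# origin_cert_kind ORIGIN_IP DOMAIN
# Connects straight to the origin (bypassing the Cloudflare proxy) and
# sends DOMAIN as SNI so nginx answers with that vhost's certificate.
origin_cert_kind() {
  openssl s_client -connect "$1:443" -servername "$2" \
    </dev/null 2>/dev/null | cert_kind
}

# Example call (203.0.113.10 is a placeholder origin IP):
#   origin_cert_kind 203.0.113.10 domain.com
```

Only a `letsencrypt-live` result (or another publicly trusted or Cloudflare Origin CA certificate) will pass Full (strict); `staging` and `self-signed` origins only work with Full. Reload or restart nginx after a reissue before re-checking, since the running process keeps serving the old certificate until then.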