changing from "staging" to "normal" #99

Closed
klausph opened this issue Jul 30, 2018 · 3 comments
@klausph klausph commented Jul 30, 2018

Hi. mod_md solves more problems than it makes new ones ;-)
Here's my problem: yesterday I changed from "staging" to "normal".

Here's some info about the configuration:
MDCertificateAuthority https://acme-v01.api.letsencrypt.org/directory
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDStoreDir /etc/apache2/md
MDomain xxx.de...

But in /etc/apache2/md//domains/vufindnet.de/md.json
I find:
{
  "name": "xxx.de",
  "domains": [
    "xxx.de",
    "www.xxx.de"
  ],
  "contacts": [
    "mailto:xxx@t-online.de"
  ],
  "transitive": 1,
  "ca": {
    "account": "ACME-.letsencrypt.org-0002",
    "proto": "ACME",
    "url": "https://acme-v01.api.letsencrypt.org/directory",
    "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
  },
  "cert": {
    "url": "https://acme-staging.api.letsencrypt.org/acme/cert/faf373f8402698c99842ac285246e13d14d6",
    "expires": "Sun, 28 Oct 2018 06:02:49 GMT",
    "validFrom": "Mon, 30 Jul 2018 06:02:49 GMT"
  },
  "state": 2,
  "drive-mode": 1,
  "renew-window": "33%",
  "renew": false,
  "must-staple": false
}

Please, attention. Above we read:
"cert": {
"url": "https://acme-staging.api.letsencrypt.org/acme/cert/faf373f8402698c99842ac285246e13d14d6",
"staging" WHY?

Is it all normal?
I'm not in staging mode!
Thanks and yours, klaus

@icing icing commented Jul 31, 2018

The url in "cert" is where the certificate was retrieved from. If the cert is still valid, mod_md will not retrieve a new one from the "normal" endpoint right away.

If you remove the cert/pkey for the domain in the file system and reload the server, the new endpoint will be used.

It can be debated if a change in ACME url should trigger an immediate cert renew. There are pros and cons to it.

@klausph klausph commented Jul 31, 2018

thanks for the good advice!

not only for me, I repeat:

I have to remove (in Ubuntu)
/etc/apache2/md/domains/*/md.json
and then do a graceful restart of apache2

great it works!
thanks a lot!

@icing icing commented Jul 31, 2018

There are several ways to do this:

  1. Remove the complete directory for a domain underneath domains
  2. or just remove the certificates+keys: rm /etc/apache2/md/domains/*/*.pem
  3. or move it underneath /etc/apache2/md/archive/ :

and then graceful restart.

@icing icing closed this Oct 11, 2018
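
A read-only check for the situation discussed in this thread, added here as an example (not code from mod_md or from the participants): it compares the host in "ca"."url" with the host in "cert"."url" for each md.json and reports domains whose certificate was retrieved from a different ACME endpoint than the one now configured. It assumes the md.json layout quoted in the issue; the names check_md and scan_store and the sample record are constructed for illustration.

```python
import json
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample modelled on the md.json fields quoted in the issue.
SAMPLE_MD = {
    "name": "example.test",
    "ca": {"proto": "ACME",
           "url": "https://acme-v01.api.letsencrypt.org/directory"},
    "cert": {"url": "https://acme-staging.api.letsencrypt.org/acme/cert/PLACEHOLDER",
             "expires": "Sun, 28 Oct 2018 06:02:49 GMT"},
}


def check_md(md):
    """Compare the configured CA host with the host the cert was retrieved from."""
    ca_host = urlsplit(md.get("ca", {}).get("url", "")).hostname
    cert = md.get("cert") or {}
    cert_host = urlsplit(cert.get("url", "")).hostname
    if not cert_host:
        status = "no-cert"      # nothing issued yet, nothing to compare
    elif cert_host == ca_host:
        status = "ok"
    else:
        status = "mismatch"     # cert was issued before the CA url was changed
    return {"name": md.get("name"), "status": status, "ca_host": ca_host,
            "cert_host": cert_host, "expires": cert.get("expires")}


def scan_store(store_dir):
    """Check every <store_dir>/domains/*/md.json; unreadable files are reported."""
    results = []
    for path in sorted(Path(store_dir).glob("domains/*/md.json")):
        try:
            results.append(check_md(json.loads(path.read_text())))
        except (OSError, ValueError, AttributeError) as exc:
            results.append({"name": path.parent.name, "status": "unreadable",
                            "error": str(exc)})
    return results


if __name__ == "__main__":
    # Store directory as in the issue's MDStoreDir; pass another path as argv[1].
    store = sys.argv[1] if len(sys.argv) > 1 else "/etc/apache2/md"
    for r in scan_store(store):
        print(r["status"], r["name"], r.get("cert_host"), r.get("expires"))
```

A "mismatch" line for a production CA url means the server is still serving the certificate from the old endpoint until it is renewed or removed as described above.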