Apache SSL certificate renewal

Server
6

As you see the ucr command is only available on appliance installations.

In order to update your current SSL certificate, all you have to do is find where it is currently installed, replace the files and restart apache.

I’m assuming you have a simple apache setup, without a reverse-proxy for SSL offloading.

On a Debian/Ubuntu setup you can run (as root) apachectl -S to dump the current apache configuration, it should look similar to this:

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server cloud.domain.tld (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  is a NameVirtualHost
         default server cloud.domain.tld (/etc/apache2/sites-enabled/default-ssl.conf:2)

Look for the virtual host configuration for your ownCloud server on port 443 (SSL). In my case this is /etc/apache2/sites-enabled/default-ssl.conf and run the following grep on it:

root@ubuntu:~# grep "^\s*SSLCertificate.*File" /etc/apache2/sites-enabled/default-ssl.conf
                SSLCertificateFile /etc/ssl/domain.tld/fullchain.pem
                SSLCertificateKeyFile /etc/ssl/domain.tld/privkey.pem

There might also be a third variable SSLCertificateChainFile, which, depending on your new certificate also might need to be updated.

It is also possible that you DON’T have to update your key file, depending on how you created the new CSR. If you don’t have a new key, make sure that the current private key matches the certificate.

Make a backup of these files, and then replace the contents of the files with new certificate, new chain and new key respectively.

  1. Backup: cp /etc/ssl/domain.tld/fullchain.pem{,.bak}; cp /etc/ssl/domain.tld/privkey.pem{,.bak} (and the same for the SSLCertificateChainFile if it exists)
  2. You should be able to just use your (CLI) favorite editor to edit the certificate (nano, vim)
  3. Delete the old content
  4. Paste the new content
  5. Save the file
  6. Repeat steps 2-5 for key and chain (if needed)

Afterwards you can apply your new configuration by restarting apache:

root@ubuntu:~# apachectl -t # make sure your config is correct
Syntax OK
root@ubuntu:~# systemctl restart apache2 # don't run this if your syntax is not ok

Let me know should you have any problems

1 Like