openssl
Some openssl commands
check public key
First, how to check whether a key, CSR and PEM file match.
The key is now an elliptic curve key, so the rsa command won't work.
Generic command for pub key
openssl pkey -pubout -in ../private/klopt.key
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPXguul5VF/IbohFuomdIg9DTi0zp
7USyCWVV/gVsFg9EJsmeek+N5QW88RU686ABgfyOHoQ9L9bUJqfy6VEuhQ==
-----END PUBLIC KEY-----
For the CSR it is similar:
CSR public key
openssl req -noout -pubkey -in klopt.csr
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPXguul5VF/IbohFuomdIg9DTi0zp
7USyCWVV/gVsFg9EJsmeek+N5QW88RU686ABgfyOHoQ9L9bUJqfy6VEuhQ==
-----END PUBLIC KEY-----
So these match!
Now the PEM key I found on servert1 did not match:
Certificate check
openssl x509 -noout -pubkey -in /etc/ssl/certs/WILDCARD_klopt_org.crt
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuWSQKKIFyfxrZPtJULuc
pjDCdQ09DwLiPhXccGzvhbrz+fGyf/fVVk5I1LuzTkAd9sRnqO8PvddF3dN0OZs+
xALflGT8qE1G2UuXzF+OUtGlTPttmP4G3j8lTM3VprOnXIXg5qz3u0iE+Kkl9mZh
uRWqihuxHo6yx6nPVDxZe6ry+qgiboD+ZJzQBBq9vHDd0hkxLsVLWTv+3cA8zxPE
kv3n5Rr5wMHa8JGKZHZKpgmKw9LYmKRHRWORRHSgM3nmquKwZwfwFJTtMXAuZxt0
gQYTMVunFjrK6FVmOen1qIshC9i0Ia4PBUCWYBqgSC9P5jWqrEO1/EDWnlroNhGi
swIDAQAB
-----END PUBLIC KEY-----
So this is what helped me find the correct one. In fact you can see what is wrong best by printing the expiration date as well:
Show dates
openssl x509 -noout -pubkey -in /etc/ssl/certs/WILDCARD_klopt_org.crt -dates
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuWSQKKIFyfxrZPtJULuc
pjDCdQ09DwLiPhXccGzvhbrz+fGyf/fVVk5I1LuzTkAd9sRnqO8PvddF3dN0OZs+
xALflGT8qE1G2UuXzF+OUtGlTPttmP4G3j8lTM3VprOnXIXg5qz3u0iE+Kkl9mZh
uRWqihuxHo6yx6nPVDxZe6ry+qgiboD+ZJzQBBq9vHDd0hkxLsVLWTv+3cA8zxPE
kv3n5Rr5wMHa8JGKZHZKpgmKw9LYmKRHRWORRHSgM3nmquKwZwfwFJTtMXAuZxt0
gQYTMVunFjrK6FVmOen1qIshC9i0Ia4PBUCWYBqgSC9P5jWqrEO1/EDWnlroNhGi
swIDAQAB
-----END PUBLIC KEY-----
notBefore=Feb 28 00:00:00 2022 GMT
notAfter=Mar 31 23:59:59 2023 GMT
So this is in fact the previous certificate. Something went wrong in unpacking or copying. Just do it all again.
redo copy
ls -lcrt ~/*.zip
-rw-r--r-- 1 kees kees 22265 Mar 30 2022 wildcard_klopt_org.zip
# so that seems to be an older one; after downloading again it changed to
-rw-r--r-- 1 kees kees 14990 May 18 10:35 wildcard_klopt_org.zip
# now unpack that and retry the check
unzip wildcard_klopt_org.zip
Archive: wildcard_klopt_org.zip
creating: Root Certificates/
creating: Linux/
creating: Windows/
inflating: Windows/WILDCARD_klopt_org.p7b
inflating: Linux/WILDCARD_klopt_org.ca-bundle
inflating: WILDCARD_klopt_org.crt
inflating: Root Certificates/Sectigo_ECC_Domain_Validation_Secure_Server_CA.crt
inflating: Root Certificates/USERTrust_ECC_Certification_Authority.crt
creating: Apache-Nginx/
inflating: Apache-Nginx/WILDCARD_klopt_org-fullchain.txt
creating: Plesk-cPanel-DirectAdmin/
inflating: Plesk-cPanel-DirectAdmin/WILDCARD_klopt_org-crt.txt
inflating: Plesk-cPanel-DirectAdmin/WILDCARD_klopt_org-cacrt.txt
check again
openssl x509 -noout -pubkey -in WILDCARD_klopt_org.crt -dates
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPXguul5VF/IbohFuomdIg9DTi0zp
7USyCWVV/gVsFg9EJsmeek+N5QW88RU686ABgfyOHoQ9L9bUJqfy6VEuhQ==
-----END PUBLIC KEY-----
notBefore=Mar 27 00:00:00 2023 GMT
notAfter=Apr 26 23:59:59 2024 GMT
That's the one we need!!
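The three checks above combined into one pre-install test, as an added example that is not part of the original notes. The file names (new.key, new.csr, new.crt, old.crt) and the CN demo.example are constructed for the demo, and the `-checkend` expiry test goes slightly beyond the `-dates` output shown above.

```shell
#!/bin/sh
# Added example: confirm key, CSR and certificate carry the same public key
# before installing them. File names below are constructed for the demo.

# pub_of KIND FILE: print the PEM public key, using the commands shown above.
pub_of() {
  case "$1" in
    key) openssl pkey -pubout -in "$2" ;;
    csr) openssl req -noout -pubkey -in "$2" ;;
    crt) openssl x509 -noout -pubkey -in "$2" ;;
    *)   return 2 ;;
  esac 2>/dev/null
}

# check_match KEY CSR CRT: 0 = all three match, 1 = mismatch, 2 = unreadable.
# Empty output counts as an error, so two unreadable files never "match".
check_match() {
  k=$(pub_of key "$1") && [ -n "$k" ] || return 2
  r=$(pub_of csr "$2") && [ -n "$r" ] || return 2
  c=$(pub_of crt "$3") && [ -n "$c" ] || return 2
  [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# still_valid CRT: 0 if notAfter is still in the future.
still_valid() { openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; }

# make_demo_files DIR: constructed test material, not the page's real files.
# new.* is an EC key with its CSR and certificate; old.crt is an unrelated
# RSA certificate standing in for the previous year's file.
make_demo_files() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$1/new.key" &&
  openssl req -new -key "$1/new.key" -subj "/CN=demo.example" -out "$1/new.csr" &&
  openssl req -x509 -new -key "$1/new.key" -subj "/CN=demo.example" \
    -days 30 -out "$1/new.crt" &&
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/old.key" \
    -subj "/CN=demo.example" -days 30 -out "$1/old.crt"
} 2>/dev/null

d=$(mktemp -d) && make_demo_files "$d" || exit 1
for crt in old.crt new.crt; do
  if check_match "$d/new.key" "$d/new.csr" "$d/$crt"; then
    echo "$crt: matches key and CSR"
  else
    echo "$crt: does NOT match key and CSR"
  fi
  still_valid "$d/$crt" || echo "$crt: expired"
  openssl x509 -noout -dates -in "$d/$crt"
done
rm -rf "$d"
```

Run `check_match` against the real key, CSR and certificate before the `sudo cp` steps; a non-zero status means the wrong file is about to be installed.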
Now these steps will get the apache server running again.
copy-paste instructions
sudo cp WILDCARD_klopt_org.crt /etc/ssl/certs
sudo cp Apache-Nginx/WILDCARD_klopt_org-fullchain.txt /etc/ssl/WILDCARD_klopt_org.ca-bundle
sudo cp klopt.key /etc/ssl/private
And add these lines to the ssl conf files