Replace ssl certificate

abletec

For a long while now, I've had songatmidnight.org. I recently decided (because of some difficulties w/Gmail marking messages as spam when they weren't) to acquire songatmidnight.com & make songatmidnight.org a pointer to it. But I had secured the .com version prior to making that decision. Now any attempts I make to install a replacement cert that includes the .org domain fail, because, of course, there's already a cert in place. cPanel had a feature where I could just uninstall, but DA doesn't seem to have such. Workarounds?

I've tried changing the renewal time as suggested in the article about troubleshooting ssl errors, but it didn't seem to help. I also tried using letsencrypt.sh to revoke the cert, that didn't help either. This is really irritating, & a simple feature to uninstall a script could really cut down on the irritation, cuz I'm sure I'm not the only one who has need of it.

I've been rather hesitant to just wholesale delete the cert files.

Any assistance appreciated.
 
to acquire songatmidnight.com & make songatmidnight.org a pointer to it.
That won't help you for a bit with the issue you are experiencing. If Gmail marks messages as spam then it is only from that domain (or the complete server) and not from some other domain, even if it's the same name with different .tld.

So don't know as to why the SSL is giving troubles, maybe it's related somehow.
As for the SSL problem, what you could do as a workaround, is to just add songatmidnight.com as a domain name and request a certificate for it. Once that is done and certificate is valid, then add it as a pointer.
There might be a better way, as far as I know, the DA system will request certificates automatically.

Anyway, as said, this will not solve your problem with Gmail, because that is not "otherdomain" related.
What does give issues with Gmail is if no proper rDNS/PTR record is set for your hostname.
And at this moment, your IP is not pointing to your hostname, so fix that first and most likely your Gmail issues will disappear already.

As for the SSL for pointers, maybe somebody else can help with that.
 
Richard, I already have a cert for songatmidnight.com. It just didn't have the pointer because I decided to do all that later. In other words, I solved the gmail problem by taking songatmidnight.org out of the equation. songatmidnight.com works beautifully. But when I go to songatmidnight.org, it gives a cert error, obviously.

My DNS records are in place, including PTR records. I think the spam marking arose from the fact that I had a bunch of bogus sign ups to the site. Thus, confirmatory emails were being sent to nonexistent email addresses. That situation has now been remedied & then some. I've got that site locked up tighter than a frog's tusch, & that's watertight lol.

The problem is that I can't replace the old cert that didn't have the domain pointer w/a new cert that does.

I appreciate the help. Why is it so bleepin hard to remove a cert in DA?

 
My DNS records are in place, including PTR records.
Sorry to say but they are not.
Code:
[root@server: ~]# nslookup 209.141.41.22
22.41.141.209.in-addr.arpa      name = 41.141.209.in-addr.arpa.

Authoritative answers can be found from:
Unless it's still synching, but I doubt that because the .org domain had the same issue.

As for the other spam reason, yes that can indeed be also a cause. We never send confirmation messages because in the past we had a couple of times spammers abusing the system that way.

The problem is that I can't replace the old cert that didn't have the domain pointer w/a new cert that does.
That one I don't quite understand. I thought newer certificates always overwrite older or are added and used. I also had some non wildcard and wildcard certificates, but always the one created the latest was used. I never had to create an ssl certificate for a pointer, but then also, a pointer is a pointer, I never use that to send mail, it just points to another domain and gets ssl automatically.

I appreciate the help. Why is it so bleepin hard to remove a cert in DA?
Good question. I wouldn't know, maybe because normally this isn't needed or very seldom. One can change the setting to disable ssl or change the certificate to another option so LE does not work either anymore. But most likely will not remove the certificate. Never tested that myself to be true. Only used the revoke options via SSH once. Created a new cert and ready.
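The rDNS/PTR point raised in the replies above can be tested as forward-confirmed reverse DNS: the IP's PTR must name a real host, and that host must resolve back to the same IP. The following is an added example, not code from the thread or from DirectAdmin; the address 203.0.113.22 and the hostnames under example.com are constructed sample data, and `check_fcrdns` and `run_sample` are hypothetical helper names.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip via the system resolver (empty list if none)."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def system_forward(name):
    """A/AAAA addresses for name via the system resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def check_fcrdns(ip, mail_hostname, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (status, names) for forward-confirmed reverse DNS of ip."""
    target = ipaddress.ip_address(ip)
    ptrs = [p.rstrip(".").lower() for p in ptr_lookup(ip)]
    if not ptrs:
        return "no-ptr", []
    # A PTR that points back into the reverse zone names no host at all.
    hosts = [p for p in ptrs if not p.endswith((".in-addr.arpa", ".ip6.arpa"))]
    if not hosts:
        return "ptr-not-a-hostname", ptrs
    confirmed = [h for h in hosts
                 if any(ipaddress.ip_address(a) == target for a in forward_lookup(h))]
    if not confirmed:
        return "forward-mismatch", hosts
    if mail_hostname.rstrip(".").lower() not in confirmed:
        return "hostname-mismatch", confirmed
    return "ok", confirmed

# Constructed sample data (documentation addresses, hypothetical hostnames).
SAMPLE_IP = "203.0.113.22"
BROKEN_PTR = {SAMPLE_IP: ["113.0.203.in-addr.arpa."]}  # same shape as the nslookup output quoted above
FIXED_PTR = {SAMPLE_IP: ["mail.example.com."]}
FORWARD = {"mail.example.com": ["203.0.113.22"], "other.example.com": ["203.0.113.99"]}

def run_sample(ptr_table, hostname="mail.example.com"):
    """Run the check offline against the constructed tables."""
    return check_fcrdns(SAMPLE_IP, hostname,
                        lambda ip: ptr_table.get(ip, []),
                        lambda name: FORWARD.get(name, []))

if __name__ == "__main__":
    print(run_sample(BROKEN_PTR))
    print(run_sample(FIXED_PTR))
```

Calling `check_fcrdns(ip, hostname)` without the last two arguments uses the system resolver instead of the sample tables.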
 