
tenraek 09-13-2019 07:54 PM

Colleague thought /etc/pki/~ was redundant due to Letsencrypt, so they deleted it *Facepalm*,
As the title says, colleague thought that /etc/pki was redundant since we use /etc/letsencrypt/~ so they rm -dr'd it.

So now (after removing his admin privileges) I'm trying to fix our SSLs.

I decided to go back to square one and removed the Letsencrypt directories with the hopes that if I reran Certbot that would fix it, but it came up with the error "SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty"

I tried recreating it manually as well as tried reinstalling OpenSSL, but that didn't work either.

Can anyone tell me what the file and permissions for the path need to be, please and thank you.

Here's the full output when I try to rerun Certbot:

sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.

AH00526: Syntax error on line 100 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apachectl configtest.\n\nAH00526: Syntax error on line 100 of /etc/httpd/conf.d/ssl.conf:\nSSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty\n",)

scasey 09-13-2019 08:51 PM

On my CentOS server, /etc/pki/* directories are 755 and files are 644.
Everything is owned by root.root

I take it you don't have a backup. Doesn't look like those files change very often.

vincix 09-17-2019 08:59 PM

If the whole directory has been deleted, then I'd simply try to copy it from a new Linux installation. It should work without any issues.
cp -a to preserve the permissions or rsync -a, something to that effect.

MensaWater 09-18-2019 10:21 AM

Ideally you should be doing regular backups and simply restore your most recent one of /etc/pki.

Failing that, you could do "yum reinstall" of the packages that create /etc/pki and its subdirectories.

On my CentOS7 running "rpm -qf /etc/pki /etc/pki/* /etc/pki/*/* |sort -u" outputs those packages as:

Note that any certificates (root, intermediate or your own domains) you had added after the initial install you'd have to re-add manually after re-install of the packages.
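The checks the thread describes (scasey's expected modes and ownership for the restored tree, MensaWater's rpm -qf listing of the owning packages, and recreating the localhost.crt that line 100 of ssl.conf expects) gathered into one shell script. This is an added example written for this page, not code posted by anyone in the thread. It assumes GNU coreutils stat; it treats files under a private/ directory as expected to be mode 600 rather than 644 (my assumption, since private keys should not be world-readable; scasey reported 644 for files generally); and the self-signed certificate it writes is only a placeholder so that apachectl configtest stops failing until certbot issues the real certificate.

```shell
#!/bin/sh
# Added example (not from any poster in this thread).
# Usage, as root on the affected server:
#   . ./pki-check.sh
#   check_pki_tree /etc/pki            # report modes/owners that deviate
#   owning_packages /etc/pki           # which RPMs own the paths (rpm hosts only)
#   make_localhost_cert /etc/pki       # placeholder localhost.key/localhost.crt

# check_pki_tree DIR [OWNER] [GROUP]
# Expected: directories 755, files 644, files under a private/ directory 600,
# everything owned by OWNER:GROUP (default root:root). Symlinks are skipped,
# since their own mode is meaningless. Prints one line per deviation and
# returns the number of deviations (0 = tree looks as scasey describes).
check_pki_tree() {
    dir=$1
    want_owner=${2:-root}
    want_group=${3:-root}
    bad=0
    oldifs=$IFS
    IFS='
'
    for path in $(find "$dir" -print); do
        [ -L "$path" ] && continue
        mode=$(stat -c %a "$path")
        owner=$(stat -c %U "$path")
        group=$(stat -c %G "$path")
        if [ -d "$path" ]; then
            want_mode=755
        else
            want_mode=644
            # assumption: key material under private/ must not be world-readable
            case $path in */private/*) want_mode=600 ;; esac
        fi
        if [ "$mode" != "$want_mode" ] || [ "$owner" != "$want_owner" ] \
            || [ "$group" != "$want_group" ]; then
            printf '%s: mode %s owner %s:%s (expected %s %s:%s)\n' \
                "$path" "$mode" "$owner" "$group" \
                "$want_mode" "$want_owner" "$want_group"
            bad=$((bad + 1))
        fi
    done
    IFS=$oldifs
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# owning_packages DIR
# Same idea as MensaWater's "rpm -qf /etc/pki /etc/pki/* /etc/pki/*/* | sort -u":
# lists the packages that own the paths, so "yum reinstall" can target them.
# Returns 1 when rpm is not available on this host.
owning_packages() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found on this host" >&2; return 1; }
    find "$1" -print | xargs rpm -qf 2>/dev/null | grep -v 'not owned' | sort -u
}

# make_localhost_cert BASE
# Writes a self-signed placeholder to BASE/tls/private/localhost.key (600) and
# BASE/tls/certs/localhost.crt (644), the paths the CentOS ssl.conf references.
# Only meant to let apachectl configtest pass; certbot replaces it in use.
make_localhost_cert() {
    base=$1
    mkdir -p "$base/tls/certs" "$base/tls/private" || return 1
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=localhost" \
          -keyout "$base/tls/private/localhost.key" \
          -out "$base/tls/certs/localhost.crt" >/dev/null 2>&1 ) || return 1
    chmod 600 "$base/tls/private/localhost.key"
    chmod 644 "$base/tls/certs/localhost.crt"
}
```

Run check_pki_tree first after restoring from a backup, cp -a from a fresh install, or a yum reinstall; a non-zero exit means at least one path still has the wrong mode or owner, and each offending path is printed so it can be fixed with chmod/chown rather than guessed at.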

vincix 09-18-2019 05:02 PM

I wanted to say that I suggested copying the directory from a new OS instead of reinstalling the package, because the connection to the repositories might not be secure anymore (which might lead to additional configurations etc.), but then it occurred to me that at least the base repositories use http, not https.
