Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Quickly obtain multiple Letsencrypt certificates
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
alamahant
Advocate
Advocate


Joined: 23 Mar 2019
Posts: 3918

PostPosted: Fri Oct 15, 2021 12:00 pm    Post subject: Quickly obtain multiple Letsencrypt certificates Reply with quote

Hi Guys
Suppose you have many domains or dyndns(Dynu etc) domains.
You wish to obtain ssl certs for them.
A quick approach is
Code:

emerge -av apache certbot

NOTE: If you are using residential internet you have to port-forward the 80 port from your router to the ip of your lan host.
Also plz make sure that all your domains are dns-resolvable to your machine.
Edit
Code:

/etc/apache2/vhosts.d/00_default_vhost.conf   #### UPDATED: by mistake it was 00_default_ssl_vhost.conf  before ####

and after the ServerName directive add as many ServerAlias directives as the number of your domains.
Something like this
Code:

ServerName localhost
ServerAlias dom1.com
ServerAlias dom2.com
ServerAlias dom3.com
ServerAlias www.dom3.com


etc.
Make sure that (any) /var/www/localhost/htdocs/index.html is present.
Start apache
and run
Code:

certbot certonly --webroot -w /var/www/localhost/htdocs -d dom1.com -d dom2.com -d dom3.com -d www.dom3.com

etc
Let certbot do its magick and you will have an
/etc/letsencrypt
directory containing all your certs.
Then comment out the ServerAlias directives but keep them in place to be used when updating the certs.
Also remember to close the 80 port on your router.

Easy and quick.
_________________
:)
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3446

PostPosted: Fri Oct 15, 2021 9:35 pm    Post subject: Reply with quote

Since it's about generating certificates rather than using them with apache:
Letsencrypt's certbot has --standalone mode too. Doesn't require assistance from any webserver.

Also, it is even possible to run certbot side by side with apache if you change it's port with an undocumented option --http-01-port <custom port number>. The challenge will still arrive on port 80, but you can proxy that.
Why would you want to use proxy instead of apache webroot? Well, some people run apache behind a proxy for performance, some run multiple applications on a single machine, some want that cert for postfix+dovecot and could do without any http server at all, and some configure apache for their customers who tend to break things by moving documents' roots into "more convenient" paths.
Oh, and apache can act as a reverse proxy too. Just in case you wanted to setup a default vhost that will pass challenges to certbot and redirect everything else to https. This will still be more user-resistant solution than --webroot :)
Back to top
View user's profile Send private message
alamahant
Advocate
Advocate


Joined: 23 Mar 2019
Posts: 3918

PostPosted: Fri Oct 15, 2021 10:27 pm    Post subject: Reply with quote

szatox
Thanks so much for your input.
Yes I was thinking that after generating the certificates one would use them with ssl vhosts either in apache or nginx or as you very nicely mentioned in postfix/dovecot.
I didnt know about certbot "standalone mode"
I will look into it.
Quote:

Just in case you wanted to setup a default vhost that will pass challenges to certbot and redirect everything else to https.

You mean the vhost is defined as <VirtualHost *:80> and then it uses mod_rewrite to redirect to https?
But if you have multiple?

Thanks a lot.
_________________
:)
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3446

PostPosted: Sun Oct 17, 2021 1:54 pm    Post subject: Reply with quote

Quote:
You mean the vhost is defined as <VirtualHost *:80> and then it uses mod_rewrite to redirect to https?
But if you have multiple?
Regexp.
I do that with haproxy, I use it to terminate SSL on port 443 and split traffic on port 80. Everything with path .well-known/acme-challenge or whatever it is goes to standalone certbot, and everything else receives a redirect to https. There is no validation, I just substitute the protocol in the original request and hand it back a the new Location.

I'm sure you can do that with apache alone, using mod_rewrite, mod_proxy, and maybe some variables. It can act as a proxy, as a reverseproxy, and it does support regexps too. I'm just more familiar with haproxy than apache's mod_proxy and I already use it anyway, so there is no reason for me to do that inside apache's configuration - even though there is nothing wrong with this approach either.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum