Gentoo Forums
[REV #4] Replace Let's Encrypt certbot by Apache 2.4 mod_md
geki
Advocate
Joined: 13 May 2004
Posts: 2387
Location: Germania

PostPosted: Sat Mar 06, 2021 11:35 pm    Post subject: [REV #4] Replace Let's Encrypt certbot by Apache 2.4 mod_md

Well, if you are, like me, not so happy about the load of Python packages coming with the certbot tool, and lately about the funky portage notice that idna v3 is available but held back because, yeah, it is a dependency of the outdated dev-python/requests package pulled in by certbot/acme-client, then you, like me, may want to move to the Apache 2.4 module md.

https://httpd.apache.org/docs/2.4/mod/mod_md.html

Requires Apache modules status, watchdog and md, obviously.

With that move I could ditch the http port, used for certbot's webroot, and let Let's Encrypt work via the https connection. No idea if certbot's webroot could work with https, maybe yeah, but I was too lazy. :o

Since I like to read example configurations, here is mine, obfuscated.
_________________

Update #1
Comment out virtual host configuration for
- SSLCertificateFile
- SSLCertificateKeyFile

Update #2
Example to restart apache gracefully twice a month via cron.

Update #3
Missing Apache define for ssl operation: CACHE.

Update #4
Comment out static certificate and key file once loaded.
- Current files already on system from former certbot updates.
- If you keep these configuration parameters, md will not update the certificate.
- MDCertificateFile
- MDCertificateKeyFile
- MDRenewMode
_________________

When you are done with the configuration, do a non-graceful restart to have the Apache defines and all properly loaded once.

/etc/conf.d/apache2 snippet:
APACHE2_OPTS="-D SSL -D SSL_DEFAULT_VHOST -D CACHE -D PROXY -D STATUS"

-D PROXY is for php-fpm to handle php pages. :o

/etc/apache2/vhosts.d/00_default_ssl_vhost.conf snippet:
Protocols acme-tls/1

<Location "/md-status">
        SetHandler md-status
        Require local
</Location>

MDContactEmail <your acme contact address>
MDCertificateAgreement accepted
# be safe and create directory yourself
MDStoreDir /etc/ssl/apache2/md

<MDomain vhost_a vhost_b ...>
        MDStapling on
        MDRequireHttps permanent

        # Initialize once with current certificates, if avail
        # uncomment these once, start apache server instance,
        # check md-status site, if loaded properly,
        # stop again and comment these again
        #MDCertificateFile /etc/ssl/apache2/vhost.cert
        #MDCertificateKeyFile /etc/ssl/apache2/vhost.key
        #MDRenewMode always
</MDomain>

# moved from /etc/apache2/vhosts.d/00_default_vhost.conf
# since '-D DEFAULT_VHOST' is removed from /etc/conf.d/apache2
<Directory /var/www/*/htdocs>
  AllowOverride AuthConfig
  Require all granted
</Directory>

#
# comment out virtual host configuration managed by md now
#

# before
SSLCertificateFile /etc/ssl/apache2/vhost.cert
SSLCertificateKeyFile /etc/ssl/apache2/vhost.key

# after
#SSLCertificateFile /etc/ssl/apache2/vhost.cert
#SSLCertificateKeyFile /etc/ssl/apache2/vhost.key

Example to restart apache gracefully twice a month via cron.

crontab -e:
# minute | hour | dayOfMonth | month | dayOfWeek
59 23 1,15 * * /usr/sbin/apache2ctl -k graceful

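Added example, not code from the post above: a small check script for the setup it describes. The post relies on md-status for the initial load and on a cron graceful restart to activate renewed certificates; this script checks from the outside what the server actually serves, how long that certificate is still valid, and whether a renewed certificate is waiting for that restart. It assumes the MDStoreDir from the post (/etc/ssl/apache2/md) and mod_md's on-disk layout of domains/<mdomain>/pubcert.pem for the active certificate and staging/<mdomain>/pubcert.pem for a renewed one (both assumptions), plus the openssl CLI and GNU date (for 'date -d'). The vhost names passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example, not from the forum post. Assumptions are marked inline.

# notAfter of the PEM certificate in $1 as seconds since the epoch (needs GNU date).
cert_not_after_epoch() {
    enddate=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -d "$enddate" +%s
}

# Whole days until the certificate in $1 expires (negative once it has expired).
cert_days_left() {
    now=$(date +%s)
    end=$(cert_not_after_epoch "$1")
    echo $(( (end - now) / 86400 ))
}

# Exit 0 if the certificate in $1 is still valid $2 days from now, 1 otherwise.
# openssl's -checkend does the date math itself, so GNU date is not needed here.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# SHA-256 fingerprint of the certificate in $1, colon-separated hex only.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Write the certificate the live server presents for SNI host $1 (port $2,
# default 443) to file $3. This is the only function that touches the network.
served_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Compare what Apache serves for $1 with what mod_md keeps in its store.
# Returns 0 when everything matches, 1 when something needs attention,
# 2 when the server could not be reached.
check_mdomain() {
    host=$1
    store=${MDSTORE:-/etc/ssl/apache2/md}        # assumption: MDStoreDir from the post
    stored=$store/domains/$host/pubcert.pem       # assumption: mod_md's active cert
    staged=$store/staging/$host/pubcert.pem       # assumption: renewed cert waiting for a reload
    rc=0
    live=$(mktemp)
    if ! served_cert "$host" 443 "$live"; then
        echo "$host: could not fetch served certificate"
        rm -f "$live"
        return 2
    fi
    echo "$host: served certificate expires in $(cert_days_left "$live") days"
    if ! cert_ok_for_days "$live" 14; then
        echo "$host: WARNING served certificate expires within 14 days"
        rc=1
    fi
    # A different fingerprint means the vhost still loads a static SSLCertificateFile
    # instead of the md-managed one (the post comments those directives out).
    if [ -r "$stored" ] && [ "$(cert_fingerprint "$stored")" != "$(cert_fingerprint "$live")" ]; then
        echo "$host: served certificate is not the one in $stored (static SSLCertificateFile still active?)"
        rc=1
    fi
    # A staged certificate is renewed but not yet active: that is what the graceful restart is for.
    if [ -r "$staged" ]; then
        echo "$host: renewed certificate staged, run 'apache2ctl -k graceful' to activate it"
        rc=1
    fi
    rm -f "$live"
    return $rc
}

# Usage: ./md-check.sh vhost_a vhost_b ...   (names are placeholders, as in the post)
for h in "$@"; do
    check_mdomain "$h"
done
```

Run it from the server itself, where the store is readable, and a non-zero exit tells you either that the cron restart is overdue or that a vhost never switched to the md-managed certificate. The expiry threshold of 14 days is chosen so it fires before the twice-a-month cron job would normally catch up.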