geki Advocate
Joined: 13 May 2004 Posts: 2387 Location: Germania
Posted: Sat Mar 06, 2021 11:35 pm Post subject: [REV #4] Replace Let's Encrypt certbot by Apache 2.4 mod_md
Well, if you are, like me, not so happy about the load of Python packages coming with the certbot tool, and lately the funky portage notice about idna v3 being available but held back because, yeah, it is a dependency of the outdated dev-python/requests package pulled in by certbot/acme-client, then you, like me, may want to move to the Apache 2.4 module md.
https://httpd.apache.org/docs/2.4/mod/mod_md.html
Requires Apache modules status, watchdog and md, obviously.
With that move I could ditch the http port, used for certbot's webroot, and let Let's Encrypt work via the https connection. No idea if certbot's webroot could work with https, maybe yeah, but I was too lazy.
Since I like to read example configurations, here is mine, obfuscated.
_________________
Update #1
Comment out virtual host configuration for
- SSLCertificateFile
- SSLCertificateKeyFile
Update #2
Example to restart apache gracefully twice a month via cron.
Update #3
Missing Apache define for ssl operation: CACHE.
Update #4
Comment out static certificate and key file once loaded.
- Current files already on system from former certbot updates.
- If you keep these configuration parameters, md will not update the certificate.
- MDCertificateFile
- MDCertificateKeyFile
- MDRenewMode
_________________
When you are done with the configuration, do a non-graceful restart to have the Apache defines and all properly loaded once.
/etc/conf.d/apache2 snippet:

APACHE2_OPTS="-D SSL -D SSL_DEFAULT_VHOST -D CACHE -D PROXY -D STATUS"
-D PROXY is for php-fpm to handle php pages.
/etc/apache2/vhosts.d/00_default_ssl_vhost.conf snippet:

Protocols acme-tls/1
<Location "/md-status">
    SetHandler md-status
    Require local
</Location>
MDContactEmail <your acme contact address>
MDCertificateAgreement accepted
# be safe and create the directory yourself
MDStoreDir /etc/ssl/apache2/md
<MDomain vhost_a vhost_b ...>
    MDStapling on
    MDRequireHttps permanent
    # Initialize once with the current certificates, if available:
    # uncomment these once, start the apache server instance,
    # check on the md-status site whether they loaded properly,
    # stop again and comment these out again
    #MDCertificateFile /etc/ssl/apache2/vhost.cert
    #MDCertificateKeyFile /etc/ssl/apache2/vhost.key
    #MDRenewMode always
</MDomain>
# moved from /etc/apache2/vhosts.d/00_default_vhost.conf
# since '-D DEFAULT_VHOST' is removed from /etc/conf.d/apache2
<Directory /var/www/*/htdocs>
    AllowOverride AuthConfig
    Require all granted
</Directory>
#
# comment out the virtual host configuration managed by md now
#
# before
SSLCertificateFile /etc/ssl/apache2/vhost.cert
SSLCertificateKeyFile /etc/ssl/apache2/vhost.key
# after
#SSLCertificateFile /etc/ssl/apache2/vhost.cert
#SSLCertificateKeyFile /etc/ssl/apache2/vhost.key
Example to restart apache gracefully twice a month via cron.
crontab -e:

# minute | hour | dayOfMonth | month | dayOfWeek
59 23 1,15 * * /usr/sbin/apache2ctl -k graceful
_________________ hear hear
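The two pitfalls the post's updates describe (static SSLCertificateFile/SSLCertificateKeyFile left active in the vhost, and the one-time MDCertificateFile/MDCertificateKeyFile/MDRenewMode directives left active inside <MDomain>, either of which leaves md holding a certificate it will not renew) are easy to catch before the restart with a small lint pass over the config fragment. The script below is an added example, not code from the post or from the Apache project; it assumes, as in the post, that every vhost in the fragment is md-managed and that Let's Encrypt is reached over https only, so it also reports a missing `acme-tls/1` in the `Protocols` line, which mod_md needs for the tls-alpn-01 challenge. The sample fragments are constructed from the post's own snippet.

```python
"""Lint an Apache config fragment for mod_md migration leftovers.

Added example for the post above, not Apache's or the poster's code.
Assumes every vhost in the fragment is managed by md (as in the post).
"""
import re

# Initial-load-only directives: left active inside <MDomain> after the
# first successful load, md keeps the static certificate and does not renew.
STATIC_MD_DIRECTIVES = {"MDCertificateFile", "MDCertificateKeyFile", "MDRenewMode"}
# Vhost directives that must be commented out once md manages the domain.
STATIC_SSL_DIRECTIVES = {"SSLCertificateFile", "SSLCertificateKeyFile"}


def lint_md_config(text):
    """Return a list of (line_number, message); line 0 marks a whole-file finding."""
    findings = []
    in_mdomain = False
    saw_mdomain = False
    protocols_ok = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out: inert, exactly what the post wants
        if re.match(r"<MDomain\b", line, re.IGNORECASE):
            in_mdomain = saw_mdomain = True
            continue
        if re.match(r"</MDomain>", line, re.IGNORECASE):
            in_mdomain = False
            continue
        parts = line.split(None, 1)
        directive = parts[0]
        args = parts[1].split() if len(parts) > 1 else []
        if directive.lower() == "protocols" and "acme-tls/1" in args:
            protocols_ok = True  # tls-alpn-01 challenge can be answered over https
        elif in_mdomain and directive in STATIC_MD_DIRECTIVES:
            findings.append((lineno, f"{directive} still active inside <MDomain>; "
                                     "comment it out after the one-time load or md will not renew"))
        elif directive in STATIC_SSL_DIRECTIVES:
            findings.append((lineno, f"{directive} still active in the vhost; "
                                     "comment it out, the certificate is managed by md now"))
    if saw_mdomain and not protocols_ok:
        findings.append((0, "no 'Protocols ... acme-tls/1' line: https-only ACME "
                            "(tls-alpn-01) cannot work without it"))
    return findings


# Constructed sample: the state before the post's Update #1 and #4 were applied.
BEFORE_FRAGMENT = """\
Protocols acme-tls/1
<MDomain vhost_a vhost_b>
    MDStapling on
    MDRequireHttps permanent
    MDCertificateFile /etc/ssl/apache2/vhost.cert
    MDCertificateKeyFile /etc/ssl/apache2/vhost.key
    MDRenewMode always
</MDomain>
SSLCertificateFile /etc/ssl/apache2/vhost.cert
SSLCertificateKeyFile /etc/ssl/apache2/vhost.key
"""

# Constructed sample: the same fragment with the leftovers commented out.
AFTER_FRAGMENT = """\
Protocols acme-tls/1
<MDomain vhost_a vhost_b>
    MDStapling on
    MDRequireHttps permanent
    #MDCertificateFile /etc/ssl/apache2/vhost.cert
    #MDCertificateKeyFile /etc/ssl/apache2/vhost.key
    #MDRenewMode always
</MDomain>
#SSLCertificateFile /etc/ssl/apache2/vhost.cert
#SSLCertificateKeyFile /etc/ssl/apache2/vhost.key
"""

if __name__ == "__main__":
    for name, fragment in (("before", BEFORE_FRAGMENT), ("after", AFTER_FRAGMENT)):
        print(f"== {name} ==")
        for lineno, message in lint_md_config(fragment) or [(0, "clean")]:
            print(f"line {lineno}: {message}")
```

Run it against your own 00_default_ssl_vhost.conf (read the file into `lint_md_config`) right before the non-graceful restart the post asks for; a clean result means md, not a stale static file, is what will answer on the vhost.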