View previous topic :: View next topic |
Author |
Message |
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3924
|
Posted: Fri Oct 15, 2021 12:00 pm Post subject: Quickly obtain multiple Letsencrypt certificates |
|
|
Hi Guys
Suppose you have many domains or dyndns(Dynu etc) domains.
You wish to obtain ssl certs for them.
A quick approach is
Code: |
emerge -av apache certbot
|
NOTE: If you are using residential internet you have to port-forward the 80 port from your router to the ip of your lan host.
Also plz make sure that all your domains are dns-resolvable to your machine.
Edit
Code: |
/etc/apache2/vhosts.d/00_default_vhost.conf #### UPDATED: by mistake it was 00_default_ssl_vhost.conf before ####
|
and after the ServerName directive add as many ServerAlias directives as the number of your domains.
Something like this
Code: |
ServerName localhost
ServerAlias dom1.com
ServerAlias dom2.com
ServerAlias dom3.com
ServerAlias www.dom3.com
|
etc.
Make sure that (any) /var/www/localhost/htdocs/index.html is present.
Start apache
and run
Code: |
certbot certonly --webroot -w /var/www/localhost/htdocs -d dom1.com -d dom2.com -d dom3.com -d www.dom3.com
|
etc
Let certbot do its magick and you will have an
/etc/letsencrypt
directory containing all your certs.
Then comment out the ServerAlias directives but keep them in place to be used when updating the certs.
Also remember to close the 80 port on your router.
Easy and quick. _________________
|
|
Back to top |
|
|
szatox Advocate
Joined: 27 Aug 2013 Posts: 3477
|
Posted: Fri Oct 15, 2021 9:35 pm Post subject: |
|
|
Since it's about generating certificates rather than using them with apache:
Letsencrypt's certbot has --standalone mode too. Doesn't require assistance from any webserver.
Also, it is even possible to run certbot side by side with apache if you change it's port with an undocumented option --http-01-port <custom port number>. The challenge will still arrive on port 80, but you can proxy that.
Why would you want to use proxy instead of apache webroot? Well, some people run apache behind a proxy for performance, some run multiple applications on a single machine, some want that cert for postfix+dovecot and could do without any http server at all, and some configure apache for their customers who tend to break things by moving documents' roots into "more convenient" paths.
Oh, and apache can act as a reverse proxy too. Just in case you wanted to setup a default vhost that will pass challenges to certbot and redirect everything else to https. This will still be more user-resistant solution than --webroot |
|
Back to top |
|
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3924
|
Posted: Fri Oct 15, 2021 10:27 pm Post subject: |
|
|
szatox
Thanks so much for your input.
Yes I was thinking that after generating the certificates one would use them with ssl vhosts either in apache or nginx or as you very nicely mentioned in postfix/dovecot.
I didnt know about certbot "standalone mode"
I will look into it.
Quote: |
Just in case you wanted to setup a default vhost that will pass challenges to certbot and redirect everything else to https.
|
You mean the vhost is defined as <VirtualHost *:80> and then it uses mod_rewrite to redirect to https?
But if you have multiple?
Thanks a lot. _________________
|
|
Back to top |
|
|
szatox Advocate
Joined: 27 Aug 2013 Posts: 3477
|
Posted: Sun Oct 17, 2021 1:54 pm Post subject: |
|
|
Quote: | You mean the vhost is defined as <VirtualHost *:80> and then it uses mod_rewrite to redirect to https?
But if you have multiple? | Regexp.
I do that with haproxy, I use it to terminate SSL on port 443 and split traffic on port 80. Everything with path .well-known/acme-challenge or whatever it is goes to standalone certbot, and everything else receives a redirect to https. There is no validation, I just substitute the protocol in the original request and hand it back a the new Location.
I'm sure you can do that with apache alone, using mod_rewrite, mod_proxy, and maybe some variables. It can act as a proxy, as a reverseproxy, and it does support regexps too. I'm just more familiar with haproxy than apache's mod_proxy and I already use it anyway, so there is no reason for me to do that inside apache's configuration - even though there is nothing wrong with this approach either. |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|