Let's Encrypt for Apache :: mod_md-1.0.3 for 2.4.29

 
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2580
Location: Hilversum, NL, EU

Posted: Fri 13 Oct '17 11:01    Post subject: Let's Encrypt for Apache :: mod_md-1.0.3 for 2.4.29

Let's Encrypt site: https://letsencrypt.org/

For 2.4.29 VC15 Windows

16 November : update mod_md to 1.0.3 for new MDCertificateAgreement, see post below
4 November : Update mod_ssl patch for OpenSSL 1.1.0g
23 October : Update mod_md to 1.0.1 and curl to 7.56.1
21 October : Now for 2.4.29


Download: www.apachelounge.com/download/VC15/modules/mod_md-VC15.zip
SHA1-SHA512 Checksums: www.apachelounge.com/download/VC15/modules/mod_md-VC15.zip.txt

Change log mod_md: https://github.com/icing/mod_md/releases

Built with:
mod_md 1.0.3
httpd 2.4.29
curl(WinSSL) 7.56.1
Jansson-2.10
mod_ssl-v5 patch

# Install
Copy the content of the bin folder to your apache/bin folder
Copy the content of the modules folder to your apache/modules folder

# Add to your httpd.conf
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule md_module modules/mod_md.so


# Configuration
see https://github.com/icing/mod_md/wiki and https://httpd.apache.org/docs/trunk/mod/mod_md.html

You need at least:
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
ManagedDomain .... .....


In the :443 VirtualHost(s), turn on mod_ssl:
SSLEngine on


Normally, certificates are valid for around 90 days and mod_md will renew them at the earliest 30 days before they expire.

You can set for example every 10 days: MDRenewWindow 80d

When testing, consider the rate limits: https://letsencrypt.org/docs/rate-limits/

To get more insight into what is going on, set: LogLevel info md:trace2 ssl:notice

If you need to experiment, configure:
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
Then no valid certificates are generated.

note: a2md.exe is a command line tool


Enjoy,

Steffen


Last edited by Steffen on Thu 16 Nov '17 19:09; edited 9 times in total
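
Added example, not part of the original post or of the mod_md project: the directives from the post above assembled into one httpd.conf fragment that starts on the staging CA. `example.org`, the `mailto:` address, the `ServerAdmin` line and the assumption that `Listen 80` / `Listen 443` are already set elsewhere are not from the post.

```apache
# Added example: mod_md 1.0.x on httpd 2.4.29, staging first.
# example.org and admin@example.org are placeholders.
# Assumes Listen 80 and Listen 443 are already present in httpd.conf.

LoadModule ssl_module      modules/mod_ssl.so
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule md_module       modules/mod_md.so

# Assumption (not in the post): mod_md takes the ACME account contact
# address from ServerAdmin, so set it to a real mailbox.
ServerAdmin mailto:admin@example.org

# Subscriber Agreement URL from the post; it must match the CA's current
# agreement, which is why the v1.2 update required a new value.
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

# While experimenting: staging directory, so no valid certificates are
# generated. Remove this line to go to production.
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory

# Names that share one managed certificate.
ManagedDomain example.org www.example.org

# The post's example value (renew about every 10 days). Leave it out to
# keep the default renewal window.
MDRenewWindow 80d

# Script run after a (re)new. The post's script copies privkey.pem and
# holds an SMTP password, so restrict the script, the md store and the
# copy destination to administrators and the service account.
MDNotifyCmd c:/apache24/bin/mod_md.bat

# Verbose mod_md logging while setting up; lower md: again afterwards.
LogLevel info md:trace2 ssl:notice

<VirtualHost *:443>
    ServerName example.org
    ServerAlias www.example.org
    SSLEngine on
    # No SSLCertificateFile / SSLCertificateKeyFile here: mod_md provides
    # the certificate and key for the managed domain.
</VirtualHost>
```

After a successful staging run, remove the `MDCertificateAuthority` line and restart Apache; the staging certificate is not valid, so a production one still has to be obtained.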
Steffen

Posted: Wed 01 Nov '17 11:51

Maybe you have already noticed that mod_md can now automatically stop/start Apache to activate after a (re)new.

See my discussion at https://github.com/icing/mod_md/issues/17

This resulted in a new directive MDNotifyCmd : https://httpd.apache.org/docs/trunk/mod/mod_md.html#mdnotifycmd

Now with a simple script you can do what you want.
For example I now have a .bat and mailsend in the Apache folder:

Code:
MDNotifyCmd c:/apache24/bin/mod_md.bat


The script mod_md.bat stops/starts Apache, kills fastcgi zombies, copies certificates to the mail server and sends a mail:

Code:
@ECHO OFF

powershell -command "Start-Sleep -s 10"

Net stop <service-name>
 
powershell -command "Start-Sleep -s 10"

REM kill any zombie php-cgi.exe processes left over when you run php with mod_fcgid
taskkill /F /T /IM php-cgi*

Net start <service-name>

REM copy certificates to mail server (in my case Surgemail)
REM each managed domain has its own folder under md\domains
xcopy <path to apache>\md\domains\<domain-name>\pubcert.pem <path to surgemail>\ssl\surge_cert.pem /Y
xcopy <path to apache>\md\domains\<domain-name>\privkey.pem <path to surgemail>\ssl\surge_priv.pem /Y


<path to apache>/bin/mailsend -q -f steffen@sland.nl -smtp sland.nl -user steffen@sland.nl -pass xxxxxx  -name "Steffen L" -t Steffen@sland.nl -sub "Lets Encrypt mod_md Notification" -M "Managed Domain(s) created/renewed:" -M "%~1" -M "%~2"  -M "%~3" -M "%~4" -M "."


Note:
The script is executed after ~24 hours when it is renewed

Note:
mailsend.exe , see https://github.com/muquit/mailsend/releases and https://github.com/muquit/mailsend/blob/master/doc/examples.mediawiki
Steffen

Posted: Thu 16 Nov '17 15:28

On 15 November Let's Encrypt updated its Subscriber Agreement to v1.2, see https://community.letsencrypt.org/t/updating-our-subscriber-agreement-to-v1-2-on-november-15-2017/45605

For new installs you now need in httpd.conf:

MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

If you run into errors, wait for a fix, see https://www.apachelounge.com/viewtopic.php?p=36096
Steffen

Posted: Thu 16 Nov '17 19:11

Updated mod_md to version 1.0.3, solves issue with the new Agreement.