
Let's Encrypt for Apache :: mod_md

 
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2603
Location: Hilversum, NL, EU

Posted: Fri 13 Oct '17 11:01    Post subject: Let's Encrypt for Apache :: mod_md

Let's Encrypt site: https://letsencrypt.org/

16 November : update mod_md to 1.0.3 for new MDCertificateAgreement, see post below
4 November : Update mod_ssl patch for OpenSSL 1.1.0g
23 October : Update mod_md to 1.0.1 and curl to 7.56.1
21 October : Now for 2.4.29


Download: Removed, with 2.4.30+ included in Apache download


Change log mod_md: https://github.com/icing/mod_md/releases

Built with:
mod_md 1.0.3
httpd 2.4.29
curl 7.56.1
Jansson-2.10
mod_ssl-v5 patch

# Install
Copy content bin folder to your apache/bin folder
Copy content modules folder to your apache/modules folder

# Add to your httpd.conf
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule md_module modules/mod_md.so


# Configuration
see https://github.com/icing/mod_md/wiki and http://httpd.apache.org/docs/2.4/mod/mod_md.html

You need at least:
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
ManagedDomain .... .....


In the :443 VirtualHost(s), turn on mod_ssl:
SSLEngine on


Normally, certificates are valid for around 90 days and mod_md will renew them the earliest 30 days before they expire.

You can set for example every 10 days: MDRenewWindow 80d

When testing, consider the rate limits: https://letsencrypt.org/docs/rate-limits/

To get more insight into what is going on, set: LogLevel info md:trace2 ssl:notice

If you need to experiment, configure:
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
Then no valid certificates are generated.

note: a2md.exe is a command line tool


Enjoy,

Steffen


Last edited by Steffen on Thu 16 Nov '17 19:09; edited 9 times in total
Back to top
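
The directives from the post above, assembled into one httpd.conf fragment to show where each one goes. This is an added example, not part of the original post or of the mod_md project; example.org, www.example.org and admin@example.org are placeholders.

```apache
# Added example, not from the original post. Placeholders (assumptions):
# example.org, www.example.org, admin@example.org.

LoadModule ssl_module      modules/mod_ssl.so
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule md_module       modules/mod_md.so

# Contact address mod_md uses when it registers the account with the CA.
ServerAdmin mailto:admin@example.org

# Server-level mod_md settings.
# Accept the Subscriber Agreement (URL exactly as quoted in the post).
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

# Names to manage; they match ServerName/ServerAlias of the vhost below.
ManagedDomain example.org www.example.org

# Value from the post: with 90-day certificates, renew about every 10 days.
MDRenewWindow 80d

# Run the script from the post after a certificate was created or renewed.
MDNotifyCmd c:/apache24/bin/mod_md.bat

# Testing only: the staging CA issues certificates that are not publicly
# trusted. Keep this line commented out in production.
#MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory

# Extra logging while setting things up.
LogLevel info md:trace2 ssl:notice

<VirtualHost *:443>
    ServerName example.org
    ServerAlias www.example.org
    # mod_md supplies certificate and key for the managed names, so no
    # SSLCertificateFile / SSLCertificateKeyFile lines are needed here.
    SSLEngine on
</VirtualHost>
```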
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2603
Location: Hilversum, NL, EU

Posted: Wed 01 Nov '17 11:51

Maybe you have already noticed that mod_md can now automatically stop/start Apache to activate after a (re)new.

See my discussion at https://github.com/icing/mod_md/issues/17

This resulted in a new directive MDNotifyCmd: https://httpd.apache.org/docs/trunk/mod/mod_md.html#mdnotifycmd

Now with a simple script you can do what you want.
For example I have now a .bat and mailsend in the Apache/folder:

Code:
MDNotifyCmd c:/apache24/bin/mod_md.bat


The script mod_md.bat stops/starts Apache, kills fastcgi zombies, copies certificates to the mail server and sends a mail:

Code:
@ECHO OFF

REM wait 10 seconds, then stop the Apache service
powershell -command "Start-Sleep -s 10"

net stop <service-name>

powershell -command "Start-Sleep -s 10"

REM kill any leftover zombie php-cgi.exe processes when you run PHP with mod_fcgid
taskkill /F /T /IM php-cgi*

net start <service-name>

REM copy certificate and private key to the mail server (in my case Surgemail)
xcopy <path to apache>\md\domains\<domain-name>\pubcert.pem <path to surgemail>\ssl\surge_cert.pem /Y
xcopy <path to apache>\md\domains\<domain-name>\privkey.pem <path to surgemail>\ssl\surge_priv.pem /Y

REM send a notification mail; %~1 to %~4 are the script's first four arguments
REM (the managed domain names passed by MDNotifyCmd)
<path to apache>/bin/mailsend -q -f steffen@sland.nl -smtp sland.nl -user steffen@sland.nl -pass xxxxxx  -name "Steffen L" -t Steffen@sland.nl -sub "Lets Encrypt mod_md Notification" -M "Managed Domain(s) created/renewed:" -M "%~1" -M "%~2"  -M "%~3" -M "%~4" -M "."


Note:
The script is executed after ~24 hours when it is renewed

Note:
mailsend.exe , see https://github.com/muquit/mailsend/releases and https://github.com/muquit/mailsend/blob/master/doc/examples.mediawiki
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2603
Location: Hilversum, NL, EU

Posted: Thu 16 Nov '17 15:28

On 15 November Let's Encrypt updated its Subscriber Agreement to v1.2, see https://community.letsencrypt.org/t/updating-our-subscriber-agreement-to-v1-2-on-november-15-2017/45605

For new installs you now need in httpd.conf:

MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

When you run into errors, wait for a fix, see https://www.apachelounge.com/viewtopic.php?p=36096
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2603
Location: Hilversum, NL, EU

Posted: Thu 16 Nov '17 19:11

Updated mod_md to version 1.0.3, solves issue with the new Agreement.
Back to top
ether



Joined: 16 May 2011
Posts: 3

Posted: Thu 18 Jan '18 23:55    Post subject: Download missing

The download link leads to a 404. Any help?
Back to top
puertoblack2003



Joined: 31 Jul 2009
Posts: 68

Posted: Fri 19 Jan '18 6:54    Post subject: Re: Download missing

ether wrote:
The download link leads to a 404. Any help?


Maybe they're preparing to update to v1.1.8, a lot changed since then.
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 556

Posted: Fri 19 Jan '18 11:25

Oops.. now again available.

The next Apache 2.4.30 is around the corner, this is going to contain 1.1.8.

In the meantime you can use 1.0.3.
Back to top
nono303



Joined: 20 Dec 2016
Posts: 14
Location: France, Lille

Posted: Fri 19 Jan '18 16:33

Hi,

If you want, you can also try newer build available on https://www.apachelounge.com/viewtopic.php?t=7860
Back to top
pbhq



Joined: 17 Mar 2013
Posts: 10
Location: Germany

Posted: Fri 19 Jan '18 19:28

admin wrote:
In the mean time you can use 1.0.3.


Renewing the certificates does not work in the version 1.0.3, because mod_watchdog hangs in an infinite loop from the day the ReNew should succeed. Rolling Eyes
Back to top
pbhq



Joined: 17 Mar 2013
Posts: 10
Location: Germany

Posted: Fri 19 Jan '18 20:27

The update to the version v1.1.8 solved the problem Very Happy .

However, the ReNew also worked in this version not without problems, because I first received a suspect certificate and then was again requested a new certificate after 24 hours, which now works.
Back to top

