Apache Lounge



Forum Index Downloads Search Register Log in  RSS Apache Lounge

Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.



A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.

Let's Encrypt for Apache :: mod_md

Post new topic   Reply to topic    Apache Forum Index -> How-to's & Documentation & Tips

View previous topic :: View next topic  
Author Message

Joined: 15 Oct 2005
Posts: 2634
Location: Hilversum, NL, EU

PostPosted: Fri 13 Oct '17 11:01    Post subject: Let's Encrypt for Apache :: mod_md Reply with quote


*) mod_md is in 2.4.30 added as an experimental module,
be aware to use it in production, we need success stories (we know one on windows).

Let's encrypt has new features, like the new ACMEv2 protocol and wildcard.
Maybe better to wait with mod_md.

Advised is to use:

which has a more complete feature set. No wildcard and ACME v2 yet.
Which have wild card certificates and ACME v2 SSL For Free or command line client Crypt-LE

Please mail me or post here when you have success with mod_md or not.

# Uncomment in your httpd.conf
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule md_module modules/mod_md.so

# Configuration
see http://httpd.apache.org/docs/2.4/mod/mod_md.html

You need at least:
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDomain .... .....

In the :443 VirtualHost(s), turn on mod_ssl:
SSLEngine on

Normally, certificates are valid for around 90 days and mod_md will renew them the earliest 30 days before they expire.

You can set for example every 10 days: MDRenewWindow 80d

When testing, consider the rate limits: https://letsencrypt.org/docs/rate-limits/

To get more insight what is going on, set: LogLevel info md:trace2 ssl:notice

If you need to experiment, configure :
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory . Then no valid certificates are generated.



Last edited by Steffen on Wed 14 Mar '18 13:28; edited 13 times in total
Back to top

Joined: 15 Oct 2005
Posts: 2634
Location: Hilversum, NL, EU

PostPosted: Wed 01 Nov '17 11:51    Post subject: Reply with quote

Maybe you have already noticed that mod_md can now automatically stop/start Apache to activate after a (re)new.

A discussion with the author stefan from greenbytes resulted in a new directive MDNotifyCmd : https://httpd.apache.org/docs/trunk/mod/mod_md.html#mdnotifycmd

Now with a simple script you can do what you want.
For example I have now a .bat and mailsend in the Apache/folder:

MDNotifyCmd c:/apache24/bin/mod_md.bat

The script mod_md.bat stops/start Apache, kills fastcgi zombies, copy certificates to mail server and sends a mail:


powershell -command "Start-Sleep -s 10"

Net stop <service-name>
powershell -command "Start-Sleep -s 10"

REM kill eventually zombie php-cgi.exe's when you run php with mod_fcgid
taskkill /F /T /IM php-cgi*

Net start <service-name>

REM copy certificates to mail server (in my case Surgemail)
xcopy <path to apache>\md\domains\<domain-name>pubcert.pem <path to surgemail>\ssl\surge_cert.pem /Y
xcopy <path to apache>\md\domains\<domain-name>privkey.pem <path to surgemail>\ssl\surge_priv.pem /Y

<path to apache>/bin/mailsend -q -f steffen@sland.nl -smtp sland.nl -user steffen@sland.nl -pass xxxxxx  -name "Steffen L" -t Steffen@sland.nl -sub "Lets Encrypt mod_md Notification" -M "Managed Domain(s) created/renewed:" -M "%~1" -M "%~2"  -M "%~3" -M "%~4" -M "."

The script is executed after ~24 hours when it is renewed

mailsend.exe , see https://github.com/muquit/mailsend/releases and https://github.com/muquit/mailsend/blob/master/doc/examples.mediawiki
Back to top

Post new topic   Reply to topic    Apache Forum Index -> How-to's & Documentation & Tips
Page 1 of 1