Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Apache Lounge is not sponsored.
Your donations will help to keep this site alive and well, and continuing building binaries.
| |
|
| View previous topic :: View next topic |
| Author |
Message |
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 2685
Location: Hilversum, NL, EU
|
 Posted: Fri 13 Oct '17 11:01 Post subject: Let's Encrypt for Apache :: mod_md |
 |
|
Note:
*) mod_md is in 2.4.30 added as an experimental module,
be aware to use it in production, we need success stories (we know one on windows).
Let's encrypt has new features, like the new ACMEv2 protocol and wildcard.
Maybe better to wait with mod_md.
Advised is to use:
win-acme which has a more complete feature set. No wildcard and ACME v2 yet.
or
Which have wild card certificates and ACME v2 SSL For Free or command line client Crypt-LE
Please mail me or post here when you have success with mod_md or not.
# Uncomment in your httpd.conf
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule md_module modules/mod_md.so
# Configuration
see http://httpd.apache.org/docs/2.4/mod/mod_md.html
You need at least:
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDomain .... .....
In the :443 VirtualHost(s), turn on mod_ssl:
SSLEngine on
Normally, certificates are valid for around 90 days and mod_md will renew them the earliest 30 days before they expire.
You can set for example every 10 days: MDRenewWindow 80d
When testing, consider the rate limits: https://letsencrypt.org/docs/rate-limits/
To get more insight what is going on, set: LogLevel info md:trace2 ssl:notice
If you need to experiment, configure :
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory . Then no valid certificates are generated.
Enjoy,
Steffen
Last edited by Steffen on Wed 14 Mar '18 13:28; edited 13 times in total |
|
| Back to top |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 2685
Location: Hilversum, NL, EU
|
| Posted: Wed 01 Nov '17 11:51 Post subject: |
|
|
Maybe you have already noticed that mod_md can now automatically stop/start Apache to activate after a (re)new.
A discussion with the author stefan from greenbytes resulted in a new directive MDNotifyCmd : https://httpd.apache.org/docs/trunk/mod/mod_md.html#mdnotifycmd
Now with a simple script you can do what you want.
For example I have now a .bat and mailsend in the Apache/folder:
| Code: | | MDNotifyCmd c:/apache24/bin/mod_md.bat |
The script mod_md.bat stops/start Apache, kills fastcgi zombies, copy certificates to mail server and sends a mail:
| Code: | @ECHO OFF
powershell -command "Start-Sleep -s 10"
Net stop <service-name>
powershell -command "Start-Sleep -s 10"
REM kill eventually zombie php-cgi.exe's when you run php with mod_fcgid
taskkill /F /T /IM php-cgi*
Net start <service-name>
REM copy certificates to mail server (in my case Surgemail)
xcopy <path to apache>\md\domains\<domain-name>pubcert.pem <path to surgemail>\ssl\surge_cert.pem /Y
xcopy <path to apache>\md\domains\<domain-name>privkey.pem <path to surgemail>\ssl\surge_priv.pem /Y
<path to apache>/bin/mailsend -q -f steffen@sland.nl -smtp sland.nl -user steffen@sland.nl -pass xxxxxx -name "Steffen L" -t Steffen@sland.nl -sub "Lets Encrypt mod_md Notification" -M "Managed Domain(s) created/renewed:" -M "%~1" -M "%~2" -M "%~3" -M "%~4" -M "." |
Note:
The script is executed after ~24 hours when it is renewed
Note:
mailsend.exe , see https://github.com/muquit/mailsend/releases and https://github.com/muquit/mailsend/blob/master/doc/examples.mediawiki |
|
| Back to top |
|
|
|
|
|
|
