logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> How-to's & Documentation & Tips View previous topic :: View next topic
Reply to topic   Topic: Let's Encrypt for Apache :: How-To mod_md
Author
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3121
Location: Hilversum, NL, EU
PostPosted: Fri 13 Oct '17 11:01    Post subject: Let's Encrypt for Apache :: How-To mod_md Reply with quote
# Uncomment in your httpd.conf
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule md_module modules/mod_md.so

# Configuration
see http://httpd.apache.org/docs/2.4/mod/mod_md.html
and
Far better https://github.com/icing/mod_md/blob/master/README.md

You need at least:
MDCertificateAgreement accepted
MDomain .... .....

In the :443 VirtualHost(s), turn on mod_ssl:
SSLEngine on


Normally, certificates are valid for around 90 days and mod_md will renew them the earliest 30 days before they expire.

You can set for example every 10 days: MDRenewWindow 80d

When testing, consider the rate limits: https://letsencrypt.org/docs/rate-limits/
If you need to experiment and not to hit the limits, configure :
MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory . Then no valid certificates are generated.

To get more insight what is going on, set: LogLevel info md:trace2 ssl:notice



Enjoy,

Steffen

Last edited by Steffen on Mon 30 Sep '19 10:41; edited 21 times in total
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3121
Location: Hilversum, NL, EU
PostPosted: Wed 01 Nov '17 11:51    Post subject: Reply with quote
Maybe you have already noticed that mod_md can now automatically stop/start Apache to activate after a (re)new.

A discussion with the author stefan from greenbytes resulted in a new directive MDNotifyCmd : https://httpd.apache.org/docs/trunk/mod/mod_md.html#mdnotifycmd

Now with a simple script you can do what you want.
For example I have now a .bat and mailsend in the Apache/folder:

Code:
MDNotifyCmd c:/apache24/bin/mod_md.bat


The script mod_md.bat stops/start Apache, kills fastcgi zombies, copy certificates to mail server and sends a mail:

Code:
@ECHO OFF

Net stop <service-name>
 
powershell -command "Start-Sleep -s 10"

REM kill eventually zombie php-cgi.exe's when you run php with mod_fcgid
taskkill /F /T /IM php-cgi*

Net start <service-name>

REM copy certificates to mail server (in my case Surgemail)
xcopy <path to apache>\md\domains\<domain-name>pubcert.pem <path to surgemail>\ssl\surge_cert.pem /Y
xcopy <path to apache>\md\domains\<domain-name>privkey.pem <path to surgemail>\ssl\surge_priv.pem /Y


<path to apache>/bin/mailsend -q -f steffen@sland.nl -smtp sland.nl -user steffen@sland.nl -pass xxxxxx  -name "Steffen L" -t Steffen@sland.nl -sub "Lets Encrypt mod_md Notification" -M "Managed Domain(s) created/renewed:" -M "%~1" -M "%~2"  -M "%~3" -M "%~4" -M "."


Note:
The script is executed after ~24 hours when it is renewed

Note:
mailsend.exe , see https://github.com/muquit/mailsend/releases and https://github.com/muquit/mailsend/blob/master/doc/examples.mediawiki
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3121
Location: Hilversum, NL, EU
PostPosted: Mon 30 Sep '19 10:33    Post subject: Reply with quote
Updated the start post.

Also there is now MDMessageCmd https://github.com/icing/mod_md/blob/master/README.md#mdmessagecmd

Very handy

I use a script to send a mail:

Code:
MDMessageCmd c:/apache24/bin/MDMessageCmd.bat


Code:
@ECHO OFF

<path to apache>\bin\mailsend -q -f steffen@sland.com -smtp sland.com -user steffen@land.nl -pass xxxxxx  -name "Steffen L" -t steffen@sland.nl -sub "Lets Encrypt MDMessageCmd" -M "Something happened concerning mod_md domain:" -M "%~1" -M "%~2"  -M "%~3" -M "%~4" -M "."


See also www.apachelounge.com/viewtopic.php?p=38549
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3121
Location: Hilversum, NL, EU
PostPosted: Mon 30 Sep '19 11:13    Post subject: Reply with quote
Forget to tell:

There is also better monitoring.

server-status : mod_md info is added

md-status : info JSON format

certificate-status : info about current and upcoming certificates on a domain.

See all at https://github.com/icing/mod_md/blob/master/README.md#monitoring
Back to top
nono303



Joined: 20 Dec 2016
Posts: 213
Location: Lille, FR, EU
PostPosted: Wed 02 Oct '19 17:32    Post subject: Reply with quote
my 2 cents, same notification for a mattermost hook url (what I use)
Code:

curl -i -X POST -H "Content-Type: application/json" -d "{\"username\": \"Lets Encrypt MDMessageCmd\", \"icon_url\": \"http://apache.org/favicon.ico\", \"text\": \"^| Something happened concerning mod_md domain ^|\n^|---^|\n^| %~1 ^|\n^| %~2 ^|\n^| %~3 ^|\n^| %~4 ^|\"}" https://[MATTERMOST_SERVER]/hooks/[HOOK_ID]
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3121
Location: Hilversum, NL, EU
PostPosted: Fri 08 Nov '19 12:42    Post subject: All the Things Promised Reply with quote
A status report mod_md.

With the release of version v2.2.2 the project sponsored by the beautiful people at MOSS, Mozilla's Open Source Support, has been concluded. You will soon see the result appear in various releases, such as Fedora and Debian unstable. What can you expect? How does this benefit you? Three things: Real ACME, Safer Stapling and Easy Monitoring.

Read more...... https://icing.github.io/mod_md/allthethingspromised.html

Nice summary
Back to top


Reply to topic   Topic: Let's Encrypt for Apache :: How-To mod_md View previous topic :: View next topic
Post new topic   Forum Index -> How-to's & Documentation & Tips