logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.



Post new topic   Forum Index -> Building & Member Downloads View previous topic :: View next topic
Reply to topic   Topic: generating SSL certificates on first access to domain
Author
asters



Joined: 09 Nov 2020
Posts: 2

PostPosted: Mon 09 Nov '20 18:02    Post subject: generating SSL certificates on first access to domain Reply with quote

Hi,
I'm trying to build an Apache module that will generate ssl certificates on-fist-access to the requested domains.

We provide a service that ends up with a lot of Apache virtual hosts for domains that have to be available, but might never be used. Right now we're generating the ssl certificates when the virtual hosts are created, but it takes a lot of time and resources.

I thought it might be possible to create those certificates on-demand instead:

1. Intercept the request.
2. Check if a certificate for this domain exists.
3. If it doesn't, generate it using Let's Encrypt.
4. Load the page over ssl.

Is this even possible?

I wrote a basic module, but I'm not sure how to hook it so it executes before the ssl module does its ssl stuff.

Any help will be appreciated! Thank you!
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6861
Location: Germany, Next to Hamburg

PostPosted: Wed 11 Nov '20 12:42    Post subject: Reply with quote

On https://httpd.apache.org/docs/2.4/developer/modguide.html you will find all available hooks.

However it is not possible to do that on the first request, since the browser at first negotiates the SSL connection conditions with the server.
Back to top
tangent



Joined: 16 Aug 2020
Posts: 20
Location: UK

PostPosted: Wed 11 Nov '20 17:46    Post subject: Reply with quote

James is right; there's no direct way to hook a custom module to generate and apply the certificate on first request.

If you're using a script to create the virtual hosts, from a template structure with edits, etc., then can't you include a further script to trigger the Let's Encrypt side of requesting the site certificate, using certbot or the like?

You'll still have to get past the Let's Encrypt server challenge to verify you control the domain you’re requesting a first new certificate for, so can't see you'd be able to fully automate the process.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6861
Location: Germany, Next to Hamburg

PostPosted: Mon 16 Nov '20 12:38    Post subject: Reply with quote

mod_md creates certs.
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 1075
Location: Amsterdam, NL, EU

PostPosted: Mon 16 Nov '20 16:44    Post subject: Reply with quote

But not on the fly. It needs a restart of Apache to acticate a generated certificate.
Back to top
asters



Joined: 09 Nov 2020
Posts: 2

PostPosted: Wed 18 Nov '20 11:29    Post subject: Reply with quote

tangent wrote:
If you're using a script to create the virtual hosts, from a template structure with edits, etc., then can't you include a further script to trigger the Let's Encrypt side of requesting the site certificate, using certbot or the like?


Yes, we're doing this right now: the script creates virtual hosts and generates certificates for them using certbot. But the goal is to create the virtual hosts using the script, but create certificates on first access to the domains. We're expecting hundreds of domains being added in bulk but in the end only a fraction of them actually being used. It's fine if we create virtual hosts for them all, but we don't want to create the certificates because it takes a long time and then they have to be renewed every two months... for no reason if the domains won't be used.

What we need to do is figure out a way to intercept that https connection before it tries to load the certificate. Doesn't mod_ssl do that somehow? Or what about setting up a reverse proxy and redirecting the https request somewhere where a certificate would be generated and then redirecting it back?
Back to top


Reply to topic   Topic: generating SSL certificates on first access to domain View previous topic :: View next topic
Post new topic   Forum Index -> Building & Member Downloads