Apache2 : Configure mod_md2020/07/30 |
Install and Configure [mod_md] to automate managing certificates from Let's Encrypt.
It's possbile to configure each VirtualHost.
And it's not need to configure manual SSL/TLS setting like here for the Site with [mod_md].
Also it needs that it's possible to access from the Internet to the Site with [mod_md] because of verification from Let's Encrypt.
|
|
[1] | Install [mod_md]. |
root@www:~# apt -y install libapache2-mod-md
|
[2] | Configure [mod_md]. |
root@www:~#
vi /etc/apache2/conf-available/acme.conf # create new
MDBaseServer on
MDCertificateProtocol ACME
MDCAChallenges http-01
MDDriveMode auto
MDPrivateKeys RSA 2048
MDRenewWindow 33%
MDStoreDir md
MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
<Location "/md-status">
SetHandler md-status
Require ip 127.0.0.1 10.0.0.0/24
</Location>
# [MDRenewWindow]
# default is [33%] if not specified
# if validity of certificates falls specified duration,
# [mod_md] will get new certificates
# 90 days * 33% ≒ 30 days
# if you'd like to set with day, specify [d]
# 30 days ⇒ [30d]
# [MDStoreDir]
# the directory certificates or other data are stored
# if not specified, default is [md]
# it is relative path from [ServerRoot] in [httpd.conf]
# [md-status]
# monitor MD status
|
[3] | Configure each VirtualHost you'd like to set [mod_md]. It needs to specify valid email address for each [ServerAdmin] directive because Let's Encrypt will send various notification. |
# for example, set on the site [www.srv.world] site root@www:~# vi /etc/apache2/sites-available/www.srv.world.conf MDomain www.srv.world MDCertificateAgreement accepted DirectoryIndex index.html ServerAdmin root@www.srv.world <VirtualHost *:80> DocumentRoot /var/www/html ServerName www.srv.world </VirtualHost> <VirtualHost *:443> SSLEngine on DocumentRoot /var/www/html ServerName www.srv.world </VirtualHost> # for example, set on the site [dlp.srv.world] site root@www:~# vi /etc/apache2/sites-available/dlp.srv.world.conf MDomain dlp.srv.world MDCertificateAgreement accepted DirectoryIndex index.html ServerAdmin root@dlp.srv.world <VirtualHost *:80> DocumentRoot /var/www/dlp.srv.world ServerName dlp.srv.world </VirtualHost> <VirtualHost *:443> SSLEngine on DocumentRoot /var/www/dlp.srv.world ServerName dlp.srv.world </VirtualHost> a2enmod md Enabling module md. To activate the new configuration, you need to run: systemctl restart apache2root@www:~# a2enconf acme Enabling conf acme. To activate the new configuration, you need to run: systemctl reload apache2root@www:~# a2ensite www.srv.world Enabling site www.srv.world. To activate the new configuration, you need to run: systemctl reload apache2root@www:~# a2ensite dlp.srv.world Enabling site dlp.srv.world. To activate the new configuration, you need to run: systemctl reload apache2
root@www:~#
systemctl restart apache2
# on initial start, some validation ckecks run and # dumy certificate is created under the directory you set for [MDStoreDir] root@www:~# ll /etc/apache2/md/domains/dlp.srv.world total 20 drwx------ 2 root root 4096 Jul 30 19:26 ./ drwx------ 4 root root 4096 Jul 30 19:26 ../ -rw------- 1 root root 1115 Jul 30 19:26 fallback-cert.pem -rw------- 1 root root 1704 Jul 30 19:26 fallback-privkey.pem -rw------- 1 root root 471 Jul 30 19:26 md.json # if all checks passed, valid certificate is gotten root@www:~# ll /etc/apache2/md/domains/dlp.srv.world total 36 drwx------ 2 root root 4096 Jul 30 19:29 ./ drwx------ 4 root root 4096 Jul 30 19:29 ../ -rw------- 1 root root 15715 Jul 30 19:29 job.json -rw------- 1 root root 516 Jul 30 19:29 md.json -rw------- 1 root root 1704 Jul 30 19:29 privkey.pem -rw------- 1 root root 3554 Jul 30 19:29 pubcert.pem |
[4] | It's possible to confirm expiration date and others of certificate with [openssl] command like follows. Or it's possbile to see them to access to the URL of [md-status] you set on [2]. |
root@www:~# openssl s_client -connect www.srv.world:443 | openssl x509 -noout -startdate -enddate depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = www.srv.world verify return:1 notBefore=Jul 30 03:29:11 2020 GMT notAfter=Oct 28 03:29:11 2020 GMTroot@www:~# openssl s_client -connect dlp.srv.world:443 | openssl x509 -noout -startdate -enddate depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = dlp.srv.world verify return:1 notBefore=Jul 30 03:28:59 2020 GMT notAfter=Oct 28 03:28:59 2020 GMT |
Sponsored Link |
|