holy crap did any of you know about Apache2's built in ACME support

Apache2 can do the exact thing Caddy does and automatically get certs from Let's Encrypt at runtime

you just have to flip it on (per domain name)

going back to version... 2.4.30

from 2018

WHY WAS THIS NOT NEWS

turns out good things happen to people who read the documentation

@alilly Holy crap. Total game changer. It would be so nice to not have to deal with certbot anymore

It even seems to integrate with mod_status, so you can get a dashboard of the cert status of all your hosted domains 🤯

@alilly Update: I just tried automatic cert management via mod_md on a site I needed to migrate to a new server.

IT WORKS. IT ACTUALLY WORKS.

(Or at least it does for initial setup of the cert -- we'll see how gracefully it handles renewal in three months.)

Couple notes:

* It won't work until you add a contact email address and affirmation that you accept the Let's Encrypt TOS to your Apache configuration. They provide configuration directives for this (MDContactEmail and MDCertificateAgreement), but the docs aren't really clear that this is mandatory so I had to have things blow up a few times before I figured it out. You can add these either on a per-site basis in the vhost config, or globally in the global Apache config.

* You don't have to add anything to the vhost config to tell it where the new certs are -- you just tell the vhost that it's using a "managed domain," and mod_md handles all that for you.

In the words of Borat, "very nice!!! I like!!!"

* mod_md can fetch a new cert for you, but it won't actually be _applied_ to the vhost until the next time Apache restarts. I can see this being an issue when it comes time to renew.

* If you get everything set up but they fail silently, turn on mod_status and set up a status page. mod_md automatically provides detailed notes on any failed attempts to get a cert to mod_status. You just activate the status page and it will walk you through fixing whatever errors there were. (This was how I figured out the need to add the contact email and the TOS acceptance.)
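The configuration the notes above describe, collected into one constructed example (added here, not posted by anyone in the thread). It assumes a recent Apache 2.4.x where MDCertificateAgreement accepts the literal `accepted` (older 2.4.30-era releases wanted the Let's Encrypt terms-of-service URL instead), and the hostnames, paths and e-mail address are placeholders:

```apache
# Global mod_md settings (e.g. conf-available/md.conf on Debian; "a2enmod md" first).
# Both directives below are required before mod_md will talk to Let's Encrypt.
MDContactEmail        hostmaster@example.com
MDCertificateAgreement accepted

# Declare the managed domain. mod_md requests, stores and renews the cert itself;
# mod_watchdog must be loaded for the renewal job to run.
MDomain example.com www.example.com

# Have mod_md answer plain-HTTP requests with a redirect to HTTPS (replaces the
# mod_rewrite rules people usually hand-write in the :80 vhost).
MDRequireHttps permanent

# Status dashboards, restricted to the local host: mod_status's /server-status
# shows a Managed Domains section with the last renewal attempt and any errors.
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1 ::1
</Location>

# Port 80 must still be reachable for the http-01 challenge; mod_md serves the
# /.well-known/acme-challenge responses itself, so this vhost can stay empty.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example
    SSLEngine on
    # No SSLCertificateFile / SSLCertificateKeyFile: because the name matches a
    # managed domain, mod_md supplies the key and certificate to mod_ssl.
</VirtualHost>
```

Until the first certificate has been obtained, mod_md hands mod_ssl a temporary self-signed cert for the domain, so the :443 vhost starts but browsers will warn; after the next reload the real cert is served. Keep the status location restricted as above, since it exposes the renewal error history for every hosted name.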

@jalefkowit It doesn't apply the cert until the whole server restarts or until the worker restarts? Workers restart pretty often.

@alilly Ooh, that's an excellent question. I waited a few minutes, got tired of waiting, and restarted the server. But I dunno if it might have applied itself automatically if I'd just waited longer.

@jalefkowit None of my sites have much traffic so it'd be no trouble to schedule daily restarts at midnight or something, it only takes a few seconds for the server to restart. But it'd be nice not to have to do that.

@jalefkowit ooh nice MDRequireHttps directive to manage 80->443 redirection

@alilly I know right??? No more having to manually fill a port 80 vhost with mod_rewrite rules 👍

@alilly It left me wondering if there's some way to have it automatically trigger a restart when a cert is issued/renewed. Restarts are fast enough that I don't care about losing a few seconds, if it means I don't have to keep track of what server needs restarting when to keep their certs current

@jalefkowit you might need a one-line script instead because it passes information about the new certificate as additional arguments and I don't know how apache2ctl (or service or /etc/init.d/apache2 or systemctl) handle unexpected arguments

@alilly I can live with that, particularly if it's general enough I can just add "drop this reboot script into a standard location" into my provisioning to-do list and call it a day

@jalefkowit I wouldn't reboot the whole machine, that's definitely excessive

@jalefkowit but yeah the script is just gonna be a shebang and whatever command you would use to restart httpd

@alilly oh no, absolutely. I just meant reboot Apache. Sloppy wording, sorry
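The "one-line script" idea above, worked through as a constructed example (not code from the thread). It assumes mod_md's MDMessageCmd directive (available in the 2.x module shipped with newer 2.4 releases), which runs a command as `<script> <reason> <domain>` with reasons such as `renewed`, `installed`, `expiring` and `errored`; the flag-file path, log path and script name are assumptions. Because the command runs with the httpd worker's privileges, the script does not call apachectl itself; it records that a reload is needed, and a root-owned cron job or systemd timer reloads only when the flag is present:

```sh
#!/bin/sh
# Constructed example: /usr/local/sbin/md-hook.sh, wired up with
#   MDMessageCmd /usr/local/sbin/md-hook.sh
# mod_md invokes it as: md-hook.sh <reason> <domain>
set -eu

FLAG="${MD_FLAG:-/run/apache2/md-reload-needed}"      # assumed path
LOG="${MD_HOOK_LOG:-/var/log/apache2/md-hook.log}"    # assumed path

# Map a mod_md event to an action. Prints one of: reload, alert, noop.
# "renewed" means a new cert is staged on disk but not yet served; only a
# reload activates it. "installed" is mod_md confirming activation after
# that reload, so nothing further is needed.
md_action() {
    case "$1" in
        renewed)           echo reload ;;
        expiring|errored)  echo alert ;;
        *)                 echo noop ;;
    esac
}

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"; }

main() {
    reason="${1:-}"; domain="${2:-}"
    action=$(md_action "$reason")
    log "event=$reason domain=$domain action=$action"
    case "$action" in
        # Leave a marker for the privileged reload job instead of reloading here.
        reload) : > "$FLAG" ;;
        alert)  logger -t md-hook "mod_md: $reason for $domain; check /server-status" ;;
    esac
}

# Run the side effects only when invoked by mod_md under the expected name.
case "${0##*/}" in md-hook.sh) main "$@" ;; esac
```

The matching root-side job is a one-liner on a short timer, e.g. `[ -f /run/apache2/md-reload-needed ] && rm -f /run/apache2/md-reload-needed && apachectl graceful`; a graceful reload lets in-flight requests finish, so nothing is dropped. This keeps the worker user unable to restart the server while still removing the "which host needs a restart" bookkeeping, and the log line per event gives you a trail of renewals and failures to check against the mod_status page.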

@jalefkowit @alilly this, and the apache feather burned into my ass, as part of becoming an ASF member, is the main reason i still use Apache Httpd as my main Web server and proxy and TLS termination

(that is, despite this very annoying bug: bz.apache.org/bugzilla/show_bu you literally need mod_rewrite to configure one of today's most common proxy scenarios)

@alilly I wonder if you could do acme in nginx with lua blocks

@alilly oh wow, TIL

I can replace acme.sh on one of my Apache httpd servers with this module

something worth testing at any rate

@alilly yep, this has been around for quite a while. It was after the first LE wave and I remember it was one of the reasons to not use debian stable back then, because apache versions were too old. But it was also a bit clumsy from a handling perspective, hope that is resolved by now :)
