@alilly Holy crap. Total game changer. It would be so nice to not have to deal with certbot anymore
It even seems to integrate with mod_status, so you can get a dashboard of the cert status of all your hosted domains 🤯
@alilly Update: I just tried automatic cert management via mod_md on a site I needed to migrate to a new server.
IT WORKS. IT ACTUALLY WORKS.
(Or at least it does for initial setup of the cert -- we'll see how gracefully it handles renewal in three months.)
* It won't work until you add a contact email address and affirmation that you accept the Let's Encrypt TOS to your Apache configuration. They provide configuration directives for this (MDContactEmail and MDCertificateAgreement), but the docs aren't really clear that this is mandatory so I had to have things blow up a few times before I figured it out. You can add these either on a per-site basis in the vhost config, or globally in the global Apache config.
* You don't have to add anything to the vhost config to tell it where the new certs are -- you just tell the vhost that it's using a "managed domain," and mod_md handles all that for you.
In the words of Borat, "very nice!!! I like!!!"
* mod_md can fetch a new cert for you, but it won't actually be _applied_ to the vhost until the next time Apache restarts. I can see this being an issue when it comes time to renew.
* If you get everything set up but they fail silently, turn on mod_status and set up a status page. mod_md automatically provides detailed notes on any failed attempts to get a cert to mod_status. You just activate the status page and it will walk you through fixing whatever errors there were. (This was how I figured out the need to add the contact email and the TOS acceptance.)
@jalefkowit It doesn't apply the cert until the whole server restarts or until the worker restarts? Workers restart pretty often.
@alilly Ooh, that's an excellent question. I waited a few minutes, got tired of waiting, and restarted the server. But I dunno if it might have applied itself automatically if I'd just waited longer.
@jalefkowit None of my sites have much traffic so it'd be no trouble to schedule daily restarts at midnight or something, it only takes a few seconds for the server to restart. But it'd be nice not to have to do that.
@alilly It left me wondering if there's some way to have it automatically trigger a restart when a cert is issued/renewed. Restarts are fast enough that I don't care about losing a few seconds, if it means I don't have to keep track of what server needs restarting when to keep their certs current
@jalefkowit you might need a one-line script instead because it passes information about the new certificate as additional arguments and I don't know how systemctl) handle unexpected arguments
@alilly I can live with that, particularly if it's general enough I can just add "drop this reboot script into a standard location" into my provisioning to-do list and call it a day
@jalefkowit but yeah the script is just gonna be a shebang and whatever command you would use to restart httpd
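As an added example (not code from the thread), one way to wire the "one-line restart script" discussed above, assuming Apache 2.4 with mod_md 2.x, its MDMessageCmd hook, and the contact address and install path shown in the comments:

```sh
#!/bin/sh
# Added example (not from the thread): handler for mod_md's MDMessageCmd hook
# that reloads httpd when a certificate has been renewed, so the new cert is
# applied without a manual restart. Assumed wiring in the Apache config:
#   MDContactEmail admin@example.com          # mandatory for Let's Encrypt
#   MDCertificateAgreement accepted           # mandatory: accept the CA's TOS
#   MDomain example.com
#   MDMessageCmd /usr/local/sbin/md-reload.sh # assumed install path
# mod_md invokes the command as:  md-reload.sh <reason> <domain> [extra args]
# Reasons include "renewed", "installed", "expiring" and "errored".

# Reload command; overridable so the script can be exercised without root.
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"

# needs_reload REASON -> exit 0 when the reason means a new cert is staged.
# Only "renewed" qualifies: "installed" is reported after the reload itself,
# so reloading on it again would loop, and "expiring"/"errored" need a human.
needs_reload() {
    case "$1" in
        renewed) return 0 ;;
        *)       return 1 ;;
    esac
}

# handle_md_message REASON DOMAIN [ARGS...]; extra args are accepted and ignored.
handle_md_message() {
    [ "$#" -ge 2 ] || { echo "usage: $0 <reason> <domain> [args]" >&2; return 2; }
    reason="$1"; domain="$2"
    if needs_reload "$reason"; then
        echo "md-reload: cert for $domain renewed, running: $RELOAD_CMD" >&2
        $RELOAD_CMD
    else
        # Not actionable here; the mod_status page carries the details.
        echo "md-reload: $reason for $domain, no reload needed" >&2
    fi
}

# Run only when invoked by mod_md (with arguments), not when sourced for tests.
if [ "$#" -ge 2 ]; then
    handle_md_message "$@"
fi
```

The script must be executable by the user httpd runs as, and the reload command it runs must itself be permitted for that user (for example via a narrowly scoped sudoers rule), otherwise the hook fails silently and only mod_status will tell you why.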
(that is, despite this very annoying bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=58593 you literally need mod_rewrite to configure one of today's most common proxy scenarios)
@alilly oh wow, TIL
I can replace acme.sh on one of my Apache httpd servers with this module
something worth testing at any rate
@alilly yep, this has been around for quite a while. It was after the first LE wave and I remember it was one of the reasons to not use debian stable back then, because apache versions were too old. But it was also a bit clumsy from a handling perspective, hope that is resolved by now :)