Apache httpd : Configure mod_md
2020/11/10
Install and configure [mod_md] to automate the management of certificates from Let's Encrypt.
It's possible to configure it for each VirtualHost.
For a site with [mod_md], it's not necessary to configure SSL/TLS settings manually.
Also, the site with [mod_md] must be accessible from the Internet, because Let's Encrypt verifies it.

[1] Install [mod_md].

[root@www ~]# dnf -y install mod_md
# after installing, [mod_md] is enabled
[root@www ~]# cat /etc/httpd/conf.modules.d/01-md.conf
LoadModule md_module modules/mod_md.so

[2] Configure [mod_md].

[root@www ~]# vi /etc/httpd/conf.d/acme.conf
# create new
MDBaseServer on
MDCertificateProtocol ACME
MDCAChallenges http-01
MDDriveMode auto
MDPrivateKeys RSA 2048
MDRenewWindow 33%
MDStoreDir md
MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

<Location "/md-status">
    SetHandler md-status
    Require ip 127.0.0.1 10.0.0.0/24
</Location>

# [MDRenewWindow]
# default is [33%] if not specified
# if the remaining validity of a certificate falls below the specified duration,
# [mod_md] will get a new certificate
# 90 days * 33% ≒ 30 days
# if you'd like to set it in days, specify [d]
# 30 days ⇒ specify [30d]

# [MDStoreDir]
# the directory where certificates and other data are stored
# if not specified, default is [md]
# it is a relative path from [ServerRoot] in [httpd.conf]

# [md-status]
# monitor MD status

[3] If SELinux is enabled, change policy.

[root@www ~]# setsebool -P httpd_can_network_connect on

[4] Configure each VirtualHost on which you'd like to use [mod_md]. A valid email address must be specified in each [ServerAdmin] directive because Let's Encrypt will send various notifications.

# for example, set on the site [rx-7.srv.world]
[root@www ~]# vi /etc/httpd/conf.d/rx-7.srv.world.conf
MDomain rx-7.srv.world
MDCertificateAgreement accepted
DirectoryIndex index.html
ServerAdmin root@rx-7.srv.world

<VirtualHost *:80>
    DocumentRoot /var/www/rx-7.srv.world
    ServerName rx-7.srv.world
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    DocumentRoot /var/www/rx-7.srv.world
    ServerName rx-7.srv.world
</VirtualHost>

# for example, set on the site [rx-8.srv.world]
[root@www ~]# vi /etc/httpd/conf.d/rx-8.srv.world.conf
MDomain rx-8.srv.world
MDCertificateAgreement accepted
DirectoryIndex index.html
ServerAdmin root@rx-8.srv.world

<VirtualHost *:80>
    DocumentRoot /var/www/rx-8.srv.world
    ServerName rx-8.srv.world
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    DocumentRoot /var/www/rx-8.srv.world
    ServerName rx-8.srv.world
</VirtualHost>

[root@www ~]# systemctl restart httpd

# on initial start, some validation checks run and
# a dummy certificate is created under the directory you set for [MDStoreDir]
[root@www ~]# ll /etc/httpd/md/domains/rx-7.srv.world
total 12
-rw-------. 1 root root 1119 Nov 10 19:25 fallback-cert.pem
-rw-------. 1 root root 1704 Nov 10 19:25 fallback-privkey.pem
-rw-------. 1 root root 533 Nov 10 19:25 md.json

# if all checks passed, a valid certificate is obtained
[root@www ~]# ll /etc/httpd/md/domains/rx-7.srv.world
total 16
-rw-------. 1 root root 4065 Nov 10 19:26 job.json
-rw-------. 1 root root 578 Nov 10 19:26 md.json
-rw-------. 1 root root 1704 Nov 10 19:26 privkey.pem
-rw-------. 1 root root 3554 Nov 10 19:26 pubcert.pem

[5] The expiration date and other details of a certificate can be confirmed with the [openssl] command as follows. Alternatively, they can be viewed by accessing the [md-status] URL you set in [2].

[root@www ~]# openssl s_client -connect rx-7.srv.world:443 | openssl x509 -noout -startdate -enddate
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = rx-7.srv.world
verify return:1
notBefore=Nov 10 06:25:50 2020 GMT
notAfter=Feb 8 06:25:50 2021 GMT

[root@www ~]# openssl s_client -connect rx-8.srv.world:443 | openssl x509 -noout -startdate -enddate
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = rx-8.srv.world
verify return:1
notBefore=Nov 10 06:26:00 2020 GMT
notAfter=Feb 8 06:26:00 2021 GMT
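
The following is an added example, not part of the original page: a small check that takes the [notBefore]/[notAfter] values shown in [5] and tells whether the certificate is already inside the [MDRenewWindow] set in [2], which is how a stalled renewal shows up from the outside. The function names [md_renew_state] and [md_check_host] are hypothetical, and GNU [date] is assumed.

```shell
#!/bin/sh
# Added example (not from the original page).
# Classifies a certificate against mod_md's renew window using the
# notBefore/notAfter strings printed by `openssl x509 -startdate -enddate`.
# Assumes GNU date for parsing those strings.

# md_renew_state NOT_BEFORE NOT_AFTER NOW_EPOCH [WINDOW_PERCENT]
# prints: ok | renew-due | expired   (exit status 2 if a date cannot be parsed)
# The body runs in a subshell, so its variables do not leak to the caller.
md_renew_state() (
    start=$(date -u -d "$1" +%s) || exit 2
    end=$(date -u -d "$2" +%s) || exit 2
    now=$3
    pct=${4:-33}                      # default matches [MDRenewWindow 33%]
    # the window is a percentage of the certificate's full lifetime
    window=$(( (end - start) * pct / 100 ))
    remaining=$(( end - now ))
    if [ "$remaining" -le 0 ]; then
        echo expired
    elif [ "$remaining" -lt "$window" ]; then
        # mod_md should already be renewing (or have renewed) this certificate
        echo renew-due
    else
        echo ok
    fi
)

# md_check_host HOST [WINDOW_PERCENT]
# fetches the certificate currently served on HOST:443 and classifies it
md_check_host() (
    dates=$(openssl s_client -connect "$1:443" -servername "$1" \
                </dev/null 2>/dev/null |
            openssl x509 -noout -startdate -enddate) || exit 2
    nb=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p')
    na=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
    md_renew_state "$nb" "$na" "$(date +%s)" "${2:-33}"
)

# usage, run from cron or a monitoring agent:
#   md_check_host rx-7.srv.world
```

A site that stays in [renew-due] across several checks means the renewal is not completing; the prerequisites on this page to re-check are access from the Internet for verification and the SELinux boolean from [3].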