Stefan Eissing edited this page Aug 4, 2017 · 20 revisions

Documentation

This wiki documents features of mod_md and offers help in using it. Discussions are best held on the Apache httpd developer mailing list. If you miss a specific feature being covered here, you may also open an issue or, even better, contribute to the content here.

Usage

Security

What can I expect?

When you have installed mod_md and the patched mod_ssl in your Apache and configured your_domain to be managed (explained further below), you will see something like the following in your log file:

[...00.587735] [md:info] ...<your_domain>: setup staging
[...00.588024] [md:info] ...<your_domain>: need certificate
[...07.040614] [md:info] ...<your_domain>: check Terms-of-Service agreement
[...07.040692] [md:info] ...<your_domain>: setup new authorization
[...13.604130] [md:info] ...<your_domain>: setup new challenges
[...19.522348] [md:info] ...<your_domain>: monitoring challenge status
[...25.387469] [md:info] ...<your_domain>: checked all domain authorizations
[...25.387551] [md:info] ...<your_domain>: creating certificate request
[...35.480524] [md:info] ...<your_domain>: received certificate
[...35.480565] [md:info] ...<your_domain>: retrieving certificate chain
[...41.634865] [md:notice] ... 1 Managed Domain has been setup and 
               changes will be activated on next (graceful) server restart.

When you then restart the server, your_domain uses the new Let's Encrypt certificate. Before it expires, mod_md will obtain a new one and you will see similar messages in your server log.

What do I need to do?

Apart from the installation, you need to configure your server to load mod_md and tell it where it should take over your HTTPS management. A simple example:

You have a virtual host defined like this:

<VirtualHost *:443>
    ServerName www.your_domain.de
    ServerAlias your_domain.de
    Protocols h2 http/1.1

    SSLEngine on
    SSLCertificateFile /etc/mycerts/your_domain.de/fullchain.pem
    SSLCertificateKeyFile /etc/mycerts/your_domain.de/privkey.pem
    ...
</VirtualHost>

then you could change it to this:

ManagedDomain your_domain.de www.your_domain.de

<VirtualHost *:443>
    ServerName www.your_domain.de
    ServerAlias your_domain.de
    Protocols h2 http/1.1

    SSLEngine on
    ...
</VirtualHost>

The SSLCertificate* directives are gone and you have added a ManagedDomain with a list of host names (two here, but it could be just one or maybe ten).
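A small lint for the migration described above, added here as an example and not part of mod_md or this wiki: it reports virtual hosts that use a ManagedDomain but still carry SSLCertificate* directives or have a host name missing from every ManagedDomain list. The function name `lint_managed_domains`, the sample config and the `example.org` names are constructed, and it assumes one config text with no Include handling.

```python
# Constructed sample config (host names and paths are placeholders).
SAMPLE_CONF = """\
ManagedDomain your_domain.de www.your_domain.de
ManagedDomain example.org
<VirtualHost *:443>
    ServerName www.your_domain.de
    ServerAlias your_domain.de
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName example.org
    ServerAlias www.example.org
    SSLEngine on
    SSLCertificateFile /etc/mycerts/example.org/fullchain.pem
    SSLCertificateKeyFile /etc/mycerts/example.org/privkey.pem
</VirtualHost>
"""

def lint_managed_domains(conf_text):
    """Return (first host name, finding) tuples for vhosts that use a ManagedDomain."""
    rows = [line.split() for line in conf_text.splitlines()]
    rows = [r for r in rows if r and not r[0].startswith("#")]
    # Directive names are case-insensitive in httpd; host names are compared lowercased.
    managed = {n.lower() for r in rows if r[0].lower() == "manageddomain" for n in r[1:]}
    findings, vhost = [], None
    for r in rows:
        key = r[0].lower()
        if key.startswith("<virtualhost"):
            vhost = {"names": [], "static": []}
        elif vhost is None:
            continue
        elif key in ("servername", "serveralias"):
            vhost["names"] += [n.lower() for n in r[1:]]
        elif key in ("sslcertificatefile", "sslcertificatekeyfile"):
            vhost["static"].append(r[0])
        elif key == "</virtualhost>":
            names = vhost["names"]
            # Assumption of this lint: a vhost with any managed name should be fully migrated.
            if any(n in managed for n in names):
                findings += [(names[0], f"{n} is not listed in any ManagedDomain")
                             for n in names if n not in managed]
                findings += [(names[0], f"{d} is still configured") for d in vhost["static"]]
            vhost = None
    return findings

if __name__ == "__main__":
    for name, finding in lint_managed_domains(SAMPLE_CONF):
        print(f"{name}: {finding}")
```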

You can find more examples and other documentation in the usage topics above.