Certbot with Apache
Prelim Concepts
- A .pfx file is a PKCS#12 archive. Typically, a PKCS#12 archive contains a certificate (possibly with its assorted set of CA certificates) and the corresponding private key.
- A .cert (or .cer or .crt) file usually contains a single certificate, alone and without any wrapping (no private key, no password protection, just the certificate). The certificate contains the server’s public key and the CA’s signature over it (i.e. the CA asserting that the public key belongs to this domain).
Certbot with Apache – Overview
Getting Certbot with Apache working was a little tricky. Certbot is a popular client for Let’s Encrypt. It requires an ACME server to talk to, so that the server can provision the EC2 instance running certbot (or wherever it is sitting) with a correct server certificate.
Certbot’s request (to the ACME server) when using Apache is slightly modified (also read: Installing Apache on an Amazon EC2 Linux 2 instance):
sudo /opt/letsencrypt/certbot-auto --apache --redirect --webroot-path /var/www/html --no-verify-ssl --agree-tos --email blah@blah.com --server https://myacmeserver.com --domains mytestdomain.com
- --redirect ensures that http requests get routed to https
- --apache is what tells certbot to a) use Apache’s plugin for the domain-challenge step, and b) modify the appropriate conf files in Apache (see below)
- --no-verify-ssl disables verification of the ACME server’s own TLS certificate; it is only appropriate when talking to a private ACME server (such as the myacmeserver.com placeholder above) whose certificate certbot cannot validate, and should be dropped for the public Let’s Encrypt endpoint
The Certbot client edits httpd.conf and writes the httpd-le-ssl.conf configuration file in Apache.
httpd.conf – certbot adds the following to the default httpd.conf (typically in the /etc/httpd/conf/ folder):
RewriteEngine on
RewriteCond %{HTTP_HOST} ^(something-else.example-prod.com|whatever.example-prod.com|...others...)$
RewriteRule ^/(.*) https://www.example-prod.com/$1 [R=permanent,L]
httpd-le-ssl.conf – certbot adds a virtual host entry to Apache’s httpd-le-ssl.conf file:
<VirtualHost *:443>
    ServerName www.example2.com
    ServerAlias example2.com
    DocumentRoot /var/www/example2.com/public_html
    ErrorLog /var/www/example2.com/error.log
    CustomLog /var/www/example2.com/requests.log combined
    <Directory "/var/www/vhosts/ffh/public/">
        AllowOverride all
        SSLOptions +StdEnvVars
        # Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
        SSLRequireSSL
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example2/MY_ACME_CERT.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example2/MY_ACME_KEY.key
</VirtualHost>
Note: the .crt has to be PEM encoded (Apache will accept a .pem file as well). CustomLog needs a log-format name as its second argument (combined is the nickname defined in the stock httpd.conf), and SSLRequireSSL takes no argument.
Troubleshooting Certbot with Apache – What could go wrong?
- Often, even though the conf file entries shown above are correctly written, Apache doesn’t pick them up. The way you know this is by hitting a test web page on your Apache webroot (see this post). If you get an insecure-certificate warning, Apache is most likely serving you a self-signed cert instead of the correct Let’s Encrypt cert.
- The workaround is ensuring that Apache can find the Let’s Encrypt certificate. To do that, the virtual host for :443 must POINT to the newly issued Let’s Encrypt certificate and key (shown as MY_ACME_CERT.crt and MY_ACME_KEY.key in the sample above).
- Restart Apache: sudo service httpd restart
- If you encounter errors on restarting Apache, check the error log, e.g. grep error /var/log/httpd/error_log, or run sudo apachectl configtest to have Apache name the offending directive and file.
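The browser check described above can be done from the command line, which is handier on a headless EC2 box and easier to script into a post-deploy smoke test. The script below is an added example written for this post; it is not part of Certbot, Apache or the original article. It assumes openssl is on PATH, that the host name passed in (mytestdomain.com is the page’s placeholder) resolves to the Apache instance under test, and that a certificate whose issuer equals its subject is self-signed (which is exactly what the stock mod_ssl localhost certificate looks like). The cert_key_match helper uses the MY_ACME_CERT.crt / MY_ACME_KEY.key paths from the virtual host sample.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes: openssl on PATH; HOST
# resolves to the Apache server being checked; issuer == subject means self-signed.

# fetch_cert_text HOST [PORT]
# Prints the subject= and issuer= lines of the leaf certificate the server
# actually presents for HOST. SNI is sent so the matching :443 vhost answers.
fetch_cert_text() {
  host=$1
  port=${2:-443}
  printf '' | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}

# classify_cert SUBJECT_LINE ISSUER_LINE
# Strips the "subject=" / "issuer=" prefixes and compares the two names.
# Equal names -> self-signed (Apache fell back to its own localhost cert);
# different names -> issued by a CA (for Let's Encrypt the O= field names it).
classify_cert() {
  subj=${1#subject=}
  iss=${2#issuer=}
  if [ "$subj" = "$iss" ]; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# check_host HOST [PORT]
# Prints the verdict and exits 0 for ca-issued, 1 for self-signed,
# 2 when no TLS handshake or no certificate could be obtained at all.
check_host() {
  out=$(fetch_cert_text "$1" "${2:-443}") || return 2
  [ -n "$out" ] || return 2
  subj=$(printf '%s\n' "$out" | grep '^subject=')
  iss=$(printf '%s\n' "$out" | grep '^issuer=')
  verdict=$(classify_cert "$subj" "$iss")
  echo "$verdict"
  [ "$verdict" = ca-issued ]
}

# cert_key_match CERT_FILE KEY_FILE
# Exits 0 when the public key embedded in CERT_FILE equals the public half of
# KEY_FILE. A mismatch between SSLCertificateFile and SSLCertificateKeyFile is
# a common reason Apache refuses to restart after the vhost has been edited.
cert_key_match() {
  c=$(openssl x509 -noout -pubkey -in "$1") || return 2
  k=$(openssl pkey -pubout -in "$2") || return 2
  [ "$c" = "$k" ]
}
```

Typical use is check_host mytestdomain.com before and after the Apache restart: a verdict of self-signed means the :443 vhost is still not pointing at the Certbot files. If the restart itself fails, cert_key_match /etc/apache2/ssl/example2/MY_ACME_CERT.crt /etc/apache2/ssl/example2/MY_ACME_KEY.key rules out a cert/key mix-up before you read the error log.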
Summary
Certbot with Apache, although almost fully automated, may require some tweaking to ensure that Apache can find the provisioned ACME (Let’s Encrypt) certificates correctly.
Test with a browser and make sure the certificate it shows is ‘valid’ (an insecure warning means Apache may be using a self-signed cert instead of your newly provisioned ACME cert).