Quick notes on switching to Let's Encrypt certificates for HTTPS

Toby's instructions about LE are at X509LetsEncrypt

If you can, life will probably be simpler if you use DNS, so add the following

#include <dice/options/apacheconf-x509-letsencrypt.h>

if it is not already there. You definitely need the #include.

If you can't use DNS, then the hint for now is that you may have to take steps to make sure the HTTP URL .../.well-known/ works and doesn't get intercepted by whatever service is already running on the machine whose certificate you want to update. Try getting RewriteRule ^/.well-known/ - [LAST] early into the config of your site.

Then use my LE_CERT() macro to generate a suitable LE cert.


Where wcmshttps is a unique x509 component tag, apache is the owner and group of the certificate, and wcms.inf.ed.ac.uk is the name of the certificate.

Then you need to get apache to use the new cert for HTTPS. You are not touching Cosign stuff.

If you are doing things the right way and using apacheconf to configure your certificate locations, then you can use another macro


or, if it is the main apache config,


Where wcms is the apacheconf tag for the vhost you want to set the certificate for, and wcmshttps is the name of the x509 tag you used with the LE_CERT macro.

If you are manually configuring apache via files in the file system, or via the file component, then you'll need to update the apache directives yourself, via that other route, so that they point at the new certificate, key and chain files:

  SSLCertificateFile "/opt/wcms/certs/wcms.inf.ed.ac.uk.crt"
  SSLCertificateKeyFile "/opt/wcms/certs/wcms.inf.ed.ac.uk.key"
  SSLCertificateChainFile "/opt/wcms/certs/quovadis.chain"

That should be it!

I suggest you go as far as the LE_CERT() part first, and make sure the machine successfully generates the new certificate, e.g.

root> tail /var/lcfg/log/x509
12/02/20 17:20:47:    New keys generated for wcms.inf.ed.ac.uk.
12/02/20 17:20:48:    Runnning om apacheconf try_restart

root> qxprof x509 | grep file_wcmshttps  

before you then go and try and configure apache to use them.

Remember to check that the apacheconf component gets its config, and that it does successfully restart.
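A pre-flight check worth running at this point, before apache is pointed at the new files, is to confirm that the certificate, key and chain on disk are consistent with each other and with the hostname; a key that does not match the certificate is the usual reason the apacheconf restart then fails. The script below is an added example, not part of these notes or of the x509/apacheconf components. The file paths in the comment are the ones from the notes; the function names (cert_matches_key, cert_covers_host, cert_not_expiring, chain_verifies, preflight) are mine, and the LE chain file name is a placeholder.

```sh
#!/bin/sh
# Pre-flight check of a cert/key/chain set before apache is told to use it.
# Added example, not from the original notes; only the openssl CLI is needed.
set -u

# 0 if the public key inside CERT equals the public key derived from KEY.
cert_matches_key() {
    cert=$1
    key=$2
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if CERT names HOST either in its subject CN or as a DNS SAN entry.
cert_covers_host() {
    cert=$1
    host=$2
    esc=$(printf '%s' "$host" | sed 's/\./\\./g')   # escape dots for grep -E
    openssl x509 -in "$cert" -noout -text \
        | grep -Eq "(DNS:|CN ?= ?)${esc}([^A-Za-z0-9.-]|\$)"
}

# 0 if CERT is still valid DAYS days from now (-checkend takes seconds).
cert_not_expiring() {
    cert=$1
    days=$2
    openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null
}

# 0 if CERT chains to a trusted root via the intermediates in CHAIN
# (the LE chain file plays the role the old quovadis.chain did).
chain_verifies() {
    cert=$1
    chain=$2
    openssl verify -untrusted "$chain" "$cert" >/dev/null 2>&1
}

# Run every check; stop at the first failure with a one-line reason.
preflight() {
    cert=$1
    key=$2
    chain=$3
    host=$4
    cert_matches_key "$cert" "$key"  || { echo "FAIL: key does not match $cert"; return 1; }
    cert_covers_host "$cert" "$host" || { echo "FAIL: $cert does not name $host"; return 1; }
    cert_not_expiring "$cert" 30     || { echo "FAIL: $cert expires within 30 days"; return 1; }
    chain_verifies "$cert" "$chain"  || { echo "FAIL: $cert does not verify against $chain"; return 1; }
    echo "OK: $cert, its key and chain are consistent for $host"
}

# Stand-alone use, with the paths from the notes (chain file name is a placeholder):
#   sh preflight.sh /opt/wcms/certs/wcms.inf.ed.ac.uk.crt \
#      /opt/wcms/certs/wcms.inf.ed.ac.uk.key /opt/wcms/certs/<le-chain-file> wcms.inf.ed.ac.uk
if [ "$#" -eq 4 ]; then
    preflight "$@"
fi
```

The key comparison hashes the SubjectPublicKeyInfo from both files rather than just the RSA modulus, so it works unchanged if a later renewal switches to an ECDSA key. The values in x509.certfile_*, x509.keyfile_* and x509.chainfile_* from qxprof are the natural arguments to pass.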

Using the supplied x509 macros

You can achieve the same using just the macros already provided by the x509 headers. For example:

#include <dice/options/apacheconf-x509-letsencrypt.h>

!x509.catype_swebhttps  mSET(letsencrypt)
!x509.component_swebhttps       mADD(apacheconf)

apacheconf.vhostsslcert_sweb443         <%x509.certfile_swebhttps%>
apacheconf.vhostsslkey_sweb443          <%x509.keyfile_swebhttps%>
apacheconf.vhostsslchain_sweb443        <%x509.chainfile_swebhttps%>

-- NeilBrown - 12 Feb 2020

Topic revision: r2 - 14 Feb 2020 - 13:15:17 - NeilBrown