Quick notes on switching to Let's Encrypt certificates for HTTPS

Toby's instructions about LE are at X509LetsEncrypt

If you can, life will probably be simpler if you can use DNS, so add these lines

  #define X509_LETSENCRYPT_USE_DNS_CHALLENGE
  #include <dice/options/apacheconf-x509-letsencrypt.h>

if not already added. You definitely need the #include.

If you can't use DNS, then the hint for now is that you may have to take steps to make sure the URL HTTP .../.well-known/ works and doesn't get intercepted by whatever service is already running on the machine whose certificate you are wanting to update. Try getting RewriteRule ^/.well-known/ - [LAST] early into the config of your site.

Then use my LE_CERT() macro to generate a suitable LE cert.

  LE_CERT(wcmshttps,apache,wcms.inf.ed.ac.uk)

Where wcmshttps is a unique x509 component tag, apache is the owner and group of the certificate, and wcms.inf.ed.ac.uk is the name of the certificate.

Then you need to get apache to use the new cert for HTTPS. You are not touching Cosign stuff.

If you are doing things the right way and using apacheconf to configure your certificate locations, then you can use another macro:

  APACHECONF_VHOST_USE_CERT(wcms,wcmshttps)

or, if it is the main apache config:

  APACHECONF_USE_CERT(wcmshttps)

Where wcms is the apacheconf tag for the vhost you want to set the certificate for, and wcmshttps is the name of the x509 tag you used with the LE_CERT macro.

If you are manually configuring apache via files in the file system, or via the file component, then you'll need to update the apache directives:

  SSLCertificateFile "/opt/wcms/certs/wcms.inf.ed.ac.uk.crt"
  SSLCertificateKeyFile "/opt/wcms/certs/wcms.inf.ed.ac.uk.key"
  SSLCertificateChainFile "/opt/wcms/certs/quovadis.chain"

so that they point at the new certificate, key and chain files, via that other route.

That should be it!

I suggest you go as far as the LE_CERT() part first, and make sure the machine successfully generates the new certificate, e.g.

root> tail /var/lcfg/log/x509
12/02/20 17:20:47:    New keys generated for wcms.inf.ed.ac.uk.
12/02/20 17:20:48:    Runnning om apacheconf try_restart

root> qxprof x509 | grep file_wcmshttps  
certfile_wcmshttps=/etc/pki/tls/certs/le-wcms.inf.ed.ac.uk.crt
chainfile_wcmshttps=/etc/pki/tls/certs/le-wcms.inf.ed.ac.uk.chain
keyfile_wcmshttps=/etc/pki/tls/private/le-wcms.inf.ed.ac.uk.key

before you then go and try and configure apache to use them.
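As an added example (not part of the original notes, and not LCFG code), a small Python check that ties the qxprof output above to the manual-config route: it parses qxprof-style key_tag=value lines for one x509 tag, confirms all three files are the le-<name> ones rather than leftovers from the old CA, and renders the SSLCertificate* directives. The sample qxprof output is constructed here, modelled on the lines above.

```python
import re

# Constructed sample, modelled on the "qxprof x509 | grep file_wcmshttps"
# output on the page (not real output from any machine).
SAMPLE_QXPROF = """\
certfile_wcmshttps=/etc/pki/tls/certs/le-wcms.inf.ed.ac.uk.crt
chainfile_wcmshttps=/etc/pki/tls/certs/le-wcms.inf.ed.ac.uk.chain
keyfile_wcmshttps=/etc/pki/tls/private/le-wcms.inf.ed.ac.uk.key
certfile_oldtag=/opt/wcms/certs/wcms.inf.ed.ac.uk.crt
"""

# Which x509 component resource feeds which Apache directive.
DIRECTIVES = {
    "certfile": "SSLCertificateFile",
    "keyfile": "SSLCertificateKeyFile",
    "chainfile": "SSLCertificateChainFile",
}


def x509_files(qxprof_output, tag):
    """Return {resource: path} for one x509 tag from qxprof key_tag=value lines."""
    files = {}
    for line in qxprof_output.splitlines():
        m = re.match(r"^(certfile|keyfile|chainfile)_(\w+)=(.*)$", line.strip())
        if m and m.group(2) == tag:
            files[m.group(1)] = m.group(3)
    return files


def check_le_files(files, cert_name):
    """Problems to fix before pointing Apache at the files: a resource missing,
    or a path that is not the le-<cert_name>.* file the x509 component wrote."""
    problems = []
    for resource in DIRECTIVES:
        path = files.get(resource)
        if path is None:
            problems.append("missing %s" % resource)
        elif not path.rsplit("/", 1)[-1].startswith("le-%s." % cert_name):
            problems.append("%s is not the Let's Encrypt file: %s" % (resource, path))
    return problems


def apache_ssl_directives(files):
    """Render the SSL* directives for the manual (file-based) apache config."""
    return ['  %s "%s"' % (DIRECTIVES[r], files[r]) for r in DIRECTIVES]


if __name__ == "__main__":
    files = x509_files(SAMPLE_QXPROF, "wcmshttps")
    problems = check_le_files(files, "wcms.inf.ed.ac.uk")
    print("\n".join(problems or apache_ssl_directives(files)))
```

Run it against the real `qxprof x509` output for your tag once the log shows the new keys were generated.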

Remember to check the apacheconf component gets its config, and that it does successfully restart. -- NeilBrown - 12 Feb 2020

Topic revision: r1 - 12 Feb 2020 - 18:26:28 - NeilBrown