As some of you might know, Apache has integrated support for Let’s Encrypt since beginning of 2018. That feature is implemented in its built-in module mod_md. That support is based on the “old” Let’s Encrypt ACMEv1 endpoint. So, it has no access to the newer features.
Me, being the author, just got a grant by Mozilla’s Open Source Support to bring Apache to ACMEv2 and also make an alternate implementation for OCSP Stapling.
The Apache project wants to make integration with Let’s Encrypt as easy as possible. If you have feedback on the current design or miss out on something, now is a good time to present your ideas over on github.
(Disclaimer: this is not an attempt to win users. A lot of people happily use Certbot with Apache and that is a fine thing. I did so myself before I wrote mod_md. The certbot people are doing excellent work. So, use whatever feels right.)
Version 2.0.1 is out and is waiting for test drivers. This version builds against a recent Apache 2.4.x server. I hope to get more people into building packages for the various OS. For Windows, there is already one. See README.md for all the details.
This version supports ACMEv2 and all its challenge types. To get the tls-alpn-01 working, you need a patched mod_ssl module as well. The module will detect this and use the new challenge or not.
All details and configurations now described in README.md. If you miss something, why not add a pull request or on problems raise an issue?
Besides this, there are some quality of life improvements as well. Check the chapter on ‘Monitoring’ on how you can see the list of all your domains and expiration times etc. in your browser. Or get it as JSON.
I keep updating here on the progress until someone stops me.
Version 2.0.3 is now out. You have extended monitoring capabilities with the new md-status handler that gives you JSON information about all your managed domains.
It will list any renewal errors down to the error details sent back from Let’s Encrypt - should that happen. So, no longer dig through error logs to see what went wrong!
Also, when linked with OpenSSL >= v1.1.x, the status handlers will give you the certificate transparency information of newly arrived certificates right away. This includes timestamp, CTlog identifier, signature algorithm and the signature itself.
Additionally, the ugprading to ACMEv2 defaults have changes. The README.md contains details about why this was necessary.
