Apache managed domans (mod_md)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gbumc.church

I ran this command: # apachectl restart

It produced this output:

My web server is (include version): httpd 2.4.53

The operating system my web server runs on is (include version): Debian 11 (Bullseye)

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A

I have successfully obtained a test cert with the letsencryp staging url. Is was verified as such by Qualys SSL Labs test.

I changed my httpd.conf to the acme v2 url and restarted the server. I have seen no change of the domain status in the md directory and the Qualys test still shows a test cert.

Can I remove any part of the md directory to initiate a change in the situation? (Note the original cert was hosted on another server and it was scheduled to expire on 22 May.)

1 Like

You now just need to follow the same steps, but this time get a new cert from the normal/production server.

Staging certs are not trusted.

3 Likes

Thanks, but I've tried that: changing the conf file and restarting. I have asked for help on the Apache user list, but no useful ideas yet. If I don't get any other ideas before long, I will try restarting completely from scratch by removing the md directory.

I don't know mod_md well so this is a total guess. But, try adding (or changing):

MDRenewWindow 91d 

From: mod_md - Apache HTTP Server Version 2.5

My guess is that mod_md sees your staging cert and does not realize you changed the MDCertificateAuthority. So, it thinks the staging cert is "fresh enough" and takes no action.

The above should force a renewal but be sure to CHANGE IT BACK after this test.
You could quickly get Rate Limited by Let's Encrypt otherwise.

You could also try asking at the mod_md github

3 Likes

I don't see how that is changing anything.
Restarting Apache won't obtain a new cert.

You need to run the ACME client again, but this time point it at the production endpoint.

3 Likes

mod_md is installed into Apache and restarting is enough to reactivate and trigger

5 Likes

Okay, success!

  • I removed the md directory

  • ensured the httpd.conf file has the correct Let's Encrypt valid cert URL

  • did a start

  • checked my error log which said valid cert was waiting for a graceful restart

  • I did the graceful restart and checked for a reasonable looking md directory

  • then I checked the site with Qualys again: A with a trusted cert

  • finally, I looked at the site and saw it as was expected

For the future I will ALWAYS set the httpd.conf file to the staging area to make sure the flow under my control works. Then remove the md directory, change the httpd.conf file back to the v2 URL, restart, check the logs, and do a graceful start.

3 Likes

What will they think of next?... Cars that drive all by themselves! - LOL

5 Likes

Excellent! That was going to be my next suggestion :slight_smile:

mod_md github: How to backup, restore, or start over

6 Likes