Apache with ACMEv2

icing · August 14, 2019, 2:36pm

With the current release of 2.4.41 of Apache httpd you get ACMEv2 support in the form of the mod_md module. Among other things, you get so see all your managed domains in the server-status page:

The release was just being made and is available on fedora and debian-sid, at the least. I hear that gentoo also has it.

The included version of mod_md supports all bells and whistles of Let’s Encrypt and can be configured for wildcard certificates too, if you know how to talk to you DNS server.

More in the documentation with various how-to sections.

Hope you like it.

tdelmas · August 14, 2019, 2:51pm

If mod_md is not experimental anymore maybe it could be a good idea to add it in that page https://letsencrypt.org/docs/client-options/ ?

Osiris · August 14, 2019, 3:31pm

Isn’t it more logical to link to the official Apache site for its documentation?

https://httpd.apache.org/docs/2.4/mod/mod_md.html

I’m pretty sure it’s still experimental, according to the warning in the documentation I linked above:

This module is experimental. Its behaviors, directives, and defaults are subject to more change from release to release relative to other standard modules. Users are encouraged to consult the “CHANGES” file for potential updates.

Also:

Gentoo does have the module in its current version, apache-2.4.39.ebuild

And the mod_md module has been around longer than version 2.4.41. Heck, there were no major mod_md changes in that version.

In essence, thanks for the reminder for mod_md, but a) it isn’t marked as stable and b) was around a little bit longer than version 2.4.41, which even isn’t regarded as the stable Apache version, that’s 2.4.39.

icing · August 15, 2019, 8:28am

Thanks @Osiris, you do realise that you are mans-plaining to the creator of the module, right?

I am linking to the github version of the documentation since it is the better and more usable one. I think it helps people more. Also, I encourage people and distributions to use the github releases as they are far more frequent.

As to the “experimental” status, maybe it is time to purge that for the 2.0.x versions. The module is “stable” as there has been no breakage of existing configurations, nor is it planned. However, the functionality is still expanding. Upcoming are the 2.1.x releases that tackel OCSP stapling.

Maybe the maintainer of the Let’s Encrypt client list could tell me what she needs to at the native Apache support to the page? Thanks!

_az · August 15, 2019, 9:34am

Anybody can modify the list, just submit a PR against https://github.com/letsencrypt/website/blob/master/data/clients.json .

Personally I’m very excited for the new mod_md to become available for all Apache installations. I’ve long believed that the ultimate end game is for all webservers to have native support and for external clients like Certbot to be obsoleted.

Osiris · August 15, 2019, 11:23am

All the more reason to be more clear in your topicstart As a “layman”, it’s very confusing. Which documentation should I use? Why should I use github and not Apache.org? Et cetera et cetera.

icing · August 16, 2019, 7:04am

Thanks, @_az, PR is in the works.

cpu · August 16, 2019, 1:19pm

Seconded! Thanks for your continued work on this @icing. It’s a great project.

bmw · August 16, 2019, 3:01pm

As one of the primary engineers on Certbot, thirded! I think the main role of clients like Certbot is to fill the gap until servers get their own ACME support and make configuring TLS easier.

I think I speak for everyone on the Certbot team when I say we’re all big fans of mod_md.