Arch Linux Apache server


#1

Hi there,

My site is still not running on https, I have followed the following tutorial: https://certbot.eff.org/#arch-apache

Full domain:
(www.)ztjuh.tk

Command:
$ sudo certbot certonly --webroot -w /home/ztjuh/public_html -d ztjuh.tk -d www.ztjuh.tk

Output:
IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/ztjuh.tk/fullchain.pem. Your cert will expire
    on 2016-12-12. To obtain a new or tweaked version of this
    certificate in the future, simply run certbot again. To
    non-interactively renew all of your certificates, run “certbot
    renew”

  • If you lose your account credentials, you can recover through
    e-mails sent to zjaakie@gmail.com.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Name and version of OS:
Arch Linux 4.7.1-1-ARCH

I ran these commands while Apache was running…

Something wrong or not set in my apache configuation? I couldn’t find anything about Apache configuration. Only in the Arch Linux wiki.

I made:
/etc/httpd/conf/extra/httpd-acme.conf:

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

And in /etc/httpd/conf/httpd.conf:
Include conf/extra/httpd-acme.conf

After this I restarted Apache too.

Or is something not running?

I can see http://ztjuh.tk/.well-known/
and http://i.ztjuh.tk/.well-known/ (for my subdomain)

Also I saw this in my ztjuh.tk-access_log

66.133.109.36 - - [14/Sep/2016:00:12:25 +0200] “GET /.well-known/acme-challenge/wvq5RHcbdhK6vhfP-wxrIxXujao5oy4oPbg3BD3_J5c HTTP/1.1” 200 87
66.133.109.36 - - [14/Sep/2016:00:12:26 +0200] “GET /.well-known/acme-challenge/joEpMZoOWg91Y9rREUtUbsJ-ibwwC1m3i4tggC4h8G0 HTTP/1.1” 200 87

So it seems that it did “something” at the installation…

Thanks for helping and your time!

Greetings,
Alex


#2

Hi @zkitzo, all of the messages that you’re describing shows that the process worked properly, and there is nothing more to debug or investigate!

What I think is causing the confusion here is that when you use the certonly method, the Certbot software does not set up or activate HTTPS for you in your web server configuration. Instead, it only obtains the digital certificate (which is the PEM file mentioned in the output that you quoted). There is still an additional step that you have to do yourself, which is to edit your Apache configuration to refer to this certificate and to the associated certificate chain, and to indicate that you want Apache to serve your site as HTTPS.

Perhaps the documentation should be clearer that this is what is meant by “cert only” in this context.

Do you know how to do these steps to activate HTTPS in your Apache configuration, or do you need additional help with that process?


#3

Hi @schoen !

Thanks for replying and clearing up what “cert only” is.

I really don’t have any clue how to setup Apache with this… My guess is add a vhost on port 443 in /etc/httpd/conf/extra/httpd-vhosts.conf and locate the PEM files?

If you could help me with that, that would be awesome :slight_smile:


#4

I’d suggest working through the article at https://wiki.archlinux.org/index.php/Apache_HTTP_Server

You don’t need to “Create a key and (self-signed) certificate” as you have the Let’s Encrypt certs, which you can then use in the config.


#5

I’ve got it working! I followed the steps on https://gethttpsforfree.com/

But this is not working with automating renewal. I used the certificates from gethttpsforfree.com, can someone please tell me which .crt, .key and .pem file to use for each of these? Because I can only find 4 .pem files…

What I have now:

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;

SSLCertificateFile "/etc/ssl/certs/domain.crt"
SSLCertificateKeyFile "/etc/ssl/private/domain.key"
SSLCertificateChainFile “/etc/ssl/certs/intermediate.pem”

What do I change so it works with Certbot (letsencrypt.org)?

I can see the .pem files symlinks in /etc/letsencrypt/live/ztjuh.tk.


#6

For Apache 2.2.x and older

SSLCertificateFile "/etc/letsencrypt/live/ztjuh.tk/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/ztjuh.tk/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/ztjuh.tk/chain.pem"

For Apache 2.4.x and newer

SSLCertificateFile "/etc/letsencrypt/live/ztjuh.tk/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/ztjuh.tk/privkey.pem"

#7

Thank you very much, so just to be sure, I can comment out SSLCertificateChainFile? Since I’m running Apache 2.4.x.

EDIT: Seems to be working! Thank you so much @cool110


#8

Yes, SSLCertificateChainFile is a deprecated directive.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.