Arch Linux Apache server

zkitzo · September 13, 2016, 11:56pm

Hi there,

My site is still not running on https, I have followed the following tutorial: Certbot

Full domain:
(www.)ztjuh.tk

Command:
$ sudo certbot certonly --webroot -w /home/ztjuh/public_html -d ztjuh.tk -d www.ztjuh.tk

Output:
IMPORTANT NOTES:

Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/ztjuh.tk/fullchain.pem. Your cert will expire
on 2016-12-12. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew all of your certificates, run "certbot
renew"
If you lose your account credentials, you can recover through
e-mails sent to zjaakie@gmail.com.
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

Name and version of OS:
Arch Linux 4.7.1-1-ARCH

I ran these commands while Apache was running...

Something wrong or not set in my apache configuation? I couldn't find anything about Apache configuration. Only in the Arch Linux wiki.

I made:
/etc/httpd/conf/extra/httpd-acme.conf:

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

And in /etc/httpd/conf/httpd.conf:
Include conf/extra/httpd-acme.conf

After this I restarted Apache too.

Or is something not running?

I can see http://ztjuh.tk/.well-known/
and http://i.ztjuh.tk/.well-known/ (for my subdomain)

Also I saw this in my ztjuh.tk-access_log

66.133.109.36 - - [14/Sep/2016:00:12:25 +0200] "GET /.well-known/acme-challenge/wvq5RHcbdhK6vhfP-wxrIxXujao5oy4oPbg3BD3_J5c HTTP/1.1" 200 87
66.133.109.36 - - [14/Sep/2016:00:12:26 +0200] "GET /.well-known/acme-challenge/joEpMZoOWg91Y9rREUtUbsJ-ibwwC1m3i4tggC4h8G0 HTTP/1.1" 200 87

So it seems that it did "something" at the installation...

Thanks for helping and your time!

Greetings,
Alex

schoen · September 14, 2016, 12:55am

Hi @zkitzo, all of the messages that you’re describing shows that the process worked properly, and there is nothing more to debug or investigate!

What I think is causing the confusion here is that when you use the certonly method, the Certbot software does not set up or activate HTTPS for you in your web server configuration. Instead, it only obtains the digital certificate (which is the PEM file mentioned in the output that you quoted). There is still an additional step that you have to do yourself, which is to edit your Apache configuration to refer to this certificate and to the associated certificate chain, and to indicate that you want Apache to serve your site as HTTPS.

Perhaps the documentation should be clearer that this is what is meant by “cert only” in this context.

Do you know how to do these steps to activate HTTPS in your Apache configuration, or do you need additional help with that process?

zkitzo · September 14, 2016, 1:33am

Hi @schoen !

Thanks for replying and clearing up what “cert only” is.

I really don’t have any clue how to setup Apache with this… My guess is add a vhost on port 443 in /etc/httpd/conf/extra/httpd-vhosts.conf and locate the PEM files?

If you could help me with that, that would be awesome

serverco · September 14, 2016, 6:56am

I’d suggest working through the article at https://wiki.archlinux.org/index.php/Apache_HTTP_Server

You don’t need to “Create a key and (self-signed) certificate” as you have the Let’s Encrypt certs, which you can then use in the config.

zkitzo · September 14, 2016, 12:34pm

I've got it working! I followed the steps on https://gethttpsforfree.com/

But this is not working with automating renewal. I used the certificates from gethttpsforfree.com, can someone please tell me which .crt, .key and .pem file to use for each of these? Because I can only find 4 .pem files...

What I have now:

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;

SSLCertificateFile "/etc/ssl/certs/domain.crt"
SSLCertificateKeyFile "/etc/ssl/private/domain.key"
SSLCertificateChainFile "/etc/ssl/certs/intermediate.pem"

What do I change so it works with Certbot (letsencrypt.org)?

I can see the .pem files symlinks in /etc/letsencrypt/live/ztjuh.tk.

cool110 · September 14, 2016, 1:15pm

For Apache 2.2.x and older

SSLCertificateFile "/etc/letsencrypt/live/ztjuh.tk/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/ztjuh.tk/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/ztjuh.tk/chain.pem"

For Apache 2.4.x and newer

SSLCertificateFile "/etc/letsencrypt/live/ztjuh.tk/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/ztjuh.tk/privkey.pem"

zkitzo · September 14, 2016, 1:20pm

Thank you very much, so just to be sure, I can comment out SSLCertificateChainFile? Since I’m running Apache 2.4.x.

EDIT: Seems to be working! Thank you so much @cool110

cool110 · September 14, 2016, 1:24pm

Yes, SSLCertificateChainFile is a deprecated directive.

system · October 14, 2016, 1:25pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.