Custom Apache configuration


#1

How does the client know how to interpret my Apache web server configuration? I mean, it's a pretty complex task to change any web host configuration, add a file to make it publicly accessible and not break existing things like .htaccess redirects. Think of configurations like ASP.NET MVC where the URL doesn't have to correspond to anything in the file system.

It would be a lot simpler if the validation process didn't need to tinker with my live web server but just used another port that's free. It could then download the certificate to a path that I provide for each domain and maybe reload the web server if necessary.

I wouldn’t want to even try this client if it has the potential to seriously damage my server configuration.


#2

You can always use a manual certonly method if you want to.

In my experience, when there has been something that it has failed over, it has put the configuration files back exactly as they were without an issue. It is still "beta" though, so I did take backups first.


#3

I think having the client update the config would work for most as they probably didn’t touch the config originally.

For those of us who have complex or even fiendish Apache configs it's best not to let the client touch them, which is what I've done.

I've made a couple of minor changes to the config to support LE and then keep the client away from the production servers; they just proxy /.well-known to it. Then when the certs are done I manually copy them up to each server they are needed on.

It works & no risk to the config.

I wrote about this a couple of weeks ago; I made an edit last night to handle LE going public beta, but it works well: http://blog.retep.org/2015/11/18/centralizing-certificate-management-of-letsencrypt-with-a-raspberry-pi/


#4

Okay, so the URL for validation is basically fixed and known in advance? From what I’ve read about the negotiation protocol it is kind of random and the CA server tells me where I should provide the given file.

I’ll probably also include such a proxy redirection in all of my virtual hosts. That part of the Apache config file is generated by a script.

Can I run the letsencrypt client on the same machine as the public web server, but proxy from Apache to the client on a free port, like 12345? So can I instruct the letsencrypt client to listen on that private port with its embedded server, while the CA server connects to my public web server on port 80?


#5

You can use a ProxyPass as suggested by PeterMount on this thread, or webroot, simply mapping the .well-known directory to a specific directory. You can also check this Debian Let's Encrypt automation.
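The two approaches discussed in posts #3 to #5 in one Apache fragment, added here as an example; it is not code from the thread, from PeterMount's blog post, or from the Let's Encrypt client project. On the question in #4: the path prefix /.well-known/acme-challenge/ is fixed by the ACME http-01 challenge, only the token at the end is chosen per validation, which is why a single ProxyPass or Alias on that prefix is enough. The host names example.com and www.example.com, the port 12345 from post #4, the paths /var/www/example.com and /var/lib/acme, the http-to-https redirect, and the flag names of the current certbot client (--http-01-port, --webroot with -w) are all assumptions.

```apache
# Public Apache server. Debian/Ubuntu: a2enmod proxy proxy_http rewrite
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    # ACME http-01 always fetches
    #   http://<domain>/.well-known/acme-challenge/<token>
    # The prefix is fixed; only <token> is random. If a catch-all redirect
    # (here: everything to https, an assumed setup) exists, exempt the prefix,
    # otherwise the CA is bounced instead of served.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Option A: proxy (PeterMount's setup in #3, same-host variant from #4).
    # Only the ACME prefix is handed to the client's standalone listener; the
    # rest of the vhost, including .htaccess rules, is untouched.
    # 127.0.0.1 = client on this box; use the LAN address of a central box
    # (the Raspberry Pi in #3) if the client runs elsewhere.
    ProxyRequests Off
    ProxyPass        "/.well-known/acme-challenge/" "http://127.0.0.1:12345/.well-known/acme-challenge/"
    ProxyPassReverse "/.well-known/acme-challenge/" "http://127.0.0.1:12345/.well-known/acme-challenge/"

    # Option B: webroot (#5). Serve the prefix from a directory the client
    # writes into. No proxy modules needed. Use A or B, not both.
    #Alias "/.well-known/acme-challenge/" "/var/lib/acme/.well-known/acme-challenge/"
    #<Directory "/var/lib/acme/.well-known/acme-challenge/">
    #    # AllowOverride None: no .htaccess can interfere with the challenge files
    #    Options None
    #    AllowOverride None
    #    Require all granted
    #</Directory>
</VirtualHost>

# Where the client runs (current certbot flag names; assumed, not from the thread).
# Option A: the client's own HTTP server listens on port 12345 and never edits
# Apache's configuration:
#   certbot certonly --standalone --http-01-port 12345 \
#       -d example.com -d www.example.com
# Option B: the client drops <token> into /var/lib/acme/.well-known/acme-challenge/:
#   certbot certonly --webroot -w /var/lib/acme \
#       -d example.com -d www.example.com
```

With Option A the client never writes to httpd.conf, which is what post #1 asks for; renewal then consists of re-running the command, copying the new certificate to each server and reloading Apache. The standalone listener should only be reachable from the Apache host that proxies to it (loopback, or a firewalled internal address for the central-box setup). The challenge response itself is not secret, but there is no reason to expose an extra HTTP listener to the Internet. In the webroot variant, keep AllowOverride None on the challenge directory so that no .htaccess from the document root can redirect or deny the validation request. Apache does not allow comments after a directive on the same line, so keep explanatory comments on their own lines as above.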