Files *-le-ssl.conf in sites-enabled

I'm wondering whether it was a certbot command that once created files with *-le-ssl.conf, derived from the files being in that directory. I'm not sure whether I created them manually or whether an automatism created them. The latter seems more likely to me.
Anyway, these files are constructed a bit differently inside, such that they configure the mod_ssl module:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@mydomain.de

        DocumentRoot /var/www/de.mydomain.www
        ServerName www.mydomain.de
        ServerAlias alias1.de alias2.de 
        ServerSignature Off
        Redirect permanent / https://www.mydomain.de/


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mydomain.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.de/privkey.pem
</VirtualHost>
</IfModule>

Yep. You've got it. 🙂

4 Likes

So far, so good. But why weren't files with this name generated for every file? Are they some relics I can delete now? I have all my vhosts configured right.

Those other vhost conf files without a -le-ssl.conf file probably don't have TLS configured, probably because Certbot wasn't asked to. Certbot will only generate -le-ssl.conf files for vhosts it actually issues a certificate for. And if Certbot is instructed to only get a cert or certs for some hostnames, but not others, it will only add -le-ssl.conf files for the vhosts with issued certs.

5 Likes

As an additional note, that redirect statement is going to create a loop. It redirects back to itself.

4 Likes
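
As an added illustration (not part of any post in this thread, and not Certbot's or Apache's own tooling): a small Python check for the loop pointed out above, where a vhost's whole-site Redirect targets a hostname and port that the same vhost answers on. The function names and the sample text are constructed for this example, and it assumes plain hostnames in ServerName/ServerAlias (no wildcards).

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the vhost as first posted, then with a non-looping target.
SAMPLE_CONF = """\
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.mydomain.de
    ServerAlias alias1.de alias2.de
    Redirect permanent / https://www.mydomain.de/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.mydomain.de
    ServerAlias alias1.de alias2.de
    Redirect permanent / https://mydomain.de/
</VirtualHost>
</IfModule>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DEFAULT_PORT = {"http": 80, "https": 443}

def directives(body):
    """Yield (lowercased directive name, [args]) for each non-comment line."""
    for line in body.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            yield parts[0].lower(), parts[1:]

def find_redirect_loops(conf_text):
    """Return (vhost address, target URL) for every 'Redirect ... / URL' whose
    target host and port are served by the very vhost that contains it."""
    loops = []
    for addr, body in VHOST_RE.findall(conf_text):
        ports = {int(a.rsplit(":", 1)[-1]) for a in addr.split() if a.rsplit(":", 1)[-1].isdigit()}
        names, redirects = set(), []
        for name, args in directives(body):
            if name in ("servername", "serveralias"):
                names.update(a.lower() for a in args)
            elif name == "redirect" and len(args) >= 2 and args[-2] == "/":
                redirects.append(args[-1])
        for url in redirects:
            u = urlsplit(url)
            port = u.port or DEFAULT_PORT.get(u.scheme)
            if u.hostname in names and port in ports:
                loops.append((addr.strip(), url))
    return loops

if __name__ == "__main__":
    print(find_redirect_loops(SAMPLE_CONF))
```

A port-80 vhost that redirects to the https:// URL of its own name is not reported, because the target port differs from the port the vhost listens on.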

Thanks. I believe it was an error on my side when I handcrafted this example. It should have been - as it is really the case in all my vhosts -

        ServerName www.mydomain.de
        ServerAlias alias1.de alias2.de
        ServerSignature Off
        Redirect permanent / https://mydomain.de/

Just one more question regarding this topic:

What circumstance decides that certbot is generating a *-le-ssl.conf rather than editing the existing .conf file? And:
Is the order of statements important (Include before or after the SSL lines?):

SSLCertificateFile /etc/letsencrypt/live/mydomain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf  <<<

Certbot should always generate a separate *-le-ssl.conf file when you use an installer as part of its command.

For example, the following line acquires a cert via http-01 challenge(s) satisfied via Apache, but does not install it:

certbot certonly --apache

Whereas the following line also installs a newly acquired cert into Apache (and thus creates the *-le-ssl.conf files).

3 Likes

Unless there already are SSLCertificateFile/SSLCertificateKeyFile manually added to an existing HTTPS port 443 VirtualHost section, right? E.g., when a user has manually added such a section with snakeoil certs.

I believe in that scenario Certbot would update the SSLCertificateFile/SSLCertificateKeyFile directives with the new paths to /etc/letsencrypt/live/....

4 Likes

I haven't looked at the installer code, but you could be right.

3 Likes
