I am trying to use Letsencrypt to secure one of my dev servers. I don’t need to worry about a userbase and their odd browsers etc. as only five people will have access, all of whom I work with. Therefore I have limited /etc/apache2/mods-available/ssl.conf to only allow TLSv1.2, with strong ciphers.
Apache2 on Ubuntu 16.04 comes with GnuTLS as default - and I would like to use it. But when I run “sudo certbot” it enables mod_ssl.
I have looked around the documentation to see a switch to make it use GnuTLS instead, but no luck.
As always there are three options:
I am ‘blind’ and it is there and I have just missed it
I am not fully understanding the relationship between components, in this case mod_ssl and mod_gnutls
what I am looking for is not there (i.e. Letsencrypt only works with mod_ssl)
Which one is it?
Please fill out the fields below so we can help you better.
My domain is: n/a
I ran this command: sudo certbot
It produced this output: “… Enabled Apache SSL module …”
My web server is (include version): Apache2
The operating system my web server runs on is (include version): Ubuntu Server 16.04LTS
Apache can interact with the GnuTLS library via the mod_gnutls plugin: https://mod.gnutls.org/
I am pretty certain that certbot only uses the mod_ssl library however… there are no reasons (I can think of) that there shouldn’t be support for the mod_gnutls plugin.
a) at this time Letsencrypt uses mod_ssl only
b) what I am looking for (mod_gnutls support) may be possible, only no one has asked for it?
If that is the case, I am quite happy to log a feature request for it when I find where that is done.
Follow-up question (and this shows how little I had played with all of this until yesterday):
If I go through the certbot routine, get a certificate installed and it works, is there anything stopping me from then pointing my gnutls-enabled virtual host config at that cert and disabling mod_ssl again? Or will that not work?
That should work just fine. This is what certbot certonly can do. However, if you use --apache it will also be using mod_ssl for the temporary virtualhost (that you never see) created during the authorization process. If you want to use Certbot and don't want mod_ssl to ever be used, right now you ought to use certbot certonly --webroot.
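The workflow described in the answer above, as an added example that is not from the thread or from the Certbot project: obtain the certificate with the webroot authenticator (so mod_ssl is never loaded), then serve it from a mod_gnutls virtual host. The domain, webroot path and GnuTLS priority string are assumptions; the /etc/letsencrypt/live/ paths are Certbot's standard layout.

```shell
#!/bin/sh
# Added example (not from the thread). DOMAIN and WEBROOT are placeholders.

# The certbot invocation: HTTP-01 validation writes a token under
# $WEBROOT/.well-known/acme-challenge/, which the plain-HTTP vhost must serve.
# No --apache, so certbot neither enables mod_ssl nor edits the vhost config.
certbot_webroot_cmd() {
    domain="$1"; webroot="$2"
    printf 'certbot certonly --webroot -w %s -d %s\n' "$webroot" "$domain"
}

# Render a mod_gnutls vhost pointing at the live/ symlinks certbot maintains,
# so a renewed certificate is picked up on the next Apache reload.
# The priority string is an assumption: TLS 1.2 only, 256-bit suites,
# matching the TLSv1.2/strong-cipher goal stated in the question.
render_gnutls_vhost() {
    domain="$1"
    live="/etc/letsencrypt/live/$domain"
    cat <<EOF
<VirtualHost *:443>
    ServerName $domain
    GnuTLSEnable on
    GnuTLSPriorities SECURE256:-VERS-ALL:+VERS-TLS1.2
    GnuTLSCertificateFile $live/fullchain.pem
    GnuTLSKeyFile $live/privkey.pem
</VirtualHost>
EOF
}

# Sanity check before reloading Apache: the chain must exist and must not
# already have expired (returns non-zero otherwise, so a reload can be refused).
check_cert_files() {
    live="/etc/letsencrypt/live/$1"
    [ -r "$live/fullchain.pem" ] || { echo "missing $live/fullchain.pem" >&2; return 1; }
    openssl x509 -in "$live/fullchain.pem" -noout -checkend 0 >/dev/null 2>&1
}

# Stand-alone usage: print the command to run and the vhost to install.
certbot_webroot_cmd "${1:-example.test}" "${2:-/var/www/html}"
render_gnutls_vhost "${1:-example.test}"
```

After issuance, disable mod_ssl and enable mod_gnutls (on Ubuntu, `a2dismod ssl` and `a2enmod gnutls`) and reload Apache; `certbot renew` reuses the webroot path recorded at issuance, so renewals also stay clear of mod_ssl.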
In agreement with @ahaw021, nobody has asked for this before. The installer that attempts to modify your Apache configuration file (if you use the default form, also known as certbot run, with --apache) is hard-coded to use mod_ssl directives because that's what almost all Apache users have and expect to use at the moment.