How to configure my server


#1

I’m running a private Arch Linux (4.5.4.1-ARCH) server with Apache (2.4.20) for some private webapps (invoicing, database, testserver, backups, etc…). This machine has a dynamic ip from freedns dot org. For the sake of example let’s say mycomputer,afraid,org.

I have a public website, let’s say www,mywebsite,com, that points to a different server altogether. To make it easier for myself, I have configured a subdomain for each service I want to access on my private server. I pointed each subdomain to CNAME mycomputer,afraid,org.

This is how it looks

invoicing,mywebsite,com --> mycomputer,afraid,org (cname)
phpmyadmin,mywebsite,com --> mycomputer,afraid,org (cname)
backups,mywebsite,com --> mycomputer,afraid,org (cname)
--> apache handles the separation between these by using vhosts

Now I have recently discovered Let’s Encrypt, and I’m in love with it. I have already converted all my public websites (which have cPanel) to use Let’s Encrypt and it’s working flawlessly. I haven’t had any problems because it’s pretty straightforward.

Obviously I would also like to get SSL going on my private websites, but I don’t know where to start. I have followed the tutorial on the archlinux wiki. https://wiki.archlinux.org/index.php/Let’s_Encrypt

Do I have to register the certificate for (each of) the subdomains of mywebsite,com or one for mycomputer,afraid,org?


#2

It’s best to think of CNAMEs in the same way as symlinks: unless the application specifically looks for them, it doesn’t know what the “real” name/path is. Therefore you need a cert with the 3 sub-domains; whether the domain they point to is included or not is irrelevant.


#3

Ok thanks I’ll try that. It’ll be trial and error because the wiki is quite vague but I’ll report back when I get there.


#4

It will only generate keys for domain records with an A record or CNAME, and as cool110 said, CNAMEs are basically DNS symlinks. When you request a cert it physically checks the A records and talks to the IP specified.

If you had a static IP and not a CNAME you could rather have

invoicing in A 1.1.1.1
phpmyadmin in A 1.1.1.1
backups in A 1.1.1.1

and then manually generate keys for invoicing.mywebsite.com and phpmyadmin.mywebsite.com etc.


#5

Ok guys, as promised, a report here. All worked well but I lost half a day figuring out why it wouldn’t work. I constantly got the dreaded “unauthorized” error message. I started monitoring the directory I set up according to the archlinux wiki (webroot method), /var/lib/letsencrypt/.well-known/acme-challenge/, but there was no file created whatsoever! When I manually made a file, it got served by the webserver just fine!

But then I realized that certbot still created a .well-known directory in the webroot anyway instead of using the one I created… very strange! (So it makes its challenges in /path/to/webroot/.well-known/acme-challenge/.) So I had to make a symlink from /path/to/webroot/.well-known to /var/lib/letsencrypt/.well-known in order for it to create the challenges in the correct directory.

Is that behaviour expected? I believe it’s somewhat unexpected because I have this set up in my system as the arch wiki recommended:

/etc/httpd/conf/extra/httpd-acme.conf:

    Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
    <Directory "/var/lib/letsencrypt/">
        AllowOverride None
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        Require method GET POST OPTIONS
    </Directory>

I made a symlink and all worked. Still unsure about if I made an error or not… I believe so. The arch wiki didn’t mention anything about a symlink.
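The mismatch described in the post above is easy to predict on paper before running certbot: certbot’s webroot plugin always writes each token to `<webroot-path>/.well-known/acme-challenge/<token>`, while Apache serves `http://host/.well-known/acme-challenge/<token>` from whatever directory the `Alias` maps that URL prefix to. The following script, an added example and not code from the thread, the Arch wiki or certbot, models both sides and reports whether the file certbot writes is the file Apache will serve. The `DocumentRoot` value `/srv/http/invoicing`, the symlink dictionary and the token string are constructed for illustration; the `Alias` line is the one quoted in the post.

```python
"""Predict where certbot --webroot writes an HTTP-01 challenge token and where
Apache will look for it, so the two paths can be compared before a real run.
Added example: all paths except the quoted Alias line are constructed."""
import posixpath
import shlex

ACME_PREFIX = "/.well-known/acme-challenge/"

# The Alias directive from the post (httpd-acme.conf) and a constructed DocumentRoot.
ALIAS_LINES = ['Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"']
DOCROOT = "/srv/http/invoicing"  # constructed vhost webroot for the example


def parse_alias(directive):
    """Parse an Apache 'Alias <url-path> <fs-path>' line into a (url, fs) tuple."""
    parts = shlex.split(directive)
    if len(parts) != 3 or parts[0] != "Alias":
        raise ValueError("not an Alias directive: %r" % directive)
    return parts[1], parts[2]


def apache_path_for(url_path, aliases, document_root):
    """Filesystem path Apache maps a URL path to: the longest matching Alias
    prefix wins; with no match the path is taken relative to DocumentRoot."""
    for url_prefix, fs_path in sorted(aliases, key=lambda a: len(a[0]), reverse=True):
        if url_path.startswith(url_prefix):
            return posixpath.normpath(fs_path + "/" + url_path[len(url_prefix):])
    return posixpath.normpath(document_root + "/" + url_path)


def certbot_challenge_file(webroot_path, token):
    """certbot's webroot plugin writes each token below <webroot>/.well-known/acme-challenge/."""
    return posixpath.normpath(posixpath.join(webroot_path, ".well-known", "acme-challenge", token))


def resolve_symlinks(path, symlinks):
    """Rewrite a path through {link_dir: target_dir} directory symlinks. This is
    a stand-in for os.path.realpath so the example runs without touching disk."""
    for link, target in sorted(symlinks.items(), key=lambda kv: len(kv[0]), reverse=True):
        link = link.rstrip("/")
        if path == link or path.startswith(link + "/"):
            return posixpath.normpath(target + path[len(link):])
    return path


def check_webroot(webroot_path, alias_lines, document_root, symlinks=None, token="TOKEN"):
    """Return (ok, written, served): whether the file certbot writes for `token`
    is the file Apache serves for /.well-known/acme-challenge/<token>."""
    aliases = [parse_alias(line) for line in alias_lines]
    links = symlinks or {}
    written = resolve_symlinks(certbot_challenge_file(webroot_path, token), links)
    served = resolve_symlinks(apache_path_for(ACME_PREFIX + token, aliases, document_root), links)
    return written == served, written, served


if __name__ == "__main__":
    cases = [
        ("-w pointed at the vhost DocumentRoot", DOCROOT, {}),
        ("-w pointed at the Alias target", "/var/lib/letsencrypt", {}),
        ("DocumentRoot plus the symlink workaround", DOCROOT,
         {DOCROOT + "/.well-known": "/var/lib/letsencrypt/.well-known"}),
    ]
    for label, webroot, links in cases:
        ok, written, served = check_webroot(webroot, ALIAS_LINES, DOCROOT, links)
        print("%-42s %s" % (label, "OK" if ok else "MISMATCH"))
        print("    certbot writes: %s" % written)
        print("    apache serves:  %s" % served)
```

Running it shows the three situations from the post: `-w` pointing at the vhost’s DocumentRoot is a mismatch (challenges land in the webroot, Apache looks in `/var/lib/letsencrypt`), `-w /var/lib/letsencrypt` matches without any symlink, and the symlink workaround makes the two paths coincide. The `Alias` plus `<Directory>` block only tells Apache where to read; the `-w` argument is what tells certbot where to write, and the two must agree.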
