How to configure my server

I’m running a private Arch Linux (4.5.4.1-ARCH) server with Apache (2.4.20) for some private webapps (invoicing, database, testserver, backups, etc…). This machine has a dynamic IP from freedns dot org. For the sake of example, let’s say mycomputer,afraid,org.

I have a public website, let’s say www,mywebsite,com, that points to a different server altogether. To make it easier for myself, I have configured a subdomain for each service I want to access on my private server. I pointed each subdomain with a CNAME to mycomputer,afraid,org.

This is how it looks:

invoicing,mywebsite,com --> mycomputer,afraid,org (cname)
phpmyadmin,mywebsite,com --> mycomputer,afraid,org (cname)
backups,mywebsite,com --> mycomputer,afraid,org (cname)
-> Apache handles the separation between these by using vhosts

Now, I have recently discovered Let’s Encrypt and I’m in love with it. I have already converted all my public websites (which have cPanel) to use Let’s Encrypt and it’s working flawlessly. I haven’t had any problems because it’s pretty straightforward.

Obviously I would also like to get SSL going on my private websites, but I don’t know where to start. I have followed the tutorial on the Arch Linux wiki: https://wiki.archlinux.org/index.php/Let’s_Encrypt

Do I have to register the certificate for (each of) the subdomains of mywebsite,com or one for mycomputer,afraid,org?

It’s best to think of CNAMEs in the same way as symlinks: unless the application specifically looks for them, it doesn’t know what the “real” name/path is. Therefore you need a cert with the 3 sub-domains; whether the domain they point to is included or not is irrelevant.


OK, thanks, I’ll try that. It’ll be trial and error because the wiki is quite vague, but I’ll report back when I get there.

It will only generate keys for domain records with an A record (CNAMEs, as cool110 said, are basically just DNS symlinks). When you request a cert it physically checks the A records and talks to the IP specified.

If you had a static IP and not a CNAME, you could rather have

invoicing in A 1.1.1.1
phpmyadmin in A 1.1.1.1
backups in A 1.1.1.1

and then manually generate keys for invoicing.mywebsite.com and phpmyadmin.mywebsite.com etc.

OK guys, as promised, a report here. All worked well, but I lost half a day figuring out why it wouldn’t work. I constantly got the dreaded “unauthorized” error message. I started monitoring the directory I set up according to the Arch Linux wiki (webroot method), /var/lib/letsencrypt/.well-known/acme-challenge/, but there was no file created whatsoever! When I manually made a file, it got served by the webserver just fine!

But then I realized that certbot still created a .well-known directory in the webroot anyway, instead of using the one I created… very strange! (So it makes its challenges in /path/to/webroot/.well-known/acme-challenge/.) So I had to make a symlink from /path/to/webroot/.well-known to /var/lib/letsencrypt/.well-known in order for it to create the challenges in the correct directory.

Is that behaviour expected? I believe it’s somewhat unexpected, because I have this set up in my system as the Arch wiki recommended:

/etc/httpd/conf/extra/httpd-acme.conf

```apache
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
```

I made a symlink and all worked. I’m still unsure whether I made an error or not… I believe so. The Arch wiki didn’t mention anything about a symlink.
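The “unauthorized” failure reported above comes down to two paths that have to coincide: certbot’s webroot plugin writes each token to `<webroot>/.well-known/acme-challenge/<token>` (where `<webroot>` is whatever `-w` was given), while Apache answers `GET /.well-known/acme-challenge/<token>` from the directory named in the `Alias` directive. The following Python script is an added example for this thread, not code from the poster, the Arch wiki or certbot. It parses the quoted `httpd-acme.conf` fragment offline, computes both paths, and rebuilds the poster’s symlink workaround in a temporary directory to show why it made the two paths agree. All directory names in it (`/srv/http` as DocumentRoot, the temp layout) are constructed for the example.

```python
"""Check that certbot's webroot token location is the file Apache would serve.

Added example (not from the original poster, the Arch wiki or certbot).
Models the webroot flow offline: certbot writes
<webroot>/.well-known/acme-challenge/<token>, Apache serves
/.well-known/acme-challenge/<token> from the Alias target. If the two
differ, the ACME validation fetch gets a 404 and the client reports
"unauthorized".
"""
import os
import re
import tempfile

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed copy of the httpd-acme.conf fragment quoted in the thread.
SAMPLE_CONF = '''
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
'''

# Alias <url-path> <filesystem-path>, with or without quotes around the path.
ALIAS_RE = re.compile(r'^\s*Alias\s+(\S+)\s+"?([^"\s]+)"?\s*$', re.M)


def parse_alias(conf_text, url_prefix=CHALLENGE_PREFIX):
    """Return the directory Apache maps url_prefix to, or None if no Alias matches."""
    for url_path, fs_path in ALIAS_RE.findall(conf_text):
        if url_path.rstrip("/") == url_prefix.rstrip("/"):
            return fs_path.rstrip("/")
    return None


def certbot_token_path(webroot, token):
    """Where `certbot certonly --webroot -w <webroot>` writes the challenge file."""
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def apache_served_path(conf_text, token, docroot):
    """Where Apache looks for GET /.well-known/acme-challenge/<token>:
    the Alias target when one is configured, otherwise under DocumentRoot."""
    alias_dir = parse_alias(conf_text)
    if alias_dir is None:
        alias_dir = os.path.join(docroot, ".well-known", "acme-challenge")
    return os.path.join(alias_dir, token)


def webroot_matches(conf_text, webroot, docroot, token="sampletoken"):
    """True when the file certbot writes is the file Apache would serve.
    realpath() follows symlinks, so a symlinked .well-known counts as a match."""
    written = os.path.realpath(certbot_token_path(webroot, token))
    served = os.path.realpath(apache_served_path(conf_text, token, docroot))
    return written == served


def simulate_symlink_fix():
    """Rebuild the poster's workaround in a temp dir (constructed layout):
    certbot is pointed at DocumentRoot, the Alias points elsewhere, and
    DocumentRoot/.well-known is then symlinked into the Alias target.
    Returns (match_before_symlink, match_after_symlink)."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "srv", "http")
        le_dir = os.path.join(tmp, "var", "lib", "letsencrypt")
        os.makedirs(docroot)
        os.makedirs(os.path.join(le_dir, ".well-known", "acme-challenge"))
        conf = f'Alias /.well-known/acme-challenge/ "{le_dir}/.well-known/acme-challenge/"\n'
        before = webroot_matches(conf, docroot, docroot)  # -w docroot: mismatch
        os.symlink(os.path.join(le_dir, ".well-known"),
                   os.path.join(docroot, ".well-known"))
        after = webroot_matches(conf, docroot, docroot)   # symlink unifies paths
        return before, after


if __name__ == "__main__":
    # Correct invocation for the quoted config: -w /var/lib/letsencrypt
    print("-w /var/lib/letsencrypt:", webroot_matches(SAMPLE_CONF, "/var/lib/letsencrypt", "/srv/http"))
    # Pointing -w at the DocumentRoot instead reproduces the 'unauthorized' failure
    print("-w /srv/http:", webroot_matches(SAMPLE_CONF, "/srv/http", "/srv/http"))
    print("symlink workaround (before, after):", simulate_symlink_fix())
```

The cleaner fix than the symlink is to pass certbot the same directory the `Alias` names, i.e. `-w /var/lib/letsencrypt`, so the token lands in `/var/lib/letsencrypt/.well-known/acme-challenge/` without any extra filesystem plumbing; the script returns `True` for that invocation and `False` when `-w` points at the DocumentRoot.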
