Looking for a helping hand on the following. Not directly connected to Let's Encrypt functionality, but kind of connected. Our web server is resolved by multiple FQDN names and we are looking at how to introduce dynamic vhost configuration with SSL certificates from Let's Encrypt.
Tried to implement it with simple VirtualHost directives. Everything is fine, except for one thing. In order to introduce a new host, we need to create a new VirtualHost and then restart Apache. Here is my config example:
    # One set of Define variables per host; everything below is derived from them.
    Define DocumentRoot /var/www-gac-frontend/build
    Define ServerName api.example.com
    Define CertPath /etc/letsencrypt/live

    <VirtualHost ${ServerName}:80>
        ServerName ${ServerName}
        DocumentRoot ${DocumentRoot}
        <Directory ${DocumentRoot}/>
            # Indexes enables directory listings for paths without an index file.
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/${ServerName}_error.log
        CustomLog ${APACHE_LOG_DIR}/${ServerName}_access.log combined
        ErrorDocument 500 "Maintenance in progress.<br/>Please try again in a few minutes."
    </VirtualHost>

    <VirtualHost ${ServerName}:443>
        ServerAdmin webmaster@localhost
        ServerName ${ServerName}
        # Same document root as the :80 vhost; without this line the TLS site
        # falls back to the server-wide DocumentRoot, not the directory below.
        DocumentRoot ${DocumentRoot}
        <Directory ${DocumentRoot}/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/${ServerName}_error_ssl.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/${ServerName}_access_ssl.log combined
        SSLEngine on
        # certbot keeps the current chain and key under /etc/letsencrypt/live/<host>/
        SSLCertificateFile ${CertPath}/${ServerName}/fullchain.pem
        SSLCertificateKeyFile ${CertPath}/${ServerName}/privkey.pem
        ErrorDocument 500 "Maintenance in progress.<br/>Please try again in a few minutes."
    </VirtualHost>
The other option was to use Apache mod_vhost_alias. Here is my config example.
Thank you for the reply. Trying to introduce automatic domain registration to our service. apachectl -k graceful might be an option. The only thing I'm concerned about: if something goes wrong (i.e. a misconfiguration in a dynamically created *.conf file), it might lead to a complete web server stop.
The existing worker processes will keep running with the configuration under which they were initiated. No new worker processes will be initiated until the configuration is fixed. You can always test the configuration (sudo apachectl -S) before reloading, as a matter of practice, to ensure that things won't be broken upon reload.
I'm not sure what you are trying to do can even be done within Apache.
And if anything can be found to advance this topic, it would likely be within an Apache forum, as your request is NOT specifically tied to LE (nor HTTPS).
My best recommendation is to look for other web server software that already does what you need [don't reinvent the wheel].
You could use apachectl configtest (or its equivalent apachectl -t) to check the current configuration, and reload only if it reports success. It would be quite simple:
apachectl configtest && apachectl graceful
Or:
apachectl -t && apachectl -k graceful
(The above apachectl -S is more of a human readable debugging thing IMO.)
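The check-then-reload step above, worked through as an added example that is not from any poster: a script that writes a vhost for one new hostname, runs configtest, and only then reloads, rolling the file back if the test fails. It assumes a Debian-style sites-available/sites-enabled layout and certbot's /etc/letsencrypt/live/<host>/ paths; the directory and apachectl variables are assumptions and can be overridden.

```sh
#!/bin/sh
# Added example (not from any poster): write a vhost for one new hostname,
# enable it, and reload Apache only if configtest passes; roll back otherwise.
# Assumes Debian-style sites-available/sites-enabled directories and certbot's
# /etc/letsencrypt/live/<host>/ layout; every path is overridable for testing.
SITES_DIR="${SITES_DIR:-/etc/apache2/sites-available}"
ENABLED_DIR="${ENABLED_DIR:-/etc/apache2/sites-enabled}"
CERT_PATH="${CERT_PATH:-/etc/letsencrypt/live}"
APACHECTL="${APACHECTL:-apachectl}"
# The name becomes a file name and a directive value, so accept only a plain
# lower-case DNS name (no path separators, whitespace or quotes).
valid_hostname() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}
# render_vhost HOST DOCROOT: print the TLS vhost for one name.
render_vhost() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    DocumentRoot $2
    <Directory $2/>
        AllowOverride None
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile $CERT_PATH/$1/fullchain.pem
    SSLCertificateKeyFile $CERT_PATH/$1/privkey.pem
    ErrorLog \${APACHE_LOG_DIR}/$1_error_ssl.log
</VirtualHost>
EOF
}
# add_vhost HOST DOCROOT: 0 after a successful graceful reload; non-zero, with
# nothing left behind in the config directories, if name, cert or config is bad.
add_vhost() {
    valid_hostname "$1" || { echo "invalid hostname: $1" >&2; return 2; }
    # Apache will not reload if SSLCertificateFile is missing: check it first.
    [ -r "$CERT_PATH/$1/fullchain.pem" ] || { echo "no cert for $1" >&2; return 3; }
    conf="$SITES_DIR/$1.conf"
    render_vhost "$1" "$2" > "$conf"
    ln -sf "$conf" "$ENABLED_DIR/$1.conf"
    if "$APACHECTL" configtest >/dev/null 2>&1; then
        "$APACHECTL" -k graceful
    else
        rm -f "$ENABLED_DIR/$1.conf" "$conf"   # never reload a broken config
        echo "configtest failed for $1; vhost removed" >&2
        return 1
    fi
}
```

Run it as `add_vhost api.example.com /var/www-gac-frontend/build` once certbot has issued the certificate; a failed configtest leaves the running workers untouched and the new file removed.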
Hello @rg305
Thank you for your reply! The reason why I'm asking such a question here is that the TLS certificate is pretty tightly connected to the web server configuration. So, in order not to reinvent the wheel, I decided to ask you guys how you are dealing with the configuration on the fly. Any feedback is highly appreciated.
@Osiris, @griffin, thank you, gentlemen, for your replies. Will try/move with your solution first, as I'm more familiar (but not an expert, of course) with Apache configs.