How to integrate a wildcard certificate with Apache


#1

I got a generic certificate for my domain (vhost.fr).

How do I integrate this certificate into my infrastructure?

Server CENTOS7-4, Reverse proxy Apache (httpd 2.4.6).
Do I need to set up httpd.conf or set up each virtualhost?
Can we use the httpd acme MOD_MD module in a production environment?
If so, what should be put behind the MDCertificateAgreement directive?

Thanks for your answers.


#2

I’m not really sure what your question is.

It really depends on how your infrastructure and current Apache configuration is organised. Do you use name based virtual hosts or do you just have one single site running on that Apache?

Also, as far as I know, mod_md is used to retrieve certificates “on the fly”. But you already have a certificate and presumably a way to automatically renew the certificate every 60 days…

So, again, could you please elaborate more on what you want to accomplish? Because a wildcard certificate isn’t that different from any other certificate. You can just use it with the SSLCertificateFile directive…


#3

Hi,

I have a problem in using the keys with Apache 2.4 (httpd).

LetsEncrypt provides 4 files:
- privkey1.pem
- fullchain1.pem
- chain1.pem
- cert1.pem

In the VirtualHost, we have:
- SSLCertificateFile -> cert1.pem
- SSLCertificateKeyFile -> privkey1.pem
- SSLCertificateChainFile -> chain1.pem
Is that correct?

There is also:
- SSLCACertificateFile -> ?
Should this directive be set? And if so, with what? fullchain.pem?


#4

You should be pointing your Apache configuration to files in /etc/letsencrypt/live/vhost.fr ONLY. Do not use /etc/letsencrypt/archive or other directories.

On Apache 2.4.6:

SSLCertificateFile /etc/letsencrypt/live/vhost.fr/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/vhost.fr/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vhost.fr/privkey.pem

Those are the only lines you need. You can use https://mozilla.github.io/server-side-tls/ssl-config-generator/ for general Apache SSL settings.

If you wanted to use mod_md, then this would REPLACE whatever method you used to get your certificate initially. It means you would discard Certbot and any existing certificates, because mod_md would issue and manage the certificate lifecycle for you.

I’m also pretty sure that mod_md only supports ACME v1 and therefore would not be able to issue a wildcard certificate, which is relevant to you.

According to the documentation, it is experimental. So, it is a risk for you to consider.

Also answered in the documentation - https://httpd.apache.org/docs/trunk/mod/mod_md.html#mdcertificateagreement
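As an added example (not from any poster in this thread), this is how the three directives from #4 fit into two name-based virtual hosts on an Apache 2.4.6 reverse proxy that share the one wildcard certificate, which also answers the httpd.conf-versus-vhost question from #1; the hostnames www.vhost.fr and app.vhost.fr, the backend ports and the loaded modules are assumptions:

```apache
# Added example, not from any poster in this thread: Apache 2.4.6 reverse
# proxy with two name-based HTTPS vhosts sharing one wildcard certificate.
# Assumes mod_ssl, mod_proxy, mod_proxy_http and mod_rewrite are loaded;
# hostnames and backend ports are made up. Paths follow #4: only the
# /etc/letsencrypt/live/ symlinks, never /etc/letsencrypt/archive/.

Listen 443 https   # omit if /etc/httpd/conf.d/ssl.conf already has it

# Settings shared by every TLS vhost can be stated once at server level;
# each <VirtualHost> below inherits them.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder     on
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

<VirtualHost *:443>
    ServerName www.vhost.fr
    SSLEngine on
    # The three directives from #4. SSLCACertificateFile (asked in #3) is
    # not needed: it is for verifying client certificates, not this chain.
    SSLCertificateFile      /etc/letsencrypt/live/vhost.fr/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/vhost.fr/chain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/vhost.fr/privkey.pem

    ProxyPreserveHost on
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

<VirtualHost *:443>
    ServerName app.vhost.fr
    SSLEngine on
    # Same three files: the wildcard covers every single-label *.vhost.fr name.
    SSLCertificateFile      /etc/letsencrypt/live/vhost.fr/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/vhost.fr/chain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/vhost.fr/privkey.pem

    ProxyPreserveHost on
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>

# Plain HTTP does nothing but redirect to HTTPS on the same host.
<VirtualHost *:80>
    ServerName www.vhost.fr
    ServerAlias app.vhost.fr
    RewriteEngine on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Run `apachectl configtest` before reloading, and confirm with `openssl x509 -noout -text -in /etc/letsencrypt/live/vhost.fr/cert.pem | grep -A1 'Subject Alternative Name'` that the SAN list really contains *.vhost.fr, otherwise clients will reject app.vhost.fr.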


#5

In case of Let’s Encrypt, their current Terms of Service are here. Those terms might (and probably will) change over time. So, the certificate renewal might require you to update this agreement URL.

It seems like it would be helpful for mod_md to have a reliable way to notify the user when this condition occurs!