[noob] attempt to set up Apache with LE cert on Debian8


#1

Hi all,

I am a LAMP stack novice, trying to run a website (with Drupal blog) on a Debian8 server. I have run the LE script and created a certificate. I am trying to set this up with Apache. My latest working assumption (possibly flawed) is that I need to edit default-ssl.conf and change the lines:

            SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem
            SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

I cannot find a .key file to correspond with the above, but have two .pem files:

0000_key-letsencrypt.pem 0001_key-letsencrypt.pem

Do these relate to the above? Am I barking up the wrong tree?

Thanks for any guidance,

pp


#2

The cert and key should be in /etc/letsencrypt/live//

privkey.pem is the private key.
cert.pem is the certificate or public key.

You will also need either chain.pem or fullchain.pem depending on the Apache version.
Apache 2.2.x needs

SSLCertificateFile "/etc/letsencrypt/live//cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live//privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live//chain.pem"

It is highly recommended to use the symlinks versus the actual files to help reduce the editing of config files.

Not sure which Apache ships with Debian 8 but my asthmatic Debian defaults to 2.2.x
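As an added example (not code from this thread or from the LE client), a small Python checker for the :443 vhost described above: it parses `<VirtualHost>` blocks, flags a misspelled SSL directive (which stops apache2 starting), a missing key or chain directive, paths still pointing at the Debian snakeoil placeholder, and paths into archive/ instead of the live/ symlinks. The directive allowlist and the sample config are constructed assumptions, not a full Apache parser.

```python
import re
from difflib import get_close_matches

REQUIRED = ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile")  # Apache 2.2 + LE
KNOWN = set(REQUIRED) | {"SSLCertificateChainFile"}   # small allowlist, an assumption
DIRECTIVE = re.compile(r'^\s*([A-Za-z]+)\s+["\u201c]?([^"\u201d\s]+)')  # tolerates curly quotes

def parse_vhosts(text):
    # Returns [(listen_spec, {directive: value}), ...], one entry per <VirtualHost> block.
    vhosts, current = [], None
    for line in text.splitlines():
        opened = re.match(r'\s*<VirtualHost\s+([^>]+)>', line, re.I)
        if opened:
            current = (opened.group(1).strip(), {})
            vhosts.append(current)
        elif re.match(r'\s*</VirtualHost>', line, re.I):
            current = None
        elif current is not None and not line.lstrip().startswith("#"):
            d = DIRECTIVE.match(line)
            if d:
                current[1][d.group(1)] = d.group(2)
    return vhosts

def check_ssl_vhost(directives):
    # Lists what would stop apache2 starting or leave the HTTPS vhost broken.
    problems = []
    for name in directives:
        # A near-miss spelling such as SSLCertficateKeyFile is an unknown directive to Apache.
        if name.startswith("SSL") and name not in KNOWN and get_close_matches(name, KNOWN, 1, 0.85):
            problems.append(f"misspelled directive {name}")
    problems += [f"missing {name}" for name in REQUIRED if name not in directives]
    if "SSLCertificateChainFile" not in directives and not directives.get("SSLCertificateFile", "").endswith("fullchain.pem"):
        problems.append("no chain: set SSLCertificateChainFile (2.2) or point SSLCertificateFile at fullchain.pem (2.4)")
    for name, path in directives.items():
        if name.startswith("SSLCertificate") and "snakeoil" in path:
            problems.append(f"{name} still points at the Debian placeholder cert")
        elif name.startswith("SSLCertificate") and "/etc/letsencrypt/archive/" in path:
            problems.append(f"{name} points into archive/; use the live/ symlinks so renewals apply after a reload")
    return problems

def check_config(text):
    # Problems per HTTPS vhost; plain :80 vhosts are skipped.
    return {listen: check_ssl_vhost(d) for listen, d in parse_vhosts(text) if listen.endswith(":443")}

# Constructed sample resembling default-ssl.conf after a partial edit (not a real config).
SAMPLE = """<VirtualHost *:443>
    ServerName example.invalid
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertficateKeyFile "/etc/letsencrypt/live/example.invalid/privkey.pem"
</VirtualHost>
"""
```

Running `check_config(SAMPLE)` reports the typo, the missing key directive, the missing chain and the snakeoil path for the `*:443` vhost.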


#3

Excellent, thank you!

I have added this. Thanks. I think my version of apache requires the paths not be quoted.

I have eliminated one hurdle. Apache now restarts. The website is not loading however either through https or plain http so I have some unpicking to do yet.

Many thanks!


#4

Ok, so now the site and drupal admin page are accessible over http but not https (I am simply typing https://www. in front of the domain name).

I have admittedly followed a cut and paste and hope strategy with apache config files as I struggle to know what ought to be there. Currently I have two files in /etc/apache2/sites-enabled:

default-ssl.conf pocketapocketa.cz.conf

The former is a symbolic link to /etc/apache2/sites-available/default-ssl.conf

in /etc/apache2/sites-available/ there are then:

pocketapocketa.cz.conf pocketapocketa.cz-le-ssl.conf

I think the latter was created on reloading apache following a change to some .conf files (and possibly the change to certificate paths as a result of this thread), but I am not certain.

This is, I suspect, a mess, and perhaps one better asked elsewhere. Since kroboto mentioned symlinks, however, I’ll admit I don’t know where I am supposed to be linking from / to. Perhaps this relates to the problem?

Again, apologies, this is not my forte!


#5

The symlinks I mentioned are created by the LE client. When you renew the certs the symlinks will be updated so the apache config files won't need to be edited. A simple reload of apache will load the new certs/key/chain files.

Regarding the www not working, do you have a ServerAlias set in the vhost?


#6

Ok, ServerAlias[es]:

/etc/apache2/sites-available/default-ssl.conf:
     ServerAlias *.pocketapocketa.cz
/etc/apache2/sites-available/pocketapocketa.cz-le-ssl.conf:
     ServerAlias *.pocketapocketa.cz

I am thinking there is a lot of redundancy here, and that default-ssl.conf doesn’t belong. I have also edited these files from references I have found elsewhere. Previously, they referenced pocketapocketa.cz. I found several references to *.example.com style references. The site doesn’t in fact contain any *.pocketapocketa.cz addresses so perhaps needs changing back.

But right now I’m starting to focus on another area. Port 80, but not port 443, seems to be working. The lines:


are in /etc/apache2/sites-available/pocketapocketa.cz-le-ssl.conf but not linked to in /etc/apache2/sites-enabled/

Sites themselves are linked to by the a2ensite command. Will this route to a site be considered in the same way?

YES! With some unpicking of flawed .conf files, that sorted it.

Thanks very much for your help!

pp