[solved] Multi domain httpd.conf and options-ssl-apache.conf

My web servers have an NFS share to a server that contains the SSL certs.
Meaning, the certs are not on the local web server but on a server that has access to our DNS server so that new certs or renewals can be done centrally.

The question is, does each virtual host need its own directive of:
Include /etc/letsencrypt/options-ssl-apache.conf

Or can it be specified as a global directive?

Hi @Lorance,

What are the contents of /etc/letsencrypt/options-ssl-apache.conf?

SSL directives that could apply globally, it seems.

I personally don't use it. I have my own global settings in the ssl.conf file. Mainly because I only have like 4 cipher sets and I disable SHA1 ciphers on top of the standard setup.

No, I guess it can be a global directive, but it strictly depends on its contents.

For example, you can have a server-wide cipher list: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite

The problem seems to be that later running the certbot apache thing makes changes to the httpd.conf file. Lately, it started adding another file instead and an include in the conf file but I seem to have a mix.

I don’t think it does. I believe it just modifies the virtualhost file, which gets included in httpd.conf

In any case, you can configure your server as you like it. Nothing in that file is irreplaceable.

So I can manually configure the web server and do not have to run the certbot apache/nginx options. I thought those did something in addition to configuring the web server conf.

Good to know, thanks very much.

Yes.

Here is a place to start if you’re just learning or just lazy: https://ssl-config.mozilla.org/ :wink:

Correct. I run the command with certonly option and build my vhosts.

The --apache option will create a new vhost config file & append a line in the httpd.conf file to include the new file. It's an option for those less technical.

Lazy? I hope that’s just a joke.

I was just projecting, hope you’re not offended. :wink:

It wasn’t clear but it’s fine now that you explain.

Thanks for the help.
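
Added example, not part of the thread or of Certbot: a small Python check for the "mix" described above, reporting whether one Apache config file includes options-ssl-apache.conf at global scope, inside individual VirtualHost blocks, or both. The sample config, host names and the function name `audit_includes` are constructed for illustration; it reads one file's text and does not follow nested Include lines, so run it on each included vhost file as well.

```python
import re

# Constructed sample config (not from the thread): a global Include plus
# vhosts with and without their own Include line.
SAMPLE_CONF = """\
Include /etc/letsencrypt/options-ssl-apache.conf
<VirtualHost *:80>
    ServerName a.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName a.example.com
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example.com
    # Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
"""

TARGET = "options-ssl-apache.conf"
OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</VirtualHost>", re.I)
INCLUDE = re.compile(r"Include(?:Optional)?\s+\"?(\S+?)\"?\s*$", re.I)
SERVERNAME = re.compile(r"ServerName\s+(\S+)", re.I)

def audit_includes(conf_text, target=TARGET):
    """Report where `target` is included: at global scope and/or per vhost."""
    global_lines, vhosts, current = [], [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out Include lines do not count
        if m := OPEN.match(line):
            current = {"addr": m.group(1).strip(), "name": None, "include_lines": []}
            vhosts.append(current)
        elif CLOSE.match(line):
            current = None  # back at global (server config) scope
        elif current is not None and (m := SERVERNAME.match(line)):
            current["name"] = m.group(1)
        elif (m := INCLUDE.match(line)) and m.group(1).endswith(target):
            scope = global_lines if current is None else current["include_lines"]
            scope.append(lineno)
    return {
        "global": global_lines,  # line numbers of global-scope includes
        "vhosts": vhosts,        # one entry per <VirtualHost> block
        "mixed": bool(global_lines) and any(v["include_lines"] for v in vhosts),
    }
```

A `mixed` result of `True` means the file is included both globally and inside at least one vhost, which is the state to clean up before deciding on one placement.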
