Date:      Thu, 18 Jan 2018 16:04:53 -0500
From:      David Mehler <dave.mehler@gmail.com>
To:        Peter Boosten <peter@boosten.org>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: acme-client and multiple domains periodic renewal
Message-ID:  <CAPORhP5pgd%2BRL8v6SZ8YxQ9=qZ0F242y_OQ_LRxmHJpVcGyweA@mail.gmail.com>
In-Reply-To: <21941967-64AB-4585-8F16-1323CF080E54@boosten.org>
References:  <CAPORhP4HzZedjTKq0bcUUTT%2BxUSPeEcR=h7-OfdjO84JRBChTg@mail.gmail.com> <21941967-64AB-4585-8F16-1323CF080E54@boosten.org>

Hello,

Thanks for your response. My eventual end goal is to get universal
https access for all my domains, except for the acme-client
validation, which I understand must be done over http; so that is http,
everything else https. I'm using FreeBSD 10.3 and apache 2.4.

I've got two domains, each with a number of subdomains, so they are SAN
certificates. I've taken out the redirects as that appears to be
causing errors in validation.

Ideally I'd like my SAN certificates to be updated when they are due;
currently mine are not. Peter, if you could let me take a look at your
config and compare it to mine, I'd appreciate it.

Here's my configuration:

In httpd.conf:
    # Access to .well-known for acme-challenge keys
    <Directory "/usr/local/www/.well-known/">
        Options None
        AllowOverride None
        Require all granted
        # Serve challenge files as text/plain. "Header add Content-Type"
        # would emit a second Content-Type header next to Apache's own;
        # ForceType sets the response type itself.
        ForceType text/plain
    </Directory>

In a virtual host file:
#
# Virtual host file
#

<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    DocumentRoot "/usr/vhosts/example.com/htdocs/"
    ServerName www.example.com
    ServerAlias example.com www.example.com mail.example.com

    ErrorDocument 404 /errordocs/error404.htm
    # Share .well-known for renewal via acme-client (Let's Encrypt)
    Alias /.well-known/ /usr/local/www/.well-known/

    # The block below doesn't work with acme-challenges:
    # anything that isn't going to example.com/.well-known gets
    # forwarded to the https site
    #RewriteEngine on
    #RewriteCond %{REQUEST_URI} !^/.well-known
    #RewriteRule (.*) https://www.example.com$1 [R=301,L]
    # Also attempted with a plain redirect:
    #Redirect / https://www.example.com/

    ErrorLog "/usr/vhosts/example.com/logs/error.log"
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin webmaster@example.com
    DocumentRoot "/usr/vhosts/example.com/htdocs/"
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile "/usr/local/etc/ssl/acme/example.com/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/ssl/acme/private/example.com/privkey.pem"
    SSLCertificateChainFile "/usr/local/etc/ssl/acme/example.com/chain.pem"

    <Directory "/usr/vhosts/example.com/htdocs/">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l /usr/vhosts/example.com/logs/access.log-%Y-%m-%d.log 86400" combined
    </IfModule>

    # Disk cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>


Thanks.
Dave.
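A periodic check that catches the failure mode described in this thread (a renewal that silently fails, followed by an expired certificate) before visitors see an invalid certificate. This is an added example, not part of the thread or of acme-client; it assumes the path layout from the config above (/usr/local/etc/ssl/acme/<domain>/cert.pem) and a stock openssl binary, and the script name check_acme_certs.sh is hypothetical.

```shell
#!/bin/sh
# check_acme_certs.sh (hypothetical name): warn when any acme-client
# certificate is close to expiry and list the SANs it covers.
# Added example, not from the thread. Assumes $CERTDIR/<domain>/cert.pem.

CERTDIR="${CERTDIR:-/usr/local/etc/ssl/acme}"
WARN_DAYS="${WARN_DAYS:-30}"   # warn this many days before notAfter

# cert_expires_within FILE DAYS: returns 0 (true) when FILE's certificate
# expires within DAYS days, 1 otherwise. `openssl x509 -checkend N` exits
# non-zero when the certificate will expire within the next N seconds.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_sans FILE: print one DNS subjectAltName per line (empty if none).
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# check_all: walk every domain under CERTDIR and print a warning for each
# certificate inside the warning window. Returns 1 if any certificate was
# warned about (so periodic/cron can mail the output), 0 otherwise.
check_all() {
    _status=0
    for _cert in "$CERTDIR"/*/cert.pem; do
        [ -f "$_cert" ] || continue
        _domain=$(basename "$(dirname "$_cert")")
        if cert_expires_within "$_cert" "$WARN_DAYS"; then
            printf 'WARNING: %s expires within %s days (notAfter=%s)\n' \
                "$_domain" "$WARN_DAYS" \
                "$(openssl x509 -in "$_cert" -noout -enddate | sed 's/^notAfter=//')"
            printf '  covers: %s\n' "$(cert_sans "$_cert" | tr '\n' ' ')"
            _status=1
        fi
    done
    return $_status
}

# Run the check when invoked as: sh check_acme_certs.sh --run
if [ "${1:-}" = "--run" ]; then
    check_all
fi
```

Run it from a periodic or cron job that mails non-empty output; a non-zero exit means at least one certificate is inside the warning window and the renewal should be investigated.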


On 1/18/18, Peter Boosten <peter@boosten.org> wrote:
> I have a SAN certificate, and it has been renewed several times now.
>
> Let me know what you want to know exactly (will be home in a couple of
> minutes)
>
> Peter
>
>> On 18 Jan 2018, at 20:07, David Mehler <dave.mehler@gmail.com> wrote:
>>
>> Hello,
>>
>> If anyone has acme-client going with multiple domains and updating
>> through periodic.conf, please email me; I'd like to know your
>> configuration.
>>
>> Every time I think I get this going, three months later the certificates
>> don't renew and I get invalid ssl certificates when attempting to
>> access the web sites.
>>
>> Thanks.
>> Dave.
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"
>
>
