Attempt apache mod_md with Lets Encrypt Staging

2021-10-25 22:56:29 -05:00 · 2021-10-25 22:56:29 -05:00 · a9ce587c21
commit a9ce587c21
parent 754ce4a6f8
1 changed files with 22 additions and 2 deletions
--- a/templates/Fedora/34/etc/httpd/conf.d/vhost.conf
+++ b/templates/Fedora/34/etc/httpd/conf.d/vhost.conf
@ -1,3 +1,17 @@
+MDBaseServer on
+MDCertificateProtocol ACME
+MDCAChallenges http-01
+MDDriveMode auto
+MDPrivateKeys RSA 4096
+MDRenewWindow
+MDStoreDir md
+# MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
+# We want staging for now...
+MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory
+# MDCertificateAgreementhttps://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
+# https://httpd.apache.org/docs/trunk/mod/mod_md.html says the below works...
+MDCertificateAgreement accepted
+
 <Directory "/srv/http">
    AllowOverride None
    Require all granted
@ -58,6 +72,8 @@

 {% endfor %}
 {% endif %}
+MDomain {{ item.fqdn }}
+
 <VirtualHost *:443>
  SSLEngine on
  SSLProtocol all -TLSv1.1
@ -65,8 +81,12 @@
  SSLHonorCipherOrder on
  SSLCipherSuite PROFILE=SYSTEM
  SSLProxyCipherSuite PROFILE=SYSTEM
-  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
-  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+  # original
+  # SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+  # SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+  # mod_md should change hte default value to this
+  # SSLCertificateFile /etc/httpd/md/domains/{{ item.fqdn }}/pubcert.pem
+  # SSLCertificateKeyFile /etc/httpd/md/domains/{{ item.fqdn }}/privkey.pem
  ServerName {{ item.fqdn }}
  ServerAdmin webmaster@firedragonenterprises.com
  DocumentRoot /srv/http/{{ item.fqdn }}