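# Apache httpd vhost template (Jinja2, rendered once per entry of `http_vhost`).
# mod_md obtains certificates from Let's Encrypt via ACME http-01, the plain-HTTP
# vhosts redirect everything except the ACME challenge path to HTTPS, and the
# HTTPS vhost for the canonical name either serves /srv/http/<fqdn> directly or
# reverse-proxies to `item.proxy`.
#
# NOTE(review): this copy of the template lost its container directives
# (<VirtualHost>, <Directory>, <Location>) and its line breaks in extraction.
# The <VirtualHost> openers below are reconstructed from the directive grouping
# (redirect-only blocks = port 80, blocks with "SSLEngine on" = port 443); the
# containers whose paths could not be recovered are marked with a comment in
# place of the opener. Restore every container from the original template
# before deploying - httpd will not start with bare "Require" directives.

# ---- mod_md (ACME) global settings ----
MDBaseServer on
MDCertificateProtocol ACME
# http-01 needs port 80 reachable from the CA; the RedirectMatch rules below
# deliberately leave /.well-known/acme-challenge/ unredirected for that reason.
MDCAChallenges http-01
MDDriveMode auto
MDPrivateKeys RSA 4096
# The original line carried no argument, which httpd rejects at startup
# (the directive takes exactly one argument). 33% is mod_md's documented
# default (renew when a third of the certificate lifetime remains).
MDRenewWindow 33%
# Relative to ServerRoot, i.e. /etc/httpd/md on this host (see the commented
# pubcert.pem path further down).
MDStoreDir md
# Production endpoint, switched off while testing:
# MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
# We want staging for now. Staging certificates are NOT browser-trusted (the
# staging root differs from production), so switch back before go-live.
MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory
# MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
# https://httpd.apache.org/docs/trunk/mod/mod_md.html says the below works
# (the literal "accepted" replaces the agreement URL).
MDCertificateAgreement accepted

# <Directory ...> - container lost in extraction; restore the path from the
# original template. "Require all granted" makes everything under that path
# servable, so the path must not be "/" .
    AllowOverride None
    Require all granted
# </Directory>

{% for item in http_vhost %}
# NOTE(review): path reconstructed - the DocumentRoot is the only per-vhost
# path in this template; confirm against the original.
<Directory "/srv/http/{{ item.fqdn }}">
    # "Indexes" exposes directory listings (file names) wherever no index file
    # exists; drop it ("Options FollowSymLinks") unless listings are intended.
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
{% endfor %}

{% for item in http_vhost %}
{% if item.aliases is defined %}
{% for item_alias in item.aliases %}
# Plain-HTTP vhost for an alias: everything except the ACME challenge path is
# sent (301) to the canonical HTTPS name, preserving the request path ($0).
<VirtualHost *:80>
    ServerName {{ item_alias }}
    ServerAdmin webmaster@firedragonenterprises.com
    DocumentRoot /srv/http/{{ item.fqdn }}
    RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
</VirtualHost>
{% endfor %}
{% endif %}

# Plain-HTTP vhost for the canonical name; mod_md answers http-01 here because
# the challenge path is excluded from the redirect.
<VirtualHost *:80>
    ServerName {{ item.fqdn }}
    ServerAdmin webmaster@firedragonenterprises.com
    DocumentRoot /srv/http/{{ item.fqdn }}
    RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
</VirtualHost>

{% if item.aliases is defined %}
{% for item_alias in item.aliases %}
# HTTPS vhost for an alias: redirect-only, served with the distribution's
# self-signed certificate.
<VirtualHost *:443>
    SSLEngine on
    # Was "all -TLSv1.1", which still allowed TLSv1.0 (and SSLv3 where the
    # library offers it). Only TLS 1.2+ is enabled now. PROFILE=SYSTEM defers
    # the cipher list to the OS crypto policy; the explicit protocol floor
    # holds even if that policy is relaxed (e.g. LEGACY).
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    # NOTE(review): localhost.crt is self-signed, so browsers show a
    # certificate error for https://<alias>/ before the redirect below fires.
    # Listing the aliases in the MDomain of the canonical vhost would let
    # mod_md issue one SAN certificate covering them - confirm that is wanted
    # (every alias must then resolve to this host on port 80) before changing.
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    ServerName {{ item_alias }}
    ServerAdmin webmaster@firedragonenterprises.com
    DocumentRoot /srv/http/{{ item.fqdn }}
    RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
    # Three <Location>/<Directory> containers lost in extraction; each held a
    # single "Require all denied". Restore their paths from the original.
    Require all denied
    Require all denied
    Require all denied
</VirtualHost>
{% endfor %}
{% endif %}

# mod_md manages this name: it serves the http-01 challenge on the *:80 vhost
# above and installs the issued certificate into the *:443 vhost below, so no
# SSLCertificateFile is configured there. (MDomain is a server-config
# directive; it is kept outside the <VirtualHost> for that reason.)
MDomain {{ item.fqdn }}
<VirtualHost *:443>
    SSLEngine on
    # Same rationale as the alias vhost: TLS 1.2+ only.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    # original
    # SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    # SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    # mod_md should change the default value to this
    # SSLCertificateFile /etc/httpd/md/domains/{{ item.fqdn }}/pubcert.pem
    # SSLCertificateKeyFile /etc/httpd/md/domains/{{ item.fqdn }}/privkey.pem
    ServerName {{ item.fqdn }}
    ServerAdmin webmaster@firedragonenterprises.com
    DocumentRoot /srv/http/{{ item.fqdn }}
    Alias /error/ "/var/www/error/"
{% if item.proxy is defined %}
    # Everything is reverse-proxied to the backend except the ACME challenge
    # path (mod_md must answer it locally) and phpMyAdmin. "!" excludes a path
    # and these rules must precede the catch-all "/" rule, as they do here.
    ProxyPass "/.well-known" "!"
    ProxyPass "/phpMyAdmin" "!"
    ProxyPass "/phpmyadmin" "!"
    ProxyPass "/" "{{ item.proxy }}"
    ProxyPassReverse "/" "{{ item.proxy }}"
    # NOTE(review): if item.proxy is an https:// URL, "SSLProxyEngine on" is
    # also required - the SSLProxy* directives above only configure how such a
    # connection is made, they do not enable it.
    ProxyTimeout 300
{% endif %}
    # One <Location>/<Directory> container lost in extraction; it held
    # "Require all denied". Restore its path from the original template.
    Require all denied
</VirtualHost>
{% endfor %}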