Certbot with Apache – Anuj Varma, Hands-On Technology Architect, Clean Air Activist (https://www.anujvarma.com/certbot-with-apache/), published Wed, 01 Jul 2020 22:11:53 +0000. From the tag archive "letsencrypt and apache": https://www.anujvarma.com/tag/letsencrypt-and-apache/

The post Certbot with Apache appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

certbot and apache

Prelim Concepts

  • A .pfx file is a PKCS#12 archive. Typically, a PKCS#12 archive contains a certificate (possibly with its assorted set of CA certificates) and the corresponding private key.
  • A .cert (or .cer or .crt) file usually contains a single certificate, alone and without any wrapping (no private key, no password protection, just the certificate). The certificate contains the server’s public key and the CA’s signature over it (i.e. the CA asserting that this public key belongs to this domain…)

Certbot with Apache – Overview

Getting Certbot with Apache working was a little tricky. Certbot is a popular client for Let's Encrypt. It needs an ACME server to talk to, so that the server can issue a correct server certificate for the EC2 instance (or wherever else certbot is running).

Certbot’s request to the ACME server is slightly different when using the Apache plugin (also read: Installing Apache on an Amazon EC2 Linux 2 instance).

  • sudo /opt/letsencrypt/certbot-auto --apache --redirect --webroot-path /var/www/html --no-verify-ssl --agree-tos --email blah@blah.com --server https://myacmeserver.com --domains mytestdomain.com
  • The --redirect flag ensures that http requests get redirected to https
  • The --apache flag is what tells certbot to
    • a) use Apache’s plugin for the domain challenge step, and
    • b) modify the appropriate conf files in Apache (see below).

The certbot client overwrites the httpd.conf and the httpd-le-ssl.conf configuration files in Apache.

httpd.conf – certbot adds the following to the default httpd.conf (typically in the /etc/httpd/conf/ folder):

RewriteEngine on
RewriteCond %{HTTP_HOST} ^(something-else.example-prod.com|whatever.example-prod.com|...others...)$
RewriteRule ^/(.*) https://www.example-prod.com/$1 [R=permanent,L]

httpd-le-ssl.conf – certbot adds a virtual host entry to Apache’s httpd-le-ssl.conf file:

<VirtualHost *:443>
    ServerName www.example2.com
    ServerAlias example2.com
    DocumentRoot /var/www/example2.com/public_html
    ErrorLog /var/www/example2.com/error.log
    # CustomLog needs a log format (or format nickname) as its second argument
    CustomLog /var/www/example2.com/requests.log combined

    # The Directory path must match DocumentRoot, otherwise these settings never apply
    <Directory "/var/www/example2.com/public_html">
        AllowOverride all
        SSLOptions +StdEnvVars
        #Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        # Apache 2.4 access control (the 2.2 form "Order allow,deny / Allow from all"
        # only works when mod_access_compat is loaded)
        Require all granted
        # SSLRequireSSL takes no arguments
        SSLRequireSSL
    </Directory>

    SSLEngine on
    # Point these at the certbot-issued certificate and private key (both PEM encoded)
    SSLCertificateFile /etc/apache2/ssl/example2/MY_ACME_CERT.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example2/MY_ACME_KEY.key
</VirtualHost>

Note: the .crt file has to be PEM encoded (Apache only cares about the encoding, not the extension, so a .pem file works just as well).

Troubleshooting Certbot with Apache – What could go wrong?

  1. Often, even though the conf file entries shown above are correctly written, Apache doesn’t pick them up. The way you know this is by hitting a test web page on your Apache webroot (see this post). If the browser reports an insecure certificate, Apache is most likely serving you a self-signed cert instead of the correct Let's Encrypt cert.
  2. The workaround is ensuring that Apache can find the Let's Encrypt certificate. To do that, the VirtualHost for :443 must POINT to the newly issued Let's Encrypt certificate and key (shown as MY_ACME_CERT.crt and MY_ACME_KEY.key in the sample above).
  3. Restart Apache – sudo service httpd restart
  4. If you encounter errors on restarting Apache, check the error log,
     e.g. grep -i error /var/log/httpd/error_log
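A quick check for points 1 and 2 above, written as an added example (not from the original post): it compares the SHA-256 fingerprint of the certificate file named in SSLCertificateFile with the fingerprint of the certificate Apache actually presents on port 443. The host name and certificate path are assumed command-line arguments; if they differ, Apache is serving something other than the certbot-issued cert.

```python
# Added example: check that the certificate Apache serves on :443 is the one
# named by SSLCertificateFile (host and cert path are assumed CLI arguments).
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def first_pem_block(text: str) -> str:
    """Leaf (first) certificate only: certbot's fullchain.pem also carries
    the intermediate, and PEM_cert_to_DER_cert wants a single block."""
    start = text.index(PEM_BEGIN)
    end = text.index(PEM_END, start) + len(PEM_END)
    return text[start:end]

def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def fingerprint_pem(pem_text: str) -> str:
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(first_pem_block(pem_text)))

def served_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate presented for host (SNI is sent).
    Verification is disabled on purpose: we want to see what Apache serves
    even when it is a self-signed cert a browser would reject."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check_served_cert(expected_pem: str, served_der: bytes) -> dict:
    """Compare the on-disk certificate with the one actually served."""
    expected = fingerprint_pem(expected_pem)
    served = fingerprint_der(served_der)
    return {"expected": expected, "served": served, "match": expected == served}

if __name__ == "__main__":
    host, cert_path = sys.argv[1], sys.argv[2]  # e.g. www.example2.com MY_ACME_CERT.crt
    with open(cert_path) as fh:
        report = check_served_cert(fh.read(), served_cert_der(host))
    print(report)
    sys.exit(0 if report["match"] else 1)  # non-zero: Apache is serving some other cert
```

The same fingerprint can be printed with openssl x509 -noout -fingerprint -sha256 for a manual cross-check.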

Summary

Certbot with Apache, although almost fully automated, may require some tweaking to ensure that Apache can find the provisioned ACME (Let's Encrypt) certificates correctly.

Test with a browser and ensure that the certificate served to the browser is ‘valid’ (an insecure warning means Apache may be using a self-signed cert instead of your newly provisioned ACME cert).



