Ubuntu – Let’s Encrypt, Apache2 – Editing vhosts properly

apache2, letsencrypt, ssl

What is the proper way to edit /etc/apache2/sites-enabled when there is example.com.conf and example.com-le-ssl.conf?

Should I edit both the files when changing something? Or only one and then somehow force certbot-auto to fix it?

Best Answer

I'm not sure what the right answer to your question is, but I would suggest the following simplification:

1. Force all users to use HTTPS. The definition of the HTTP VirtualHost should look like this:

<VirtualHost *:80>

        ServerName example.com

        # Redirect Requests to HTTPS
        Redirect permanent "/" "https://example.com/"

        ErrorLog ${APACHE_LOG_DIR}/example.com.error.log
        CustomLog ${APACHE_LOG_DIR}/example.com.access.log combined

</VirtualHost>

In this way you will need to maintain only the configuration of the HTTPS VirtualHost.

2. As soon as you have generated the Let's Encrypt SSL certificate files, reference them manually in the definition of the HTTPS VirtualHost:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>

        ServerName example.com
        ServerAdmin admin@example.com

        SSLEngine on
        # The paths under /etc/letsencrypt/live/ are symlinks to the newest
        # files in /etc/letsencrypt/archive/, so they stay valid after a renewal.
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        # SSLCertificateChainFile is deprecated since Apache 2.4.8; on those
        # versions pointing SSLCertificateFile at fullchain.pem does the same job.
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

        ErrorLog ${APACHE_LOG_DIR}/example.com.error.log
        CustomLog ${APACHE_LOG_DIR}/example.com.access.log combined

        DocumentRoot /var/www/html
        <Directory /var/www/html>
              # etc...
        </Directory>

        # etc...

    </VirtualHost>
</IfModule>

3. Insert the definitions of both VirtualHosts into a single configuration file:

<VirtualHost *:80>
        # etc...
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        # etc...
    </VirtualHost>
</IfModule>

This file could be /etc/apache2/sites-available/example.com.conf.

4. Don't forget to a2dissite the unnecessary VirtualHosts (and a2ensite the necessary ones) and restart Apache.

5. Edit root's crontab and add a job that tries to renew the certificates, for example every week. Type sudo crontab -e and add this line at the bottom:

# cron turns an unescaped % in the command into a newline, so it must be written as \%
0 3 * * 0 /usr/bin/letsencrypt renew >> /var/log/letsencrypt-renew.week-$(date +\%W).log 2>&1

That's it.
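The steps above as one script, added here as an example and not code from the answer or from certbot: gen_vhost prints the combined redirect-plus-HTTPS vhost from steps 1 to 3 for a given domain, check_cert_files confirms the files it points at exist, cron_line_ok catches the unescaped % problem in a crontab entry, and install_vhost does step 4 (write, a2dissite the certbot-generated split file, a2ensite, configtest, reload). The /etc/letsencrypt/live/ paths are the ones the answer uses; the script uses fullchain.pem instead of the cert.pem plus chain.pem pair, which is equivalent on Apache 2.4.8 and later. The a2ensite, a2dissite, apache2ctl and systemctl calls are assumptions about standard Ubuntu tooling and only run when the script is invoked with "install". Two caveats worth knowing: the blanket redirect on port 80 does not break renewal, because Let's Encrypt's HTTP-01 validation follows redirects, and current certbot accepts --deploy-hook 'systemctl reload apache2' on renew so that Apache actually picks up the renewed files.

```shell
#!/bin/sh
# Added example (not from the original answer): build the single combined
# vhost file from steps 1-3 for one domain and, optionally, install it as
# step 4 describes. a2ensite/a2dissite/apache2ctl/systemctl are Ubuntu's
# standard Apache tools and are assumed present for the "install" mode.
#
# Usage:
#   sh vhost.sh example.com /var/www/html                 # print the config
#   sudo sh vhost.sh install example.com /var/www/html    # write, enable, reload

# Print a combined HTTP-redirect + HTTPS VirtualHost for $1 with
# DocumentRoot $2 (defaults to /var/www/html).
gen_vhost() {
    domain="$1"
    docroot="${2:-/var/www/html}"
    live="/etc/letsencrypt/live/$domain"
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    # Nothing is served over plain HTTP; every request is redirected.
    Redirect permanent "/" "https://$domain/"
    ErrorLog \${APACHE_LOG_DIR}/$domain.error.log
    CustomLog \${APACHE_LOG_DIR}/$domain.access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName $domain
    SSLEngine on
    # fullchain.pem is cert.pem followed by chain.pem; Apache 2.4.8+ reads
    # the intermediates from it, so no SSLCertificateChainFile is needed.
    SSLCertificateFile $live/fullchain.pem
    SSLCertificateKeyFile $live/privkey.pem
    ErrorLog \${APACHE_LOG_DIR}/$domain.error.log
    CustomLog \${APACHE_LOG_DIR}/$domain.access.log combined
    DocumentRoot $docroot
    <Directory $docroot>
        Require all granted
    </Directory>
</VirtualHost>
</IfModule>
EOF
}

# Return 0 when the certificate files the generated vhost refers to are
# readable (live/ entries are symlinks into archive/, so -r follows them).
check_cert_files() {
    live="/etc/letsencrypt/live/$1"
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$live/$f" ]; then
            echo "missing or unreadable: $live/$f" >&2
            return 1
        fi
    done
    return 0
}

# cron converts an unescaped % in a command into a newline, so a renew
# entry containing "$(date +%W)" is silently cut off at the %.
# Return 0 only when every % in the line is escaped as \%.
cron_line_ok() {
    if printf '%s\n' "$1" | grep -qE '(^|[^\\])%'; then
        printf 'unescaped %% in cron line: %s\n' "$1" >&2
        return 1
    fi
    return 0
}

# Step 4: write the combined file, disable the certbot-generated split
# file if it is enabled, enable the combined one, test the config, reload.
install_vhost() {
    domain="$1"
    docroot="${2:-/var/www/html}"
    conf="/etc/apache2/sites-available/$domain.conf"
    check_cert_files "$domain" || return 1
    gen_vhost "$domain" "$docroot" > "$conf"
    # The split file would define a second :443 vhost for the same name.
    if [ -e "/etc/apache2/sites-enabled/$domain-le-ssl.conf" ]; then
        a2dissite "$domain-le-ssl.conf"
    fi
    a2ensite "$domain.conf"
    if apache2ctl configtest; then
        systemctl reload apache2
    else
        echo "configtest failed; Apache was not reloaded" >&2
        return 1
    fi
}

if [ "${1:-}" = "install" ]; then
    install_vhost "$2" "$3"
elif [ -n "${1:-}" ]; then
    gen_vhost "$1" "$2"
fi
```

Run it without "install" first and read the generated file; the :443 block has no ServerAdmin or per-directory options, so add whatever your existing example.com-le-ssl.conf carried before switching over.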