How Apache 2.4.30 and later can be used to automate SSL certificate setup and renewal

Auto SSL With apache2

Published on 01/8/2020, last updated 01/13/2020

Apache 2.4.30 and later supports an experimental module called mod_md, which allows automatic SSL certificate management with Let’s Encrypt as the default provider. This greatly simplifies the management of SSL certificates: instead of setting up certbot and cron jobs to renew certificates automatically, server administrators now only need to add a few lines to their virtual host files.

This guide assumes the operating system is Ubuntu! If you use a different distro some commands may be different.

Installing a new apache version

Since mod_md is only available with Apache 2.4.30+, we need a fairly new Apache version. Sadly, the newest version on Ubuntu 18.04 is 2.4.29, so we first need to add a PPA to install from. ondrej/apache2 seems to be what most people use and recommend, so we’ll add this.

$ sudo add-apt-repository ppa:ondrej/apache2
$ sudo apt-get update

Next, Apache can be updated.

$ sudo apt install apache2

Check the apache version

$ apache2 -v
Server version: Apache/2.4.41 (Ubuntu)
Server built:   2019-08-21T20:43:21

Enabling mod_md

First mod_md must be enabled. This can be done with a2enmod.

$ sudo a2enmod md

Next, Apache must be reloaded with systemctl.

$ sudo systemctl reload apache2

Now the virtual host can be updated as shown in the minimal example below.

ServerAdmin mailto:some-valid@email.com
MDCertificateAgreement accepted
MDomain test.kevingimbel.de

<VirtualHost *:80>
        ServerName test.kevingimbel.de
        [...]
</VirtualHost>

<VirtualHost *:443>
        ServerName test.kevingimbel.de
        [...]
</VirtualHost>

The following values are required for mod_md to work properly:

  • ServerAdmin with valid e-mail address
  • ServerName in VirtualHost
  • MDomain with valid domain name
  • MDCertificateAgreement accepted to accept the ACME terms of service
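
A pre-reload check for the four values listed above, plus the 2.4.30 minimum, as an added example that is not part of the original post. The function names and the sample config are made up for illustration, and expecting every MDomain name to appear as a ServerName or ServerAlias in the same file is this check's own simplification.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: md_lint /etc/apache2/sites-available/<site>.conf

# version_ok VERSION: succeeds if VERSION (e.g. "2.4.41") is at least 2.4.30.
version_ok() {
    printf '%s\n' "$1" |
        awk -F. '{ exit !(($1 * 1000000 + $2 * 1000 + $3) >= 2004030) }'
}

# md_lint [FILE]: print one line per missing prerequisite; succeeds if none.
# Reads stdin when FILE is omitted. Directive names are matched case-insensitively.
md_lint() {
    awk '
        { sub(/^[ \t]+/, ""); d = tolower($1) }
        d == "serveradmin" && $2 ~ /@/ { admin = 1 }
        d == "mdcertificateagreement" && tolower($2) == "accepted" { agreed = 1 }
        d == "mdomain" {
            for (i = 2; i <= NF; i++)
                if ($i != "auto" && $i != "manual") md[tolower($i)] = 1
        }
        d == "servername" || d == "serveralias" {
            for (i = 2; i <= NF; i++) host[tolower($i)] = 1
        }
        END {
            if (!admin)  { print "missing: ServerAdmin with an e-mail address"; bad = 1 }
            if (!agreed) { print "missing: MDCertificateAgreement accepted"; bad = 1 }
            n = 0
            for (name in md) {
                n++
                if (!(name in host)) { print "missing: ServerName " name " for MDomain"; bad = 1 }
            }
            if (n == 0) { print "missing: MDomain"; bad = 1 }
            exit bad + 0
        }
    ' "${1:--}"
}

# Constructed sample: no agreement line, and the vhost name differs from MDomain.
md_sample_bad() {
    cat <<'EOF'
ServerAdmin mailto:admin@example.org
MDomain www.example.org
<VirtualHost *:443>
        ServerName example.org
</VirtualHost>
EOF
}
```

Running `md_sample_bad | md_lint` reports the missing agreement and the name mismatch and returns a non-zero status, so the check can gate the reload.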

After making the changes, the server must be reloaded again.

$ sudo systemctl reload apache2

With the values in place, the server will contact Let’s Encrypt, retrieve a certificate, wire it up in the backend, and serve the website over HTTPS. The mod_md documentation contains more configuration options as well as information on how to use a different Certificate Authority.

Update

Update 13.01.2020

Slight grammatical adjustments:

  • Replaced double “supports” in first sentence with “allows” and “setup” with “management”
  • Replaced “setups” with “setup and renewal” in sub headline

Kevin Gimbel is a DevOps Engineer and avid (Video) Gamer. He’s also interested in Sci-Fi, Cyberpunk, and dystopian books.
