You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Steffen <in...@apachelounge.com> on 2019/08/05 12:06:52 UTC

mod_md with no vhosts, sni and ssl only, no go



I read in the new docu that you can generate a certificate for 
domains(s) that does not appear in any host.

So I did a try to generate one certificate for two domains (in Subject 
Alternative Name)

Configuration

SSL only on port 443
No vhosts



Listen 443

Protocols h2 http/1.1 acme-tls/1

MDomain apachelounge.nl www.apachelounge.nl  vosadministraties.nl 
www.vosadministraties.nl
MDCertificateAgreement 
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDRenewMode Always

ServerName land10web.com

SSLEngine on
...
...

Apache does not start. It exits with a mod_ssl error,  no SSL 
certificates configured and no other module contributed any
See attachment serror1.log



When I add to the config a valid certificate


SSLCertificateFile conf/land10web.com-chain.pem
SSLCertificateKeyFile conf/land10web.com key.pem

Then Apache starts but mod_md gives error in the log.
See attachment  serror2.log

See now e.g. : .
- server seems not reachable via http: (port 80->80) and reachable via 
https: (port 443->443)
- The https: challenge 'tls-alpn-01' is disabled because the Protocols 
configuration does not include the 'acme-tls/1' protocol. (it is in 
the protocols directive).


Or what I want is not supported, or I do some wrong. Appreciate some 
help.


- Steffen

Re: mod_md with no vhosts, sni and ssl only, no go

Posted by Stefan Eissing <st...@greenbytes.de>.

I think mod_md is not particularly suited to server setups without any VirtualHosts. I have at least no tests for this.

You can try (with a 2.4.40):

# the new, shorter form
MDCertificateAgreement accepted
# we want the base server to be managed
MDBaseServer on
# the list of domains, including one from the base server
MDomain apachelounge.nl www.apachelounge.nl  vosadministraties.nlwww.vosadministraties.nl land10web.com
# since we have no vhost, we need to say where https requests arrive
MDPortMap https:443
# since we have only https, we need to enable the new ACME tls challenge protocol
Protocols h2 http/1.1 acme-tls/1
...

- Stefan


> Am 05.08.2019 um 14:06 schrieb Steffen <in...@apachelounge.com>:
> 
> 
> I read in the new docu that you can generate a certificate for domains(s) that does not appear in any host.
> 
> So I did a try to generate one certificate for two domains (in Subject Alternative Name)
> 
> Configuration
> 
> SSL only on port 443
> No vhosts
> 
> 
> 
> Listen 443
> 
> Protocols h2 http/1.1 acme-tls/1
> 
> MDomain apachelounge.nl www.apachelounge.nl  vosadministraties.nlwww.vosadministraties.nl
> MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
> MDRenewMode Always
> 
> ServerName land10web.com
> 
> SSLEngine on 
> ...
> ...
> 
> Apache does not start. It exits with a mod_ssl error,  no SSL certificates configured and no other module contributed any
> See attachment serror1.log 
> 
> 
> When I add to the config a valid certificate
> 
> SSLCertificateFile conf/land10web.com-chain.pem
> SSLCertificateKeyFile conf/land10web.com key.pem 
> 
> Then Apache starts but mod_md gives error in the log.
> See attachment  serror2.log
> 
> See now e.g. : .
> - server seems not reachable via http: (port 80->80) and reachable via https: (port 443->443) 
> - The https: challenge 'tls-alpn-01' is disabled because the Protocols configuration does not include the 'acme-tls/1' protocol. (it is in the protocols directive).
> 
> 
> Or what I want is not supported, or I do some wrong. Appreciate some help.
> 
> 
> - Steffen
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>