Posted to dev@httpd.apache.org by Steffen <in...@apachelounge.com> on 2019/08/05 12:06:52 UTC
mod_md with no vhosts, sni and ssl only, no go
I read in the new docu that you can generate a certificate for
domain(s) that do not appear in any host.
So I tried to generate one certificate for two domains (in Subject
Alternative Name).
Configuration
SSL only on port 443
No vhosts
Listen 443
Protocols h2 http/1.1 acme-tls/1
MDomain apachelounge.nl www.apachelounge.nl vosadministraties.nl www.vosadministraties.nl
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDRenewMode Always
ServerName land10web.com
SSLEngine on
...
...
Apache does not start. It exits with a mod_ssl error, no SSL
certificates configured and no other module contributed any
See attachment serror1.log
When I add to the config a valid certificate
SSLCertificateFile conf/land10web.com-chain.pem
SSLCertificateKeyFile conf/land10web.com key.pem
Then Apache starts but mod_md gives an error in the log.
See attachment serror2.log
See now e.g. : .
- server seems not reachable via http: (port 80->80) and reachable via
https: (port 443->443)
- The https: challenge 'tls-alpn-01' is disabled because the Protocols
configuration does not include the 'acme-tls/1' protocol. (it is in
the protocols directive).
Either what I want is not supported, or I am doing something wrong.
Appreciate some help.
- Steffen
Re: mod_md with no vhosts, sni and ssl only, no go
Posted by Stefan Eissing <st...@greenbytes.de>.
I think mod_md is not particularly suited to server setups without any VirtualHosts. I have at least no tests for this.
You can try (with a 2.4.40):
# the new, shorter form
MDCertificateAgreement accepted
# we want the base server to be managed
MDBaseServer on
# the list of domains, including one from the base server
MDomain apachelounge.nl www.apachelounge.nl vosadministraties.nl www.vosadministraties.nl land10web.com
# since we have no vhost, we need to say where https requests arrive
MDPortMap https:443
# since we have only https, we need to enable the new ACME tls challenge protocol
Protocols h2 http/1.1 acme-tls/1
...
- Stefan
> Am 05.08.2019 um 14:06 schrieb Steffen <in...@apachelounge.com>:
>
>
> I read in the new docu that you can generate a certificate for domain(s) that do not appear in any host.
>
> So I tried to generate one certificate for two domains (in Subject Alternative Name).
>
> Configuration
>
> SSL only on port 443
> No vhosts
>
>
>
> Listen 443
>
> Protocols h2 http/1.1 acme-tls/1
>
> MDomain apachelounge.nl www.apachelounge.nl vosadministraties.nl www.vosadministraties.nl
> MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
> MDRenewMode Always
>
> ServerName land10web.com
>
> SSLEngine on
> ...
> ...
>
> Apache does not start. It exits with a mod_ssl error, no SSL certificates configured and no other module contributed any
> See attachment serror1.log
>
>
> When I add to the config a valid certificate
>
> SSLCertificateFile conf/land10web.com-chain.pem
> SSLCertificateKeyFile conf/land10web.com key.pem
>
> Then Apache starts but mod_md gives an error in the log.
> See attachment serror2.log
>
> See now e.g. : .
> - server seems not reachable via http: (port 80->80) and reachable via https: (port 443->443)
> - The https: challenge 'tls-alpn-01' is disabled because the Protocols configuration does not include the 'acme-tls/1' protocol. (it is in the protocols directive).
>
>
> Either what I want is not supported, or I am doing something wrong. Appreciate some help.
>
>
> - Steffen
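
Added example, not part of either message and not mod_md's own logic: a small Python lint that turns the four suggestions in the reply above into checks on a flat, vhost-less httpd configuration. The function names, finding labels and both sample configurations are constructed for illustration; it assumes no <VirtualHost> sections and plain host names in ServerName.

```python
# Constructed sample: the vhost-less configuration from the first post.
ORIGINAL = """\
Listen 443
Protocols h2 http/1.1 acme-tls/1
MDomain apachelounge.nl www.apachelounge.nl vosadministraties.nl www.vosadministraties.nl
MDRenewMode Always
ServerName land10web.com
SSLEngine on
"""

# Constructed sample: the same server with the directives suggested in the reply.
SUGGESTED = """\
MDCertificateAgreement accepted
MDBaseServer on
MDomain apachelounge.nl www.apachelounge.nl vosadministraties.nl www.vosadministraties.nl land10web.com
MDPortMap https:443
Listen 443
Protocols h2 http/1.1 acme-tls/1
ServerName land10web.com
SSLEngine on
"""

def directives(conf):
    """Map lower-cased directive name -> list of argument lists."""
    found = {}
    for raw in conf.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith(("#", "<")):
            continue  # skip blank lines, comments and container tags
        found.setdefault(parts[0].lower(), []).append(parts[1:])
    return found

def lint(conf):
    """Return finding labels (hypothetical names) for a base-server-only setup."""
    d = directives(conf)
    def flat(name):
        return [a.lower() for args in d.get(name, []) for a in args]
    ports = {args[0].rsplit(":", 1)[-1] for args in d.get("listen", []) if args}
    https_only = "80" not in ports
    findings = []
    if "on" not in flat("mdbaseserver"):
        findings.append("base-server-unmanaged")
    if any(name not in flat("mdomain") for name in flat("servername")):
        findings.append("servername-not-in-mdomain")
    if https_only and not any(a.startswith("https:") for a in flat("mdportmap")):
        findings.append("no-https-portmap")
    if https_only and "acme-tls/1" not in flat("protocols"):
        findings.append("no-acme-tls-protocol")
    return findings
```
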