The argument `-h /usr/share/uacme/uacme.sh` makes uacme use a hook script to publish and remove the ACME challenge, so it can run unattended, which is required when running it as a cronjob. uacme exits with status 0 only when a certificate was actually issued or renewed (status 1 means the current certificate is still valid and nothing was done, status 2 means an error), so to reload the services that use the certificate exactly when it changes, chain the reload with `&&` behind the call to uacme:
{{{
6 15 * * * /usr/bin/uacme -c /etc/uacme.d -h /usr/share/uacme/uacme.sh issue www.yourdomain.tld && /path/to/reload-script.sh
}}}

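A bare `&& reload` in the crontab reloads the web server as soon as uacme reports success, even if the files it wrote are unusable. The following wrapper is an added example (not from the page, nor uacme's own code) of what the reload script can do instead: it maps uacme's exit status to an action, and before reloading checks that the new certificate matches the private key, is not about to expire, and that the web server's configuration still parses. The script path, the `apachectl`/`systemctl` commands and the directory layout are assumptions taken from the cron line above; all of them can be overridden through the environment.

```sh
#!/bin/sh
# Hypothetical /usr/local/sbin/renew-www.sh: cron-driven uacme renewal that
# reloads Apache only when a certificate was actually issued and the new
# files pass sanity checks.  Added example; not part of the page or of uacme.
# Paths and commands are assumptions, overridable through the environment.

set -u

UACME="${UACME:-/usr/bin/uacme}"
CONFDIR="${CONFDIR:-/etc/uacme.d}"
HOOK="${HOOK:-/usr/share/uacme/uacme.sh}"
CONFIGTEST="${CONFIGTEST:-apachectl configtest}"   # expanded unquoted on purpose
RELOAD="${RELOAD:-systemctl reload httpd}"         # a graceful reload is enough

# uacme(1) exit status: 0 = certificate issued/renewed, 1 = certificate still
# valid so nothing was done, anything else = error.  Print the action to take.
uacme_action() {
    case "$1" in
        0) echo reload ;;
        1) echo noop ;;
        *) echo error ;;
    esac
}

# Succeed only if the public key in the certificate equals the one derived
# from the private key; a mismatch would make every TLS handshake fail.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed only if the certificate stays valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Issue or renew the certificate for $1.  Returns 0 when nothing needed a
# reload or the reload succeeded; non-zero (with a line on stderr, which cron
# mails) when uacme failed or the new material must not go live.
renew_and_reload() {
    domain="$1"
    cert="$CONFDIR/$domain/cert.pem"
    key="$CONFDIR/private/$domain/key.pem"

    rc=0
    "$UACME" -c "$CONFDIR" -h "$HOOK" issue "$domain" || rc=$?
    case "$(uacme_action "$rc")" in
        noop)  return 0 ;;
        error) echo "uacme failed for $domain (exit $rc)" >&2; return 2 ;;
    esac

    if ! cert_matches_key "$cert" "$key"; then
        echo "$cert does not match $key, not reloading" >&2
        return 3
    fi
    if ! cert_valid_for "$cert" 86400; then
        echo "$cert expires within a day, not reloading" >&2
        return 3
    fi
    # Never reload into a broken configuration.
    if ! $CONFIGTEST >/dev/null 2>&1; then
        echo "web server configuration test failed, not reloading" >&2
        return 4
    fi
    $RELOAD
}

# Called with a domain (e.g. from cron): do the work.  Called without one
# (e.g. sourced by a test): only define the functions above.
case "${1:-}" in
    "") ;;
    *)  renew_and_reload "$1" ;;
esac
```

With this script the crontab entry becomes `6 15 * * * /usr/local/sbin/renew-www.sh www.yourdomain.tld`; on days where the certificate is still valid it exits quietly, and a failed check leaves the running server on the old certificate while cron mails the reason.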
== Configure Apache for https
When certificates are issued they are stored in
- /etc/uacme.d/www.yourdomain.tld/ (certificate) and /etc/uacme.d/private/www.yourdomain.tld/ (private key) when using `uacme`, or
- ??? when using `certbot`
Apache needs to be configured to use those files in order to serve the site via `https`. Keep the private key readable by root only: Apache reads it while it still runs as root, before dropping privileges to its unprivileged user, so nothing else on the system needs access to it.

First, enable TLS support by loading `ssl_module` and including the SSL configuration in `/etc/httpd/httpd.conf`:
{{{
LoadModule ssl_module /usr/lib/httpd/modules/mod_ssl.so
...
Include /etc/httpd/extra/httpd-ssl.conf
...
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
}}}

Now set up the TLS virtual host in `/etc/httpd/extra/httpd-ssl.conf`, pointing `SSLCertificateFile` and `SSLCertificateKeyFile` at the files uacme wrote. Check that cert.pem contains the issuer's intermediate certificate after the server certificate: Apache 2.4.8 and later read the intermediates from `SSLCertificateFile` (older versions need `SSLCertificateChainFile`), and without them clients that do not already have the intermediate reject the chain.
{{{
<VirtualHost _default_:443>

    # General setup for the virtual host
    DocumentRoot "/srv/www"
    ServerName www.yourdomain.tld:443
    ...

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. Keep
    # in mind that if you have both an RSA and a DSA certificate you
    # can configure both in parallel (to also allow the use of DSA
    # ciphers, etc.)
    # Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
    # require an ECC certificate which can also be configured in
    # parallel.
    SSLCertificateFile "/etc/uacme.d/www.yourdomain.tld/cert.pem"

    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    # ECC keys, when in use, can also be configured in parallel
    SSLCertificateKeyFile "/etc/uacme.d/private/www.yourdomain.tld/key.pem"
    ...
</VirtualHost>
}}}
Test the configuration first (`apachectl configtest`), then restart Apache. A full restart is only needed this first time, to load `mod_ssl`; for renewed certificates a graceful reload is sufficient. Restart with
{{{
/etc/rc.d/init.d/httpd restart
}}}
or
{{{
systemctl restart httpd
}}}
Afterwards the site should be reachable via `https` with a certificate the browser trusts, so none of the warnings shown for a self-signed certificate should appear. If a browser still warns, check that the served chain includes the intermediate certificate and that the virtual host's `ServerName` is one of the names in the certificate.
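The checks behind that last paragraph can be scripted, so they can be run after the restart and again after every renewal. The following is an added example (not from the page, uacme or Apache) that inspects the certificate uacme wrote, verifying the chain is not just a bare leaf, the certificate covers the host name and it is not about to expire, and then compares the fingerprint of the certificate on disk with the one the live server presents for that name. The script path and the directory layout are assumptions taken from the configuration above; `openssl` is assumed to be installed.

```sh
#!/bin/sh
# Hypothetical /usr/local/sbin/check-tls.sh: after the restart, confirm that
# the certificate on disk is the right one and that Apache really serves it.
# Added example; not from the page, uacme or Apache.  Assumes the uacme
# directory layout used above and an openssl binary.

set -u

CONFDIR="${CONFDIR:-/etc/uacme.d}"

# Number of PEM certificates in a file (0 if it is missing or empty).
# cert.pem must carry the issuer's intermediate(s) after the leaf, or clients
# will see an incomplete chain.
pem_cert_count() {
    n=$(grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Succeed only if the certificate is valid for the given host name
# (subjectAltName, with the CN as fallback).  openssl exits 0 either way
# here, so the verdict is taken from its output.
cert_covers_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# SHA-256 fingerprint of the first certificate in a PEM file (-in FILE)
# or on stdin, without the "SHA256 Fingerprint=" prefix.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 "$@" 2>/dev/null | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate a live server presents for $1.
# -servername matters: with several <VirtualHost>s Apache chooses the
# certificate by SNI, and without it you may be testing the wrong one.
fingerprint_served() {
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null | fingerprint
}

# Offline checks on what uacme wrote.  Prints one line per finding and
# returns non-zero if anything is wrong.
check_files() {
    domain="$1"
    cert="$CONFDIR/$domain/cert.pem"
    status=0
    if [ "$(pem_cert_count "$cert")" -lt 2 ]; then
        echo "$cert holds no intermediate certificate; the served chain will be incomplete"
        status=1
    fi
    if ! cert_covers_name "$cert" "$domain"; then
        echo "$cert is not valid for $domain"
        status=1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null 2>&1; then
        echo "$cert expires within 7 days; renewal is not working"
        status=1
    fi
    return $status
}

# Online check: the leaf the server presents must be the one on disk,
# otherwise Apache was not reloaded or another virtual host answers.
check_served() {
    domain="$1"
    disk=$(fingerprint -in "$CONFDIR/$domain/cert.pem")
    live=$(fingerprint_served "$domain")
    [ -n "$disk" ] && [ "$disk" = "$live" ]
}

case "${1:-}" in
    "") ;;
    *)  check_files "$1" && check_served "$1" && echo "$1: certificate on disk is being served" ;;
esac
```

Run it as `check-tls.sh www.yourdomain.tld` from the server itself or from any host that can reach port 443; a fingerprint mismatch after a renewal almost always means the reload did not happen, while a chain length of 1 on disk means the file handed to `SSLCertificateFile` lacks the intermediate.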