Apache supports fetching server certificates via ACME (e.g. from Let's Encrypt) using a new module called _mod_md_. Configuring the module is fairly straightforward, mostly consisting of `MDomain` directives that indicate which certificates to request. Unfortunately, there is one rather annoying quirk: the certificates it obtains are not immediately available for use; the server must be reloaded before it starts using them. Fortunately, the module provides a notification mechanism via the `MDNotifyCmd` directive, which runs the specified command after a certificate has been obtained. The command executes with the privileges of the web server, which does not have permission to reload itself, so some indirection is needed to trigger the reload: the notification runs a script that creates an empty file in the server's state directory; systemd watches for that file to be created, starts another service unit that performs the actual reload, and then removes the trigger file.

Website roles and similar that want to switch to _mod_md_ for managing their certificates should depend on this role and add an `MDomain` directive to their Apache configuration file fragments.
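The notify script and the systemd path/service pair described above, as an added example rather than the role's own code. The state directory, trigger file name, unit names and the `apache2.service` name are assumptions; the point it shows is that the unprivileged web server can only ever create one fixed empty file, while the reload itself runs as root under systemd.

```shell
#!/bin/sh
# Added example, not the role's own code: the MDNotifyCmd script plus the
# systemd path/service pair that completes the reload. Every path, file and
# unit name below is an assumption, not taken from the role.

# Directory the web server user may write to. Overridable for testing.
trigger_path() {
    printf '%s/reload-pending' "${MD_STATE_DIR:-/var/lib/apache2/md-notify}"
}

# mod_md runs the command with the managed domain name as its last argument.
# It is logged but never used to build a path: whatever the name contains,
# the only file this script can ever create is the fixed trigger file.
md_notify() {
    logger -t md-notify "new certificate for '${1:-?}', requesting reload" \
        2>/dev/null || true
    ( umask 077; : > "$(trigger_path)" )   # empty file, owner-readable only
}

# True while a reload has been requested but not yet performed.
reload_pending() {
    [ -f "$(trigger_path)" ]
}

# Unit files for the privileged half. The path unit fires while the trigger
# exists; the service reloads Apache as root and removes the trigger. The
# '-' on ExecStart keeps a failed reload from blocking the removal, so a bad
# configuration cannot leave the path unit re-triggering in a loop.
systemd_units() {
    t=$(trigger_path)
    cat <<EOF
# /etc/systemd/system/md-reload.path
[Path]
PathExists=$t
Unit=md-reload.service

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/md-reload.service
[Service]
Type=oneshot
ExecStart=-/usr/bin/systemctl reload apache2.service
ExecStartPost=/usr/bin/rm -f $t
EOF
}

# Act as the notify script only when run directly under that name.
case "$0" in */md-notify) md_notify "$@" ;; esac
```

Install the script as `/usr/local/libexec/md-notify` (the path the template uses), make the trigger directory writable by the web server user only, and enable `md-reload.path`.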
17 lines
394 B
Django/Jinja
```jinja
MDCertificateAgreement accepted
MDContactEmail {{ mod_md_contact_email }}
MDNotifyCmd /usr/local/libexec/md-notify
{% if mod_md_private_keys is defined %}
MDPrivateKeys {{ mod_md_private_keys }}
{% endif %}
{% if mod_md_status_enabled %}

<Location "/md-status">
  SetHandler md-status
{% if mod_md_status_config %}
{{ mod_md_status_config | indent(2) }}
{% endif %}
</Location>
{% endif %}
```