From: "Massimo S."
Reply-To: ml@ecomstation.it
Subject: Re: [eCS-ISP] Apache HTTPS
To: eCS ISP Mailing List
Organization: Massimo S.
Message-ID: <646b4437-17af-b689-4e9c-5fb8c769332c@ecomstation.it>
Date: Tue, 23 Jul 2024 13:30:54 +0200

Now the Apache httpd.conf part.

This rewrites HTTP requests to the HTTPS vhost:

    # <VirtualHost> tags were lost in the archive; *:80 is assumed
    <VirtualHost *:80>
        ServerAdmin webmaster@yourwebsite.com
        ServerName www.yourwebsite.com
        ServerAlias yourwebsite.com
        RewriteEngine on
        RewriteCond %{HTTP_HOST} ^(www\.)?yourwebsite\.com [NC]
        RewriteCond %{HTTPS} off
        RewriteRule ^/(.*)$ https://www.yourwebsite.com/$1 [R,L]
    </VirtualHost>

Now the HTTPS vhost:

    # <VirtualHost> tags were lost in the archive; *:443 is assumed
    <VirtualHost *:443>
        ServerAdmin webmaster@yourwebsite.com
        DocumentRoot d:/apache/htdocs/yourwebsite
        ServerName www.yourwebsite.com
        ServerAlias yourwebsite.com
        SSLEngine on
        SSLCertificateFile c:/mptn/etc/ssl/uacme/www.yourwebsite.com/cert.pem
        SSLCertificateKeyFile c:/mptn/etc/ssl/uacme/private/www.yourwebsite.com/key.pem
    </VirtualHost>

You don't need the chain certificate, since UACME automatically creates a certificate with the chain certificate inside it.

To verify your certificate you can use this web tool:
https://decoder.link/sslchecker/www.yourwebsite.com/443

That's all.

massimo

On 23/07/2024 12:20, Massimo S. wrote:
> I use Paul's port of UACME; it can renew the www.yourwebsite.com (3rd level) cert and the 2nd level
> yourwebsite.com at the same time too.
>
> This is a simple reissue of just www.yourwebsite.. certificate.
> I run uacme in a separate tree, not under the apache tree; I don't suggest
> you run it under the \apache tree.
> You need port 80 (HTTP) open on your webserver for this operation.
> You need to create all these paths you can see down here.
> You don't need Let's Encrypt chain certificate files, since uacme on its own already
> creates a certificate with the chain certificate inside the .cert, so
> you always have the latest chain certificate from Let's Encrypt automatically.
>
> I run the scripts scheduled once every 2 months (LE certs only last 3 months),
> so in case of issues I still have 1 month to fix them.
> **Don't forget** to add a Call SysSleep of about 10 seconds between one reissue
> and another (if you run tens of renewals like me) or you can get problems,
> I mean renewals that fail.
> In your script, after the renewal(s), you can place the code to restart apache.
>
> renewal (issue) script:
>
> @attrib c:\mptn\etc\ssl\uacme\private\www.yourwebsite.com\key.pem -R
> @copy c:\mptn\etc\ssl\uacme\private\www.yourwebsite.com\key_old.pem c:\mptn\etc\ssl\uacme\private\www.yourwebsite.com\key_old2.pem
> @copy c:\mptn\etc\ssl\uacme\private\www.yourwebsite.com\key.pem c:\mptn\etc\ssl\uacme\private\www.yourwebsite.com\key_old.pem
> @del c:\mptn\etc\ssl\uacme\private\www.yourwebsite.com\key.pem /N
> @attrib c:\mptn\etc\ssl\uacme\www.yourwebsite.com\cert.pem -R
> @copy c:\mptn\etc\ssl\uacme\www.yourwebsite.com\cert_old.pem c:\mptn\etc\ssl\uacme\www.yourwebsite.com\cert_old2.pem
> @copy c:\mptn\etc\ssl\uacme\www.yourwebsite.com\cert.pem c:\mptn\etc\ssl\uacme\www.yourwebsite.com\cert_old.pem
> @del c:\mptn\etc\ssl\uacme\www.yourwebsite.com\cert.pem /N
> uacme issue www.yourwebsite.com -h hook_yourwebsite_com.cmd 2>>d:\services\uacme\re.log
>
> hook script:
>
> /* uacme hook: var4 = challenge token (file name), var5 = key authorization (file content) */
> parse arg var1 var2 var3 var4 var5
> myfile = 'X:\apache\htdocs\yourwebsite\.well-known\acme-challenge\'||var4
> call SysFileDelete 'X:\apache\htdocs\yourwebsite\.well-known\acme-challenge\'||var4
> rc= LINEOUT(myfile,var5)
>
> I'm keeping 2 backups of private keys + certs (you can see all those copies).
> Hope it's all explained well.
>
> massimo
>
> On 22/07/2024 15:33, Dan Napier wrote:
>> Has anyone installed Let's Encrypt Certbot on OS2? What did you use?
>>
>> HTTPS is needed. Or how are you installing the certs?
>>
>> Dan Napier, MS, CIH
>> DNA Industrial Hygiene
>> 2520 Artesia Boulevard
>> Redondo Beach, CA 90278-3210
>> 310-644-1924 X 103
>> CSLB #773462
>> DNA Industrial Hygiene 800-644-1924
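
A stricter variant of the hook script quoted above, as an added example that is not part of the original messages or of uacme itself. It assumes uacme's documented hook arguments (method, type, ident, token, auth) and that a non-zero exit on "begin" declines the offered challenge; the web-root path is the same placeholder used in the message.

```rexx
/* Added example: uacme http-01 hook with input checks (OS/2 REXX).  */
/* webroot is a placeholder path, as in the quoted hook script.      */
parse arg method type ident token auth .
webroot = 'X:\apache\htdocs\yourwebsite\.well-known\acme-challenge\'

call RxFuncAdd 'SysLoadFuncs', 'RexxUtil', 'SysLoadFuncs'
call SysLoadFuncs

/* Decline every challenge type except http-01: a non-zero exit on   */
/* "begin" tells uacme to try the next type offered by the CA.       */
if type <> 'http-01' then exit 1

/* The token becomes a file name under the web root, so accept only  */
/* base64url characters (RFC 8555). This refuses '\', '/', ':' and   */
/* '.', which could otherwise point outside the challenge directory. */
b64url = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
if token = '' | verify(token, b64url) <> 0 then exit 1

myfile = webroot || token
select
  when method = 'begin' then do
    call SysFileDelete myfile
    if lineout(myfile, auth) <> 0 then exit 1  /* write failed       */
    call lineout myfile                        /* close the file     */
  end
  when method = 'done' | method = 'failed' then
    call SysFileDelete myfile                  /* remove the response */
  otherwise
    exit 1                                     /* unknown method     */
end
exit 0
```

Unlike the quoted hook, this one removes the challenge file once validation has finished, so key authorizations do not accumulate under the web root.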