List ecs-isp@2rosenthals.com Arkiverade meddelande #797

Från: "Massimo S." <ecs-isp@2rosenthals.com> Meddelandehuvud
Oavkodat meddelande
Ämne: Re: [eCS-ISP] Apache HTTPS
Datum: Tue, 23 Jul 2024 13:30:54 +0200
Till: eCS ISP Mailing List <ecs-isp@2rosenthals.com>

Now the apache httpd.conf part:


this rewrite http requests to the https vhost:

<VirtualHost *:80>
    ServerAdmin webmaster@yourwebsite.com
    ServerName www.yourwebsite.com
    ServerAlias yourwebsite.com
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^(www\.)?yourwebsite\.com [NC]
    RewriteCond %{HTTPS} off
    RewriteRule ^/(.*)$ https://www.yourwebsite.com/$1 [R,L]
</VirtualHost>


now the https vhost:

<VirtualHost *:443>
    ServerAdmin webmaster@yourwebsite.com
    DocumentRoot d:/apache/htdocs/yourwebsite
    ServerName www.yourwebsite.com
    ServerAlias yourwebsite.com

    SSLEngine on
    SSLCertificateFile c:/mptn/etc/ssl/uacme/www.yourwebsite.com/cert.pem
    SSLCertificateKeyFile c:/mptn/etc/ssl/uacme/private/www.yourwebsite.com/key.pem

</VirtualHost>


you don't need the chain certificate since UACME create automatically a certificate with also the chain certificate inside it


to verify your certificate you can use this web tool:

https://decoder.link/sslchecker/www.yourwebsite.com/443

that's all

massimo


Il 23/07/2024 12:20, Massimo S. ha scritto:
I use Paul's port of UACME, it can renew the www.yourwebsite.com (3rd level) cert and both the 2nd level yourwebsite.com at the same time too.


This is a simple reissue of just www.yourwebsite.. certificate.
I run uacme in a separate tree, not under the apache tree, i don't suggest
you to run it under \apache tree.
You need port 80 (HTTP) open on your webserver for this operation.
You need to create all these paths you can see down here.
You don't need Let's Encrypt chain certificates files, since uacme already by it's own
create a certificate with the chain certificate inside of the .cert, so
you have always the latest chain certificate from Let's Encrypt automatically.

I run the scripts scheduled once each 2 months (LE Certs only last 3 months),
so in case of issues i still have 1 month to fix them.
**don't forget** to add a Call SysSleep of about 10 seconds between a reissue
and another (if you runs tenths of renewals like me) or you can get problems,
i mean renewal that fails.
In your script after the renewal/s you can place the code to restart apache.



renewal (issue) script:

@attrib c:\mptn\etc\ssl\uacme\private\www.youwebsite.com\key.pem -R
@copy c:\mptn\etc\ssl\uacme\private\www.youwebsite.com\key_old.pem c:\mptn\etc\ssl\uacme\private\www.youwebsite.com\key_old2.pem
@copy c:\mptn\etc\ssl\uacme\private\www.youwebsite.com\key.pem c:\mptn\etc\ssl\uacme\private\www.youwebsite.com\key_old.pem
@del c:\mptn\etc\ssl\uacme\private\www.youwebsite.com\key.pem /N
@attrib c:\mptn\etc\ssl\uacme\www.youwebsite.com\cert.pem -R
@copy c:\mptn\etc\ssl\uacme\www.youwebsite.com\cert_old.pem c:\mptn\etc\ssl\uacme\www.youwebsite.com\cert_old2.pem
@copy c:\mptn\etc\ssl\uacme\www.youwebsite.com\cert.pem c:\mptn\etc\ssl\uacme\www.youwebsite.com\cert_old.pem
@del c:\mptn\etc\ssl\uacme\www.youwebsite.com\cert.pem /N
uacme issue www.youwebsite.com -h hook_yourwebsite_com.cmd 2>>d:\services\uacme\re.log



hook script:

parse arg var1 var2 var3 var4 var5
myfile = 'X:\apache\htdocs\yourwebsite\.well-known\acme-challenge\'||var4
call SysFileDelete 'X:\apache\htdocs\yourwebsite\.well-known\acme-challenge\'||var4
rc= LINEOUT(myfile,var5)



i'm keeping 2 bkup of private keys + certs (you can see all those copies)
hope it's all explained well

massimo


Il 22/07/2024 15:33, Dan Napier ha scritto:
Has anyone installed let’s Encrypt Certbot on OS2 .  What did you use ?

HTTPS is needed.  Or how are you installing the certs?

Dan Napier, MS, CIH

DNA Industrial Hygiene

2520 Artesia Boulevard

Redondo Beach, CA 90278-3210

310-644-1924 X 103

CSLB #773462

DNA Industrial Hygiene 800-644-1924


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message is sent to you because you are subscribed to
  the mailing list <ecs-isp@2rosenthals.com>.
To unsubscribe, E-mail to: <ecs-isp-off@2rosenthals.com>
To switch to the DIGEST mode, E-mail to <ecs-isp-digest@2rosenthals.com>
To switch to the INDEX mode, E-mail to <ecs-isp-index@2rosenthals.com>
Send administrative queries to  <ecs-isp-request@2rosenthals.com>
To subscribe (new addresses), E-mail to: <ecs-isp-on@2rosenthals.com> and reply to the confirmation email.
Web archives are publicly available at: http://lists.2rosenthals.com

This list is hosted by Rosenthal & Rosenthal, LLC
P.O. Box 281, Deer Park, NY 11729-0281. Non-
electronic communications related to content
contained in these messages should be directed
to the above address. (CAN-SPAM Act of 2003)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Prenumerera: Sändning, Uppsamling, Index.
Stoppa prenumeration
Meddelande till ListMaster