is to produce a web server with multiple virtual hosts that listen on port 443, i.e. serve via https. Even if this is not what you want today, it is worth configuring it like this: there is no disadvantage, and it makes the change easy if/when you want it in the future.
For every web site listening on port 443, you will want an equivalent that listens on port 80 (i.e. unencrypted). What we shall do is arrange for the unencrypted site to redirect to the encrypted one — except for the challenge/response needed by Let's Encrypt.
These have a file ssl.conf, but what it contains differs:
Everything that is needed to produce one port 443 virtual host is there; some of it belongs before/outside the <virtualhost> section and some within it.
If you have this, then you want to copy the generic virtualhost configuration to a file (e.g. conf/GenericSSL.conf) that you can include into all of your virtual hosts.
This should not have site specific configuration such as
Then effectively comment out the site-specific configuration within the file as below (why will be explained later). Wrapping the section in an <IfModule> test for a module that does not exist means Apache never loads it:
<IfModule Bogus.c>
<virtualhost _default_:443>
ServerName ...
....
</virtualhost>
</IfModule>
Below the configuration that you inserted earlier to allow the challenge/response, insert:
RewriteRule ^(.*)$ https://www.example.com$1 [R=301,L]
This means that all visitors will be forced to the SSL site.
Then remove all of the site-specific directives below that point. There is no point in keeping them — the redirect makes sure they are never reached.
Do one first, get that working then worry about the others.
Start a new virtual host just below the port 80 (non SSL) one. Insert the line:
Next come the ServerName, etc., directives. Then:
Include conf/GenericSSL.conf
SSLCertificateFile /var/www/acme/SignedCertificates/example.crt
SSLCertificateKeyFile /var/www/acme/RSAprivateKeys/example.key
SSLCertificateChainFile /var/www/acme/lets-encrypt-x3-cross-signed.pem
Finally, put in all the site directives that you just removed from the port 80 site.
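Putting the steps above together, this is what the port 80 / port 443 pair for one site could look like. It is an added example, not configuration from the original page: the challenge directory /var/www/acme/challenges/, the DocumentRoot /var/www/example and the log file names are assumed placeholders, and the RewriteCond that exempts the ACME path stands in for whatever challenge/response configuration you inserted earlier. Access control is written in Apache 2.4 syntax (Require); on 2.2 use Order/Allow instead.

```apache
# Port 80: serve only the Let's Encrypt challenge files, redirect everything else.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com

    # Where the ACME client writes its challenge tokens (assumed path).
    Alias /.well-known/acme-challenge/ /var/www/acme/challenges/
    <Directory /var/www/acme/challenges/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine on
    # Let the challenge/response through unencrypted: Let's Encrypt validates over plain http.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # Everything else is sent permanently to the https site.
    RewriteRule ^(.*)$ https://www.example.com$1 [R=301,L]
</VirtualHost>

# Port 443: the real site. Generic TLS settings are shared via GenericSSL.conf;
# only the per-site certificate and content directives live here.
<VirtualHost _default_:443>
    ServerName www.example.com
    ServerAlias example.com

    Include conf/GenericSSL.conf
    SSLCertificateFile      /var/www/acme/SignedCertificates/example.crt
    SSLCertificateKeyFile   /var/www/acme/RSAprivateKeys/example.key
    SSLCertificateChainFile /var/www/acme/lets-encrypt-x3-cross-signed.pem

    # Site-specific directives moved here from the port 80 host (assumed example content).
    DocumentRoot /var/www/example
    <Directory /var/www/example>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog  logs/example-ssl_error_log
    CustomLog logs/example-ssl_access_log combined
</VirtualHost>
```

Check it before reloading with `apachectl configtest`. After the reload, `curl -I http://www.example.com/` should return a 301 with a `Location: https://www.example.com/` header, while `curl -I http://www.example.com/.well-known/acme-challenge/anything` should come back as a plain 404 (or the token, if one exists) with no redirect; if the challenge path is redirected, Let's Encrypt validation will fail.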
These you do in the manner of the first one; the only difference is the very first line, where you put * instead of
Here is an example of GenericSSL.conf.
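As an added example of what such a shared file might contain (not the page's own GenericSSL.conf), the following limits the server to TLS 1.2 and later with forward-secret AEAD cipher suites. It holds only directives that are valid inside a <VirtualHost>; the directive names are standard mod_ssl/mod_headers ones, but SSLCompression and SSLSessionTickets need Apache 2.4.3 and 2.4.11 respectively, so drop them on older builds.

```apache
# GenericSSL.conf: TLS settings shared by every port 443 virtual host.
# Include this inside each <VirtualHost>; the certificate directives stay per-site.
SSLEngine on

# Only TLS 1.2 and later; SSLv3, TLS 1.0 and TLS 1.1 are disabled.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

# Forward-secret AEAD suites only; with no weak suites offered the client may choose.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off

# TLS compression (CRIME) and long-lived session tickets both weaken the session.
SSLCompression off
SSLSessionTickets off

# OCSP stapling; needs an SSLStaplingCache directive outside any <VirtualHost>.
SSLUseStapling on

# Tell browsers to insist on https for this host for the next two years.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=63072000"
</IfModule>
```

Two things to keep outside the shared file: SSLStaplingCache (for example `SSLStaplingCache shmcb:logs/ssl_stapling(32768)`) is only accepted in the main server configuration, which is the "before/outside the <virtualhost>" part of ssl.conf mentioned above; and the Strict-Transport-Security header should only be enabled once the https site is confirmed working, because browsers that have seen it will refuse to fall back to http for the whole max-age period.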
It is likely that these instructions will not work first time, partly due to differences between standard Apache configuration files.
$ wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
NameVirtualHost *:80
Below it put:
Mozilla has a configuration generator that can help you to keep abreast of current best practice: