Parliament Hill Computers Ltd

Install Certificates in Apache


What is being aimed at

The aim is to produce a web server with multiple virtual hosts that listen on port 443, i.e. serve via https. Even if this is not what you want today it is worth configuring like this: there is no disadvantage and it makes it easy if/when you want to in the future.

For every web site listening on port 443, you will want an equivalent that listens on port 80 (i.e. unencrypted). What we shall do is to arrange for the unencrypted site to redirect to the encrypted one — except for the challenge/response needed by Let's Encrypt.

Apache standard configurations

These have a file ssl.conf but what it contains differs:

Forward non SSL to SSL sites

This means that all visitors will be forced to the SSL site.

Below the configuration that you inserted earlier to allow the challenge/response, insert:

    RewriteRule ^(.*)$ https://www.example.com$1 [R=301,L]
    

Then remove all of the site specific directives below that point. There is no point — the redirect makes sure of that.

Set up the first SSL site

Do one first, get that working then worry about the others.

Start a new virtual host just below the port 80 (non SSL) one. Insert the line:

    <virtualhost _default_:443>
    

Next come the ServerName, etc., directives. Then:

    Include conf/GenericSSL.conf
    SSLCertificateFile /var/www/acme/SignedCertificates/example.crt
    SSLCertificateKeyFile /var/www/acme/RSAprivateKeys/example.key
    SSLCertificateChainFile /var/www/acme/lets-encrypt-x3-cross-signed.pem
    

Finally, put in all the site directives that you just removed from the port 80 site.

Set up the other SSL sites

These you do in the manner of the first one; the only difference is the very first line, where you put * instead of _default_:

    <virtualhost *:443>
    

Complete examples

Here is a complete example of the port 80 & port 443 vhosts.
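The following is an added example of such a vhost pair (written for this page, not the author's own file): the port 80 vhost answers the Let's Encrypt http-01 challenge itself and redirects everything else, and the port 443 vhost carries the certificate directives from the steps above. The hostnames, DocumentRoot and the /var/www/acme/challenges/ directory are assumptions.

```apache
# Port 80: serve the ACME challenge over plain http, redirect all else.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com

    # acme_tiny.py writes its token files here; Let's Encrypt fetches
    # them as http://www.example.com/.well-known/acme-challenge/<token>
    Alias /.well-known/acme-challenge/ /var/www/acme/challenges/
    <Directory /var/www/acme/challenges/>
        Options -Indexes
        Require all granted
    </Directory>

    RewriteEngine On
    # Leave the challenge path alone so validation still works over http;
    # send every other request to the https site with a permanent redirect.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^(.*)$ https://www.example.com$1 [R=301,L]
</VirtualHost>

# Port 443: the first SSL site, hence _default_ rather than *.
<VirtualHost _default_:443>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example/html

    # GenericSSL.conf holds the shared settings (SSLEngine on, protocol and
    # cipher choices) so every https vhost gets the same hardened defaults.
    Include conf/GenericSSL.conf
    SSLCertificateFile      /var/www/acme/SignedCertificates/example.crt
    SSLCertificateKeyFile   /var/www/acme/RSAprivateKeys/example.key
    # Apache 2.4.8 and later also accept the chain appended to
    # SSLCertificateFile; SSLCertificateChainFile still works but is deprecated.
    SSLCertificateChainFile /var/www/acme/lets-encrypt-x3-cross-signed.pem

    # Site-specific directives live here, not in the port 80 vhost,
    # since nothing but the challenge and the redirect is served over http.
    <Directory /var/www/example/html>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading, and confirm the redirect leaves `/.well-known/acme-challenge/` untouched before running acme_tiny.py against it.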

Here is an example of GenericSSL.conf.

Points to check

It is likely that these instructions will not work first time, partly due to differences between standard Apache configuration files.

Mozilla has a configuration generator that can help you to keep abreast of current best practice:


Next page: Ongoing maintenance

Return to How to Configure Let's Encrypt with acme_tiny.py

