is to produce a web server with multiple virtual hosts that listen on port 443, ie serve up via https. Even if this is not what you want today it is worth configuring like this: there is no disadvantage and it makes it easy if/when you want to in the future.
For every web site listening on port 443, you will want an equivalent that listens on port 80 (ie unencrypted). What we shall do is to arrange for the unencrypted site to redirect to the encrypted one — except for the challenge/response needed by Let's Encrypt.
These have a file ssl.conf, but what it contains differs. It may contain everything that is needed to produce one port 443 virtual host; some of this will be before/outside the <virtualhost> and some within, eg ServerName & DocumentRoot.
If you have this, then you want to copy the generic virtualhost configuration to a file (eg conf/GenericSSL.conf) that you can include into all of your virtual hosts. This should not have site specific configuration such as ServerName, etc.

Then effectively comment out the site specific configuration within the ssl.conf file as below (why will be explained later). Bogus.c is not a real module, so Apache never loads it and everything inside the <IfModule> block is ignored:

    <IfModule Bogus.c>
    <virtualhost _default_:443>
        ServerName ...
        ....
    </virtualhost>
    </IfModule>
The port 80 <virtualhost>: this means that all visitors will be forced to the SSL site.

Below the configuration that you inserted earlier to allow the challenge/response, insert:

    RewriteRule ^(.*)$ https://www.example.com$1 [R=301,L]

Then remove all of the site specific directives below that point. There is no point in keeping them — the redirect makes sure of that.
Do one first, get that working, then worry about the others.

Start a new virtual host just below the port 80 (non SSL) one. Insert the line:

    <virtualhost _default_:443>

Next you have the ServerName, etc, directives. Then:

    Include conf/GenericSSL.conf
    SSLCertificateFile /var/www/acme/SignedCertificates/example.crt
    SSLCertificateKeyFile /var/www/acme/RSAprivateKeys/example.key

Finally put in all the site directives that you just removed from the port 80 site.
These you do in the manner of the first one; the only difference is the very first line, where you put * instead of _default_:

    <virtualhost *:443>
Here is a complete example of the port 80 & port 443 vhosts.
Here is an example of GenericSSL.conf.
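The following is an added example assembled from the steps above, not the tutorial's own configuration files: a port 80 vhost that answers the challenge in the clear and redirects everything else, the first port 443 vhost, and a minimal GenericSSL.conf. It assumes mod_ssl, mod_alias and mod_rewrite are loaded, that challenge files are written to /var/www/acme/challenges/, that site content lives in /var/www/example and that the domain is example.com; only the certificate, key and GenericSSL.conf paths come from the tutorial.

```apache
# Added example, not the tutorial's own files. Assumed: challenge files in
# /var/www/acme/challenges/, site content in /var/www/example, domain example.com.

# ---- file: conf/GenericSSL.conf (Include'd by every SSL site) ----
# Only settings common to all SSL sites: no ServerName, DocumentRoot or keys.
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
# SSLCipherSuite: paste the current line from the Mozilla generator linked on this page.

# ---- file: the main vhost configuration ----
# NameVirtualHost is Apache 2.2 syntax; 2.4 ignores it with a warning.
NameVirtualHost *:80
NameVirtualHost *:443

# Port 80: serve ACME challenges in the clear, redirect everything else to https.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    Alias /.well-known/acme-challenge/ /var/www/acme/challenges/
    <Directory /var/www/acme/challenges/>
        # Apache 2.4 syntax; 2.2 uses "Order allow,deny" / "Allow from all".
        Require all granted
    </Directory>
    RewriteEngine On
    # Challenge requests pass through untouched; [L] stops the redirect below.
    RewriteRule ^/\.well-known/acme-challenge/ - [L]
    # Everything else: permanent redirect, request path kept via $1.
    RewriteRule ^(.*)$ https://www.example.com$1 [R=301,L]
</VirtualHost>

# First port 443 site: _default_ as the tutorial says; later sites use *:443.
<VirtualHost _default_:443>
    ServerName www.example.com
    ServerAlias example.com
    Include conf/GenericSSL.conf
    SSLCertificateFile    /var/www/acme/SignedCertificates/example.crt
    SSLCertificateKeyFile /var/www/acme/RSAprivateKeys/example.key
    # Site directives moved here from the port 80 vhost:
    DocumentRoot /var/www/example
    <Directory /var/www/example>
        Require all granted
    </Directory>
</VirtualHost>
```

After editing, check the result with `apachectl configtest` before reloading, and confirm with `curl -I http://www.example.com/some/path` that everything except the challenge path answers 301 with a Location header pointing at https.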
It is likely that these instructions will not work first time, partly due to differences between standard Apache configuration files.
    NameVirtualHost *:80

Below it put:

    NameVirtualHost *:443
Mozilla has a configuration generator that can help you to keep abreast of current best practice:
https://wiki.mozilla.org/Security/Server_Side_TLS