Получаем сертификат Let's Encrypt за 5 минут с помощью модуля mod_md.

Исходные данные

• Debian 12
• Apache 2.4.57-2
• Домен pupupu.site

Документация

• https://icing.github.io/mod_md/ / https://github.com/icing/mod_md
• https://httpd.apache.org/docs/2.4/mod/mod_md.html

Включаем модули

a2enmod mod_md mod_ssl

Минимальный конфиг

• MDCertificateAgreement accepted - принять условия LE
• MDContactEmail - контактный email, иначе будет использоваться из ServerAdmin
• MDomain foobar.com www.foobar.com - для каких доменов выпустить сертификат

Пример виртуального хоста Apache

# mod_md
MDCertificateAgreement accepted
MDContactEmail admin@pupupu.site
MDomain pupupu.site www.pupupu.site 
MDomain mail.pupupu.site admin.pupupu.site
 
MDStapling on
 
# md-status
<Location "/md-status">
  SetHandler md-status
  Require ip 127.0.0.1 172.16.10.0/24
</Location>
 
# server-status
<Location "/server-status">
  SetHandler server-status
  Require ip 127.0.0.1 172.16.10.0/24
</Location>
 
# https://github.com/icing/mod_md#certificate-status
#<Location "/certificate-status">
#  SetHandler certificate-status
#  Require ip 127.0.0.1 172.16.10.0/24
#</Location>
 
# http 301 redirect
<VirtualHost *:80>
  ServerName pupupu.site
  ServerAlias www.pupupu.site
  Redirect 301 / https://pupupu.site/
</VirtualHost>
 
# https
<VirtualHost *:443>
    Protocols h2 http/1.1 acme-tls/1
    DocumentRoot /srv/www/pupupu_main
    ServerAdmin admin@pupupu.site
    ServerName pupupu.site
    ServerAlias www.pupupu.site
 
    CustomLog "/var/log/apache2/pupupu.site_access.log" combined
    ErrorLog  "/var/log/apache2/pupupu.site_error_log"
 
    # php-fpm handler
    <FilesMatch ".+\.ph(ar|p|tml)$">
      SetHandler "proxy:unix:/run/php/php8.1-foobar.sock|fcgi://localhost"
    </FilesMatch>
 
    SSLEngine on
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLSessionTickets       off
 
    # OCSP managed by mod_md, so turning off
    #SSLUseStapling On
    #SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
</VirtualHost>
 
<Directory /srv/www/pupupu_main>
    # rewrite www2non-www
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www.pupupu.site [NC]
    RewriteRule ^(.*)$ https://pupupu.site/$1 [L,R=301]
 
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
 
# mail vhost
<VirtualHost *:443>
    Protocols h2 http/1.1 acme-tls/1
    SSLEngine on
    DocumentRoot /srv/www/pupupu_mail
    ServerAdmin admin@pupupu.site
    ServerName mail.pupupu.site
 
<Directory /srv/www/pupupu_mail>
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
</VirtualHost>
 
# admin vhost
<VirtualHost *:443>
    Protocols h2 http/1.1 acme-tls/1
    SSLEngine on
    DocumentRoot /srv/www/pupupu_admin
    ServerAdmin admin@pupupu.site
    ServerName admin.pupupu.site
 
<Directory /srv/www/pupupu_admin>
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
</VirtualHost>

Перезапускаем Apache

systemctl restart apache2

По адресу https://pupupu.site/md-status можно посмотреть информацию о SSL сертификате.

pupupu.site, www.pupupu.site

mail.pupupu.site, admin.pupupu.site

Что такое OCSP stapling

• Техническое: OCSP stapling в Firefox
• Вшивание OCSP в nginx
• How does OCSP stapling work?
• RFC 2560, RFC 5019

Как включить - Just the Stapling, Mam!

Информацию о OCSP можно посмотреть через Apache Module mod_status

Пример

Для OCSP можно использовать и mod_ssl и mod_md.

Виды проверок у Let's Encrypt.

Для wildcard можно использовать только dns-01.

Если например недоступен 80 порт извне, то может быть подобная ошибка

Error[Internal error (specific information not available)]: None of the ACME challenge methods configured for this domain are suitable. The http: challenge 'http-01' is disabled because the server seems not reachable on public port 80. The https: challenge 'tls-alpn-01' is disabled because the Protocols configuration does not include the 'acme-tls/1' protocol. The DNS challenge 'dns-01' is disabled because the directive 'MDChallengeDns01' is not configured. Next run in ~3 seconds

Если доступен только 443 порт, то в Protocols добавляем acme-tls/1

• TLS ALPN Challenges
• MDPortMap, Ports Ports Ports

EOM