From 6219df1e1fdb4957c69865503ccc8292f1806a63 Mon Sep 17 00:00:00 2001
From: Simon Smith
Date: Sun, 27 Apr 2025 20:51:31 +0100
Subject: [PATCH] changed letsecnrypt to fullchain for other ca providers, also removed 2.2 as doesnt exist anymore
---
 Deploy-ssl-certs-to-apache-server.md | 39 ++++++++++++++++++++--------
 1 file changed, 28 insertions(+), 11 deletions(-)
diff --git a/Deploy-ssl-certs-to-apache-server.md b/Deploy-ssl-certs-to-apache-server.md
index 1bbed27..ffb173b 100644
--- a/Deploy-ssl-certs-to-apache-server.md
+++ b/Deploy-ssl-certs-to-apache-server.md
@@ -1,22 +1,22 @@
 ## 1. run acme.sh to copy the certificates to the correct location on the disk
 ### 1.1) create a sensible directory to store your apache certificates
-I chose /etc/apache2/2.2/ssl
+I chose /etc/apache2/ssl
 ```
-mkdir -p /etc/apache2/2.2/ssl
+mkdir -p /etc/apache2/ssl
 ```
 ### 1.2) run acme.sh
 A few notes:
 * the parameters are stored in the .acme.sh configuration file, so get it right for your system as this file is read when the cron job runs
-* "reloadcmd" is dependent on your operating system, system V Linux systems use the command "service apache2 force-reload", Solaris based systems use "svcadm restart apache22" or similar
+* "reloadcmd" is dependent on your operating system, system V Linux systems use the command "service apache2 force-reload", Solaris based systems use "svcadm restart apache2" or similar
 ```
 acme.sh --install-cert -d online.domain.com \
---cert-file /etc/apache2/2.2/ssl/online.domain.com-cert.pem \
---key-file /etc/apache2/2.2/ssl/online.domain.com-key.pem \
---fullchain-file /etc/apache2/2.2/ssl/letsencrypt.pem \
+--cert-file /etc/apache2/ssl/online.domain.com-cert.pem \
+--key-file /etc/apache2/ssl/online.domain.com-key.pem \
+--fullchain-file /etc/apache2/ssl/fullchain.pem \
 --reloadcmd "service apache2 force-reload"
 ```
@@ -25,10 +25,27 @@ acme.sh --install-cert -d online.domain.com \
 There are so many ways to do this, it would take a long list to write every variant, however the specific codes you will need to set in your httpd.conf (or ssl.conf, or httpd-ssl.conf) are:
 ```
-SSLCertificateFile /etc/apache2/2.2/ssl/online.domain.com-cert.pem
-SSLCertificateKeyFile /etc/apache2/2.2/ssl/online.domain.com-key.pem
-SSLCertificateChainFile "/etc/apache2/2.2/ssl/letsencrypt.pem"
+SSLCertificateFile /etc/apache2/ssl/online.domain.com-cert.pem
+SSLCertificateKeyFile /etc/apache2/ssl/online.domain.com-key.pem
+SSLCertificateChainFile "/etc/apache2/ssl/fullchain.pem"
-SSLCACertificatePath "/etc/apache2/2.2/ssl/"
-SSLCACertificateFile "/etc/apache2/2.2/ssl/letsencrypt.pem"
+SSLCACertificatePath "/etc/apache2/ssl/"
+SSLCACertificateFile "/etc/apache2/ssl/fullchain.pem"
+```
+
+**Full sample apache ssl config**
+```
+
+ ServerAdmin online@domain.com
+ ServerName online.domain.com
+ DocumentRoot /var/www/html
+ ErrorLog ${APACHE_LOG_DIR}/onlinedomaincom-ssl-error.log
+ CustomLog ${APACHE_LOG_DIR}/onlinedomaincom-ssl-access.log combined
+ SSLEngine on
+ SSLCertificateFile /etc/apache2/ssl/online.domain.com-cert.pem
+ SSLCertificateKeyFile /etc/apache2/ssl/online.domain.com-key.pem
+ SSLCertificateChainFile "/etc/apache2/ssl/fullchain.pem"
+ SSLCACertificatePath "/etc/apache2/ssl/"
+ SSLCACertificateFile "/etc/apache2/ssl/fullchain.pem"
+
 ```