[LON-CAPA-admin] SSL setup

Raeburn, Stuart raeburn at msu.edu
Tue Aug 21 23:24:07 EDT 2018


Lars,

>
> Is it OK to leave the VirtualHost sequence above permanently in httpd.conf?
>

You can leave a <VirtualHost *:80></VirtualHost> block permanently in httpd.conf on CentOS/RedHat/Scientific Linux if you so wish.  (For other Linux distros you would put <VirtualHost *:80> in a different file).

However, if you do, you should also include this line inside the virtualhost block:
RewriteOptions Inherit
so that the rewrite rules in /etc/httpd/conf/loncapa_rewrite.conf apply, assuming you have: RewriteEngine on
within that file (recommended).

My own experience with the Let's Encrypt certbot has been that a <VirtualHost *:443></VirtualHost> block within /etc/httpd/conf.d/ssl.conf means I don't need a <VirtualHost *:80> block in httpd.conf to satisfy certbot's requirements when renewing certs.

Stuart Raeburn
LON-CAPA Academic Consortium

________________________________________
From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Lars <ljensen at tmcc.edu>
Sent: Sunday, August 19, 2018 11:24:20 PM
To: list about administration and system updating
Subject: [LON-CAPA-admin] SSL setup

Hi Everyone,

We just configured our server for https, and things seem to be
working well, except for some issues related to the generation of the
certificate. We're using Let's Encrypt's free certificates, generated by
certbot.

First, we had an issue generating the initial certificate, apparently
because the loncapa httpd.conf file does not include a VirtualHost
configuration. So I tricked certbot and included a
<VirtualHost *:80>
    ServerAdmin admin at example.com
    ServerName myserver.tmcc.edu
    ServerAlias myserver.tmcc.edu
    DocumentRoot /home/httpd/html
</VirtualHost>
sequence in httpd.conf. That worked and certbot generated the
certificate, and then I removed the VirtualHost entry again from
httpd.conf.

However, the certificate is only valid for 89 days, and needs to be
updated at regular intervals because of this, so I created a certbot
renew entry in my crontab. However, when crontab runs it, we get the
same error that httpd.conf doesn't have a virtualhost entry, so no
new certificate is generated.

How can I fix this? Is it OK to leave the VirtualHost sequence above
permanently in httpd.conf?

Thanks,
Lars.
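
An added example, not part of the original thread and not LON-CAPA's own code: a small check that lists every VirtualHost block in a config text that lacks the RewriteOptions Inherit line recommended in the reply above. The sample config and the function name are constructed for illustration, and the check assumes the whole config is in one text (it does not follow Include directives).

```python
import re

# Constructed sample config: the first block only has the directive commented
# out, the second has it written in lower case (Apache directive names are
# case-insensitive).
SAMPLE_CONF = """\
# constructed httpd.conf fragment for illustration
<VirtualHost *:80>
    ServerName myserver.example.edu
    DocumentRoot /home/httpd/html
    # RewriteOptions Inherit
</VirtualHost>

<virtualhost *:443>
    ServerName myserver.example.edu
    rewriteoptions inherit
</VirtualHost>
"""

OPEN_RE = re.compile(r"^<VirtualHost\s+([^>]*)>", re.IGNORECASE)
CLOSE_RE = re.compile(r"^</VirtualHost\s*>", re.IGNORECASE)
# InheritBefore (Apache 2.4) also pulls in the parent scope's rules, so accept it.
INHERIT_RE = re.compile(r"^RewriteOptions\b.*\bInherit(Before)?\b", re.IGNORECASE)


def vhosts_missing_inherit(conf_text):
    """Return [(line_no, address)] for VirtualHost blocks without RewriteOptions Inherit."""
    missing = []
    current = None  # [line_no, address, has_inherit] while inside a block
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never count as directives
        opened = OPEN_RE.match(line)
        if opened:
            current = [line_no, opened.group(1).strip(), False]
        elif CLOSE_RE.match(line) and current:
            if not current[2]:
                missing.append((current[0], current[1]))
            current = None
        elif current and INHERIT_RE.match(line):
            current[2] = True
    return missing


if __name__ == "__main__":
    for line_no, address in vhosts_missing_inherit(SAMPLE_CONF):
        print(f"line {line_no}: <VirtualHost {address}> has no RewriteOptions Inherit")
```
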
