[LON-CAPA-admin] SSL setup

Lars ljensen at tmcc.edu
Wed Aug 22 00:59:21 EDT 2018


Hi Stuart,

Thanks for your reply.

We're on CentOS7, and I added a file to my /etc/httpd/conf.d directory
containing only these 3 lines:
<VirtualHost *:80>
    RewriteOptions Inherit
</VirtualHost>

and now automatic renewal with certbot seems to work.

I have one more question regarding the installation of certbot.
certbot would not install without first adding the epel repository:
yum install epel-release
so I added this repository, and certbot installed. However, when I next
did a yum update, suddenly there were updates available, including
mod-perl, maxima, R, and lots more. (I worried that I broke my system,
but after uninstalling the updates, removing epel, and re-running
.UPDATE the server seems to be fine.) Could we add certbot to the
lon-capa distribution so one doesn't have to worry about the epel
repository?

Lars.
On Tue, Aug 21, 2018 at 8:28 PM Raeburn, Stuart <raeburn at msu.edu> wrote:
>
> Lars,
>
> >
> > Is it OK to leave the VirtualHost sequence above permanently in httpd.conf?
> >
>
> You can leave a <VirtualHost *:80></VirtualHost> block permanently in httpd.conf on CentOS/RedHat/Scientific Linux if you so wish.  (For other Linux distros you would put <VirtualHost *:80> in a different file).
>
> However, if you do, you should also include this line inside the virtualhost block:
> RewriteOptions Inherit
> so that the rewrite rules in /etc/httpd/conf/loncapa_rewrite.conf apply, assuming you have: RewriteEngine on
> within that file (recommended).
>
> My own experience with the Let's Encrypt certbot has been that a <VirtualHost *:443></VirtualHost> block within /etc/httpd/conf.d/ssl.conf means I don't need a <VirtualHost *:80> block in httpd.conf to satisfy certbot's requirements when renewing certs.
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
>
> ________________________________________
> From: LON-CAPA-admin <lon-capa-admin-bounces at mail.lon-capa.org> on behalf of Lars <ljensen at tmcc.edu>
> Sent: Sunday, August 19, 2018 11:24:20 PM
> To: list about administration and system updating
> Subject: [LON-CAPA-admin] SSL setup
>
> Hi Everyone,
>
> We just configured our server for https, and things seem to be
> working well, except for some issues related to the generation of the
> certificate. We're using Let's Encrypt's free certificates, generated by
> certbot.
>
> First, we had an issue generating the initial certificate, apparently
> because the loncapa httpd.conf file does not include a VirtualHost
> configuration. So I tricked certbot and included a
> <VirtualHost *:80>
>     ServerAdmin admin at example.com
>     ServerName myserver.tmcc.edu
>     ServerAlias myserver.tmcc.edu
>     DocumentRoot /home/httpd/html
> </VirtualHost>
> sequence in httpd.conf. That worked and certbot generated the
> certificate, and then I removed the VirtualHost entry again from
> httpd.conf.
>
> However, the certificate is only valid for 89 days, and needs to be
> updated at regular intervals because of this, so I created a certbot
> renew entry in my crontab. However, when crontab runs it, we get the
> same error that httpd.conf doesn't have a virtualhost entry, so no
> new certificate is generated.
>
> How can I fix this? Is it OK to leave the VirtualHost sequence above
> permanently in httpd.conf?
>
> Thanks,
> Lars.
>

*Public Records Notice:* In accordance with Nevada Revised Statutes 
(NRS) Chapter 239, this email and responses, unless otherwise made 
confidential by law, may be subject to the Nevada Public Records laws and 
may be disclosed to the public upon request.
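
A check for the RewriteOptions point made in the quoted reply, as an added example that is not part of the thread or of LON-CAPA: it lists port-80 VirtualHost blocks that do not inherit the server-level rewrite rules. The function names, sample file names and host name are constructed for illustration, and it also accepts InheritBefore, which the thread does not mention.

```shell
#!/bin/sh
# Added example, not from the thread. Lists port-80 <VirtualHost> blocks that
# lack "RewriteOptions Inherit" (InheritBefore is accepted too).

# vhosts_missing_inherit FILE...
# Prints "file:line: opening tag" per offending block; exit status 1 if any.
vhosts_missing_inherit() {
    awk '
        tolower($0) ~ /^[ \t]*<virtualhost[ \t]/ {      # block opens
            in_vh = 1; inherit = 0; start = FNR
            tag = $0; sub(/^[ \t]+/, "", tag)
            port80 = (tag ~ /:80[ \t>]/)
            next
        }
        in_vh && tolower($1) == "rewriteoptions" {      # directive names ignore case
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "inherit" || opt == "inheritbefore") inherit = 1
            }
        }
        in_vh && tolower($0) ~ /^[ \t]*<\/virtualhost>/ {   # block closes
            if (port80 && !inherit) {
                printf "%s:%d: %s\n", FILENAME, start, tag
                bad = 1
            }
            in_vh = 0
        }
        END { exit bad }
    ' "$@"
}

# write_samples DIR: constructed sample files (hypothetical names and host).
write_samples() {
    cat > "$1/ok.conf" <<'EOF'
<VirtualHost *:80>
    RewriteOptions Inherit
</VirtualHost>
EOF
    cat > "$1/bad.conf" <<'EOF'
<VirtualHost *:80>
    ServerName lms.example.edu
    DocumentRoot /home/httpd/html
</VirtualHost>
EOF
}

demo_dir=$(mktemp -d) && write_samples "$demo_dir"
vhosts_missing_inherit "$demo_dir"/*.conf || echo "add RewriteOptions Inherit to the blocks above"
rm -rf "$demo_dir"
```

On a real server the function would be pointed at /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/*.conf, for example after a certbot run that touched the Apache configuration.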