Using SSL Wildcard Cert on Apache
-
@JaredBusch said in Using SSL Wildcard Cert on Apache:
Along this line, if you set up LE with certbot and then set up a timer to renew it daily, you will never see this again.
If you use your wildcard cert, you will have to update it again when it expires.
But, that said, setting up SSL on Apache is not all that hard. Let me look for an example.
certbot renews wildcards as well using a DNS plugin. https://certbot.eff.org/docs/using.html#dns-plugins
You don't always have to set up a timer, Ubuntu for example automatically sets up a cron job when the package is installed.
-
@mattbagan said in Using SSL Wildcard Cert on Apache:
@JaredBusch said in Using SSL Wildcard Cert on Apache:
For basic SSL you need only a couple things in your vhost file.
The vhost file goes in /etc/httpd/conf.d/
<VirtualHost *:443>
    DocumentRoot /var/www/html/nextcloud
    ServerName www.yourdomain.com
    SSLEngine on
    SSLCertificateFile /path/to/your_domain_name.crt
    SSLCertificateKeyFile /path/to/your_private.key
    SSLCertificateChainFile /path/to/you_ca_chain.crt
</VirtualHost>
Would I combine the new information with the existing nextcloud conf?
You should. It doesn't technically matter, but for organization, I would keep things in one file.
It is simply a second VirtualHost block.
-
@aaronstuder said in Using SSL Wildcard Cert on Apache:
@JaredBusch said in Using SSL Wildcard Cert on Apache:
Along this line, if you set up LE with certbot and then set up a timer to renew it daily, you will never see this again.
If you use your wildcard cert, you will have to update it again when it expires.
But, that said, setting up SSL on Apache is not all that hard. Let me look for an example.
certbot renews wildcards as well.
You don't always have to set up a timer, Ubuntu for example automatically sets up a cron job when the package is installed.
Would you just stop?
-
@JaredBusch ???
-
You're not allowed to talk @aaronstuder shhhhh
-
@aaronstuder said in Using SSL Wildcard Cert on Apache:
@JaredBusch ???
Learning process, not for production.
-
@travisdh1 said in Using SSL Wildcard Cert on Apache:
@aaronstuder said in Using SSL Wildcard Cert on Apache:
@JaredBusch ???
Learning process, not for production.
He did state this to be fair that he didn't want to use the automation of LE and to learn the manual process of adding a SSL cert to Apache.
-
@mattbagan said in Using SSL Wildcard Cert on Apache:
@scottalanmiller said in Install Nextcloud 13.0.0 on Fedora 27:
@mattbagan said in Install Nextcloud 13.0.0 on Fedora 27:
@aaronstuder I would like to use my wildcard because I've already paid for it.
Sunk cost. Using the LE one is also "already paid for" and using it doesn't cause you to lose the other wildcard.
But the logic of wanting to use something inferior only because it cost money doesn't make sense. That's like paying for it again. First you paid money, now you are paying with your time and effort.
Nothing wrong with wanting to use it, but if it costs you one second of additional effort, it was a bad choice. And it isn't like you want to renew it, so you will want to switch to LE eventually anyway. The sooner to go to LE, the less cost to you overall.
I've used LE on my original nextcloud installation but I wanted to see if I can set it up without the awesome automation help. So I can get a better understanding on how apache works. I'm not saying my cert is better than LE, I just want to use it because I have it.
You will waste a lot more time, effort, and money using this cert you already "paid" for than if you use LE.
Once you set up LE, that's it. You're done. Forever. No more buying a new one. No more setting up a new one (LE is 100% automated).
If you use your "paid" cert, you'll have to do some work at least two more times on this server...
1. Install and configure your paid cert on Apache.
2. Once paid cert expires, remove it from Apache.
3. Set up LE cert anyways.
IMO, I'd rather skip 1 and 2 and go right to 3. It's cheaper, easier, and safer.
-
@JaredBusch said in Using SSL Wildcard Cert on Apache:
@mattbagan said in Using SSL Wildcard Cert on Apache:
@JaredBusch said in Using SSL Wildcard Cert on Apache:
For basic SSL you need only a couple things in your vhost file.
The vhost file goes in /etc/httpd/conf.d/
<VirtualHost *:443>
    DocumentRoot /var/www/html/nextcloud
    ServerName www.yourdomain.com
    SSLEngine on
    SSLCertificateFile /path/to/your_domain_name.crt
    SSLCertificateKeyFile /path/to/your_private.key
    SSLCertificateChainFile /path/to/you_ca_chain.crt
</VirtualHost>
Would I combine the new information with the existing nextcloud conf?
You should. It doesn't technically matter, but for organization, I would keep things in one file.
It is simply a second VirtualHost block.
After looking at my conf, I only have one virtualhost block. That config layout for sure doesn't work.
<VirtualHost *:443>
    DocumentRoot /var/www/html/nextcloud
    ServerName www.cloud.example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ your_domain_name.crt
    SSLCertificateKeyFile /etc/pki/tls/certs /your_private.key
    SSLCertificateChainFile /etc/pki/tls/certs /you_ca_chain.crt
</VirtualHost>
Alias /nextcloud "/var/www/html/nextcloud/"
<Directory "/var/www/html/nextcloud">
    Options +FollowSymLinks
    AllowOverride All
    <IfModule mod_dav.c>
        Dav off
    </IfModule>
    SetEnv HOME /var/www/html/nextcloud
    SetEnv HTTP_HOME /var/www/html/nextcloud
</Directory>
<Directory "/var/www/nextcloud/data/">
    # just in case if .htaccess gets disabled
    Require all denied
</Directory>
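A pre-flight check for a vhost file like the ones in this thread, as an added example that is not part of the thread: it flags SSL file directives that do not carry exactly one path, and a ServerName that the certificate's names do not cover (a wildcard stands for a single label only). The config text, paths and certificate names are constructed; `name_covers` and `lint_vhosts` are hypothetical helpers.

```python
import re

# mod_ssl directives that take exactly one file path (canonical names)
SSL_FILE_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile",
                       "SSLCertificateChainFile")

def name_covers(cert_name, host):
    """True if cert_name (exact or '*.domain') covers host."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    # A wildcard replaces exactly one left-most label, so label counts must match.
    if len(c) != len(h) or "" in h:
        return False
    return c[1:] == h[1:] and (c[0] == "*" or c[0] == h[0])

def lint_vhosts(conf_text, cert_names):
    """Return (ServerName, problem) pairs for each <VirtualHost> block."""
    problems = []
    blocks = re.findall(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>",
                        conf_text, re.S | re.I)
    for block in blocks:
        args = {}  # lower-cased directive name -> argument list
        for line in block.splitlines():
            parts = line.split("#", 1)[0].split()
            if parts:
                args[parts[0].lower()] = parts[1:]
        name = (args.get("servername") or ["<none>"])[0]
        if (args.get("sslengine") or [""])[0].lower() != "on":
            problems.append((name, "SSLEngine is not on"))
        for d in SSL_FILE_DIRECTIVES:
            if d.lower() in args and len(args[d.lower()]) != 1:
                problems.append((name, d + " must have exactly one path"))
        if not any(name_covers(c, name) for c in cert_names):
            problems.append((name, "ServerName not covered by certificate"))
    return problems

# Constructed sample config (not the poster's real file).
SAMPLE_CONF = """
<VirtualHost *:443>
  ServerName cloud.example.com
  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/wildcard.crt
</VirtualHost>
<VirtualHost *:443>
  ServerName www.cloud.example.com
  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/ wildcard.crt
</VirtualHost>
"""
```

Calling `lint_vhosts(SAMPLE_CONF, ["*.example.com", "example.com"])` passes the first block and reports two problems for the second.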
-
@aaronstuder said in Using SSL Wildcard Cert on Apache:
@JaredBusch said in Using SSL Wildcard Cert on Apache:
Along this line, if you set up LE with certbot and then set up a timer to renew it daily, you will never see this again.
If you use your wildcard cert, you will have to update it again when it expires.
But, that said, setting up SSL on Apache is not all that hard. Let me look for an example.
certbot renews wildcards as well using a DNS plugin. https://certbot.eff.org/docs/using.html#dns-plugins
You don't always have to set up a timer, Ubuntu for example automatically sets up a cron job when the package is installed.
cron is being phased out