From: David Mehler
Date: Thu, 18 Jan 2018 16:04:53 -0500
Subject: Re: acme-client and multiple domains periodic renewal
To: Peter Boosten
Cc: freebsd-questions

Hello,

Thanks for your response. What my eventual end goal is, is to get universal https access for all my domains, except for the acme-client validation, which I understand must be done over http; so that is http, everything else https. I'm using FreeBSD 10.3 and Apache 2.4. I've got two domains, each with a number of subdomains, so they are SAN certificates. I've taken out the redirects as that appears to cause errors in validation. Ideally I'd like my SAN certificates to be updated when they are due; currently mine is not.

Peter, if you could let me take a look at your config, compare it to mine, I'd appreciate it.
Here's my configuration:

In httpd.conf:

# Access to .well-known for acme-challenge keys
# (the enclosing <Directory> tag was lost in the list archive; the path is assumed from the Alias below)
<Directory "/usr/local/www/.well-known">
    Options None
    AllowOverride None
    Require all granted
    Header add Content-Type text/plain
</Directory>

In a virtual host file:

#
# Virtual host file
#
# (<VirtualHost> container tags were lost in the list archive; reconstructed here as *:80 and *:443)
<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    DocumentRoot "/usr/vhosts/example.com/htdocs/"
    ServerName www.example.com
    ServerAlias example.com www.example.com mail.example.com
    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's acme-client
    Alias /.well-known/ /usr/local/www/.well-known/
    # The below block doesn't work with acme-challenges
    # Anything that isn't going to example.com/.well-known gets forwarded to the https site
    #RewriteEngine on
    #RewriteCond %{REQUEST_URI} !^/.well-known
    #RewriteRule (.*) https://www.example.com$1 [R=301,L]
    # attempted with Redirect
    #Redirect / https://www.example.com/
    ErrorLog "/usr/vhosts/example.com/logs/error.log"
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@example.com
    DocumentRoot "/usr/vhosts/example.com/htdocs/"
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/ssl/acme/example.com/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/ssl/acme/private/example.com/privkey.pem"
    SSLCertificateChainFile "/usr/local/etc/ssl/acme/example.com/chain.pem"
    # (<Directory> tag lost in the list archive; assumed to be the DocumentRoot)
    <Directory "/usr/vhosts/example.com/htdocs">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    CustomLog "|/usr/local/sbin/rotatelogs -l /usr/vhosts/example.com/logs/access.log-%Y-%m-%d.log 86400" combined
    # Disk cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    CacheEnable disk
    CacheHeader on
    CacheDefaultExpire 600
    CacheMaxExpire 86400
    CacheLastModifiedFactor 0.5
    ExpiresActive on
    ExpiresDefault "access plus 5 minutes"
    Header merge Cache-Control public
    FileETag All
</VirtualHost>

Thanks.
Dave.

On 1/18/18, Peter Boosten wrote:
> I have a SAN certificate, and it has been renewed several times now.
>
> Let me know what you want to know exactly (will be home in a couple of
> minutes)
>
> Peter
>
>> On 18 Jan 2018, at 20:07, David Mehler wrote:
>>
>> Hello,
>>
>> If anyone has acme-client going with multiple domains and updating
>> through periodic.conf, please email me; I'd like to know your
>> configuration.
>>
>> Every time I think I get this going, three months later the certificates
>> don't renew and I get invalid ssl certificates when attempting to
>> access the web sites.
>>
>> Thanks.
>> Dave.
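The failure Dave describes (certificates silently not renewed, noticed only when browsers start failing three months later) is easiest to catch with an external check run from cron beside the renewal job. The following is an added example, not code from the thread or from acme-client: for each name on the ServerAlias line it fetches the certificate the server actually presents under that SNI name and flags names missing from the SAN list or an expiry close enough to show renewal has stopped. `SAMPLE_CERT` is a constructed dict in the shape `ssl.getpeercert()` returns, so the check also runs offline.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.getpeercert() returns (not a real certificate);
# it covers only two of the three names on the thread's ServerAlias line.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan 18 20:04:53 2018 GMT",
    "notAfter": "Apr 18 20:04:53 2018 GMT",
}

def fetch_peer_cert(hostname, port=443):
    """Connect with SNI set to hostname and return the parsed peer certificate.
    Call it once per name: a misconfigured vhost may serve a different cert per SNI."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def san_dns_names(cert):
    """DNS names listed in the certificate's subjectAltName extension."""
    return {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}

def days_until_expiry(cert, now=None):
    """Whole days until notAfter; negative once expired. now may be a tz-aware datetime,
    an ISO 'YYYY-MM-DD' string (taken as UTC), or None for the current time."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (not_after - now).days

def check_cert(cert, expected_names, now=None, warn_days=30):
    """Return a list of problems; empty means every expected name is in the SAN list and the
    cert is not near expiry. Let's Encrypt certs live 90 days, so < warn_days means renewal stalled."""
    problems = []
    missing = sorted(set(expected_names) - san_dns_names(cert))
    if missing:
        problems.append("names not in SAN: " + ", ".join(missing))
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append(f"expired {-days} days ago")
    elif days < warn_days:
        problems.append(f"expires in {days} days; renewal appears not to be running")
    return problems

if __name__ == "__main__":  # offline run on the sample; use fetch_peer_cert(name) for a live host
    print(check_cert(SAMPLE_CERT, ["www.example.com", "example.com", "mail.example.com"], now="2018-04-01"))
```

For a live check, loop over the ServerAlias names and call `check_cert(fetch_peer_cert(name), [name])` for each; a non-empty result is the signal to look at the periodic renewal before the certificate actually expires.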