From 1fcd48667e06c565ff49051dcf270b49d87325e1 Mon Sep 17 00:00:00 2001 From: David Thurstenson Date: Mon, 20 Mar 2017 18:06:28 -0500 Subject: [PATCH] Update LetsEncrypt documentation regarding corrected auto-renewal process --- LetsEncrypt.wiki | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/LetsEncrypt.wiki b/LetsEncrypt.wiki index 3f2c6a3..d7c2d1b 100644 --- a/LetsEncrypt.wiki +++ b/LetsEncrypt.wiki @@ -53,6 +53,14 @@ That will get the basic framework ready for your virtualhost definition. Here is {{{class="prettyprint linenums" ServerName wiki.thurstylark.com + + DocumentRoot "/srv/wiki/" + + AllowOverride None + Options None + Require all granted + + # Redirect all except the '.wellk-known' path to https. # This allows automated renewal of ssl certs by certbot RedirectMatch permanent ^/(?!\.well-known)(.*) https://wiki.thurstylark.com/$1 
@@ -79,7 +87,7 @@ That will get the basic framework ready for your virtualhost definition. Here is A couple things to note here: First, this defines two virtualhosts, one for port 80 and one for port 443. This is in order to redirect _all_ traffic to HTTPS except for a very small exception. -This exception is what you see on line 5 in the code above. Only `*/.well-known/*` is not redirected because this is the dir that certbot uses for domain validation. Certbot will only validate over http, and will fail if given a 301 redirect. This allows validation to complete successfuly without a configuration change, thus aiding our automation efforts. Everything else gets a 301 redirect to HTTPS. +This exception is what you see on line 5 in the code above. Only `*/.well-known/*` is not redirected because this is the dir that certbot uses for domain validation. Certbot will only validate over http, and will fail if given a 301 redirect. This allows validation to complete successfuly without a configuration change, thus aiding our automation efforts. Everything else gets a 301 redirect to HTTPS. Be sure to define `DocumentRoot` with the correct location for *both* VirtualHosts, or certbot will fail to renew things correctly. (found this one out the hard way) Lines 20-23 configure Apache to look for the necessary files in the right places. The locations listed here are actually symlinks to the real files, which are kept in an archive. These links are maintained by certbot automagically.
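Review bot: in the first hunk, the three directives added below `DocumentRoot "/srv/wiki/"` (`AllowOverride None`, `Options None`, `Require all granted`) appear with no enclosing `<Directory "/srv/wiki/">` ... `</Directory>` container in the hunk as shown. `Require` is only valid in directory context, so if the container really is absent Apache will refuse to start; if it is present in the page source but the wiki's prettyprint block is swallowing the angle-bracket tags, readers who copy the snippet hit the same error. Check the stored page source and escape the tags if needed so they render. Two smaller points on the unchanged context that closes the hunk: the comment reads `'.wellk-known'` while the RedirectMatch regex correctly uses `\.well-known`, so fix the comment typo; and since only the ACME challenge directory needs to be reachable over plain HTTP, consider narrowing the exception to `^/(?!\.well-known/acme-challenge/)(.*)` rather than exempting everything under `/.well-known/`.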
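Review bot: in the second hunk, the rewritten paragraph still says the exception is "on line 5 in the code above", and the following context line still says "Lines 20-23 configure Apache ...", but the first hunk inserted eight lines (the DocumentRoot and access block) ahead of the RedirectMatch in the numbered code block, so both references are now off by eight. Update them, or refer to the directives by name so the prose survives future edits. Three corrections to the same `+` line: "successfuly" is misspelled; "Only `*/.well-known/*` is not redirected" overstates it, because the regex is anchored with `^/` and only exempts the top-level `/.well-known` path; and "will fail if given a 301 redirect" is not accurate, since Let's Encrypt's HTTP-01 validation follows redirects, including to HTTPS. The exception is still worth keeping, but the reason is that on first issuance (or after an expiry) the port-443 virtualhost has no valid certificate to redirect to. The added DocumentRoot sentence is the substance of this commit and would be clearer with the why: the challenge file is served from the DocumentRoot of whichever virtualhost answers on port 80, so a missing or mismatched DocumentRoot leaves it unreachable.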