====== mod_md: Let's Encrypt certificates ======

----

{{:linux:apache:apache_mod_md.jpg?nolink|}}

Getting a Let's Encrypt certificate in 5 minutes with the **mod_md** module.

Environment

  * Debian 12
  * Apache 2.4.57-2
  * Domain pupupu.site

Documentation

  * https://icing.github.io/mod_md/ / https://github.com/icing/mod_md
  * https://httpd.apache.org/docs/2.4/mod/mod_md.html

===== Configuring mod_md =====

Enable the modules

<code bash>
a2enmod mod_md mod_ssl
</code>

Minimal config

  * MDCertificateAgreement accepted - accept the Let's Encrypt terms of service
  * MDContactEmail - contact email; if omitted, the address from ServerAdmin is used
  * MDomain foobar.com www.foobar.com - the domains to issue a certificate for

Example Apache virtual host

<code apache>
# mod_md
MDCertificateAgreement accepted
MDContactEmail admin@pupupu.site
MDomain pupupu.site www.pupupu.site
MDomain mail.pupupu.site admin.pupupu.site
MDStapling on

# md-status
<Location /md-status>
    SetHandler md-status
    Require ip 127.0.0.1 172.16.10.0/24
</Location>

# server-status
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1 172.16.10.0/24
</Location>

# https://github.com/icing/mod_md#certificate-status
# (the Location path below is an assumption)
#<Location /certificate-status>
#    SetHandler certificate-status
#    Require ip 127.0.0.1 172.16.10.0/24
#</Location>

# http 301 redirect
<VirtualHost *:80>
    ServerName pupupu.site
    ServerAlias www.pupupu.site
    Redirect 301 / https://pupupu.site/
</VirtualHost>

# https
<VirtualHost *:443>
    Protocols h2 http/1.1 acme-tls/1
    DocumentRoot /srv/www/pupupu_main
    ServerAdmin admin@pupupu.site
    ServerName pupupu.site
    ServerAlias www.pupupu.site
    CustomLog "/var/log/apache2/pupupu.site_access.log" combined
    ErrorLog "/var/log/apache2/pupupu.site_error_log"

    # php-fpm handler
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php8.1-foobar.sock|fcgi://localhost"
    </FilesMatch>

    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off
    SSLSessionTickets off
    # OCSP managed by mod_md, so turning off
    #SSLUseStapling On
    #SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

    # rewrite www2non-www
    # (in VirtualHost context the matched path keeps its leading slash,
    #  so it is consumed by the pattern to avoid a double slash in the target)
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www\.pupupu\.site [NC]
    RewriteRule ^/(.*)$ https://pupupu.site/$1 [L,R=301]

    <Directory /srv/www/pupupu_main>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# mail vhost
<VirtualHost *:443>
    Protocols h2 http/1.1 acme-tls/1
    SSLEngine on
    DocumentRoot /srv/www/pupupu_mail
    ServerAdmin admin@pupupu.site
    ServerName mail.pupupu.site

    <Directory /srv/www/pupupu_mail>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# admin vhost
<VirtualHost *:443>
    Protocols h2 http/1.1 acme-tls/1
    SSLEngine on
    DocumentRoot /srv/www/pupupu_admin
    ServerAdmin admin@pupupu.site
    ServerName admin.pupupu.site

    <Directory /srv/www/pupupu_admin>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
</code>

Restart Apache

<code bash>
systemctl restart apache2
</code>

===== Checking md-status =====

At https://pupupu.site/md-status you can see information about the SSL certificate (the ''Require ip'' rule above limits this page to the local network).

pupupu.site, www.pupupu.site

{{:linux:apache:md_status_1.png?nolink|}}

mail.pupupu.site, admin.pupupu.site

{{:linux:apache:md_status_2.png?nolink|}}

===== OCSP =====

What OCSP stapling is

  * [[https://dxdt.ru/2013/12/19/6420/|Technical: OCSP stapling in Firefox]]
  * [[http://vladimir-stupin.blogspot.com/2017/02/ocsp-nginx.html|OCSP stapling in nginx]]
  * [[https://security.stackexchange.com/questions/29686/how-does-ocsp-stapling-work|How does OCSP stapling work?]]
  * [[https://datatracker.ietf.org/doc/html/rfc2560|RFC 2560]], [[https://datatracker.ietf.org/doc/html/rfc5019|RFC 5019]]

How to enable it - [[https://github.com/icing/mod_md#just-the-stapling-mam|Just the Stapling, Mam!]]

OCSP information can be viewed via [[https://httpd.apache.org/docs/2.4/mod/mod_status.html|Apache Module mod_status]]

Example

{{:linux:apache:mod_md_server-status.png?nolink|}}

OCSP stapling can be handled by either mod_ssl or mod_md (here it is mod_md, which is why ''SSLUseStapling'' is commented out in the config above).

===== Caveats =====

[[https://letsencrypt.org/ru/docs/challenge-types/|Challenge types]] at Let's Encrypt.

For wildcard certificates only [[https://github.com/icing/mod_md#mdchallengedns01|dns-01]] can be used.

If, for example, port 80 is not reachable from outside, you may get an error like this

<code>
Error[Internal error (specific information not available)]: None of the ACME challenge methods configured for this domain are suitable.
The http: challenge 'http-01' is disabled because the server seems not reachable on public port 80.
The https: challenge 'tls-alpn-01' is disabled because the Protocols configuration does not include the 'acme-tls/1' protocol.
The DNS challenge 'dns-01' is disabled because the directive 'MDChallengeDns01' is not configured.
Next run in ~3 seconds
</code>

If only port 443 is reachable, add **acme-tls/1** to Protocols

  * [[https://github.com/icing/mod_md#tls-alpn-challenges|TLS ALPN Challenges]]
  * [[https://github.com/icing/mod_md#mdportmap|MDPortMap]], [[https://github.com/icing/mod_md#ports-ports-ports|Ports Ports Ports]]

{{tag>linux debian ssl lets_encrypt apache mod_md}}
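An added example (not from this page or from mod_md itself) that approximates the three eligibility checks behind the error above, so a config can be audited before the first renewal attempt: it parses a constructed config excerpt for MDomain, per-vhost Protocols and MDChallengeDns01, and takes port-80 reachability as an input. The excerpt, the assumed Protocols default and the simplified checks are assumptions; the real mod_md logic is more involved.

```python
import re

# Constructed config excerpt (not the page's full vhost), trimmed to the directives
# that decide challenge eligibility; mail.pupupu.site deliberately lacks acme-tls/1.
SAMPLE_CONF = """
MDomain pupupu.site www.pupupu.site
MDomain mail.pupupu.site admin.pupupu.site
<VirtualHost *:80>
    ServerName pupupu.site
    Redirect 301 / https://pupupu.site/
</VirtualHost>
<VirtualHost *:443>
    Protocols h2 http/1.1 acme-tls/1
    ServerName pupupu.site
    ServerAlias www.pupupu.site
</VirtualHost>
<VirtualHost *:443>
    Protocols h2 http/1.1
    ServerName mail.pupupu.site
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return (port, names, protocols) per <VirtualHost>; Protocols defaults to http/1.1."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+[^>]*:(\d+)>(.*?)</VirtualHost>", conf, re.S):
        body = m.group(2)
        names = [n for line in re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M)
                 for n in line.split()]
        proto = re.search(r"^\s*Protocols\s+(.+)$", body, re.M)
        protocols = proto.group(1).split() if proto else ["http/1.1"]
        vhosts.append((int(m.group(1)), names, protocols))
    return vhosts

def usable_challenges(conf, domain, port80_reachable):
    """Approximate mod_md's three checks from the error above; port reachability is an input."""
    usable = []
    if port80_reachable:                  # http-01: port 80 must be reachable from the internet
        usable.append("http-01")
    for port, names, protocols in parse_vhosts(conf):
        if port == 443 and domain in names and "acme-tls/1" in protocols:
            usable.append("tls-alpn-01")  # tls-alpn-01: acme-tls/1 offered on the TLS vhost
            break
    if re.search(r"^\s*MDChallengeDns01\s+\S", conf, re.M):
        usable.append("dns-01")           # dns-01 (and wildcards): MDChallengeDns01 is set
    return usable

if __name__ == "__main__":
    for d in " ".join(re.findall(r"^\s*MDomain\s+(.+)$", SAMPLE_CONF, re.M)).split():
        print(d, usable_challenges(SAMPLE_CONF, d, port80_reachable=False) or "none suitable")
```

With port 80 blocked, only the domains whose 443 vhost lists acme-tls/1 get a usable challenge; the others reproduce the "none suitable" situation from the log.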