3

What is the proper way to edit /etc/apache2/sites-enabled when there is example.com.conf and example.com-le-ssl.conf?

Should I edit both files when changing something? Or only one, and then somehow force certbot-auto to fix it?

Yaron
  • 13,173
devondre
  • 145
  • Not familiar with Encrypt, but first off you edit sites-available, not sites-enabled, and reload Apache. And if example.com-le-ssl.conf is linked to example.com.conf, I would think reloading Apache would also update any changes made. – George Udosen Mar 15 '17 at 18:13
  • @George, I meant sites-available :-) – devondre Mar 15 '17 at 19:40

1 Answer

4

I'm not sure what the right answer to your question is, but I would suggest the following simplification:

1. Force all users to use HTTPS. The definition of the HTTP VirtualHost should look like this:

<VirtualHost *:80>

        ServerName example.com

        # Redirect Requests to HTTPS
        Redirect permanent "/" "https://example.com/"

        ErrorLog ${APACHE_LOG_DIR}/example.com.error.log
        CustomLog ${APACHE_LOG_DIR}/example.com.access.log combined

</VirtualHost>

This way you will need to maintain only the configuration of the HTTPS VirtualHost.

2. As soon as you generate the "Let's Encrypt" SSL certificate files, describe them manually in the definition of the HTTPS VirtualHost:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>

        ServerName example.com
        ServerAdmin admin@example.com            

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

        ErrorLog ${APACHE_LOG_DIR}/example.com.error.log
        CustomLog ${APACHE_LOG_DIR}/example.com.access.log combined

        DocumentRoot /var/www/html    
        <Directory /var/www/html>
              # etc...
        </Directory>

        # etc...

    </VirtualHost>
</IfModule>

3. Insert the definitions of both VirtualHosts into a single configuration file:

<VirtualHost *:80>
        # etc...
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        # etc...
    </VirtualHost>
</IfModule>

This file could be /etc/apache2/sites-available/example.com.conf.

4. Don't forget to a2dissite unnecessary VirtualHosts (respectively a2ensite the necessary ones) and restart Apache.

5. Edit root's crontab and add a job which will try to renew the certificates, every week, for example. Type sudo crontab -e and add this line at the bottom:

# In a crontab, % is special (it starts a new line), so it is escaped as \%
0 3 * * 0 /usr/bin/letsencrypt renew >> /var/log/letsencrypt-renew.week-$(date +\%W).log 2>&1

That's it.

pa4080
  • 29,831
  • This should be the accepted answer. One note though: some say to keep the VirtualHost definitions in two separate files as a general rule. It allows enabling and disabling each protocol independently. – Miro J. Oct 04 '18 at 21:48
  • @MiroJ., I agree with this, but in case the HTTP VH is permanently redirected to the HTTPS VH, the clients will end up with 404 Page not found if the second is disabled but the first is not. – pa4080 Nov 17 '18 at 09:46
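
A check for the single-file layout described in the answer above, as an added example that is not part of the original answer: it audits a site file so that a port 80 VirtualHost without an HTTPS redirect, or a port 443 VirtualHost missing its certificate directives, is caught before Apache is reloaded. The function name `check_site_conf` and the sample file are constructed for illustration, and the check assumes redirects use the mod_alias `Redirect` family rather than mod_rewrite.

```shell
#!/bin/sh
# check_site_conf FILE (hypothetical helper): audit one Apache site file.
# Prints one FAIL line per problem; returns 0 only when every :80 VirtualHost
# redirects to https:// and every :443 VirtualHost sets SSLEngine on,
# SSLCertificateFile and SSLCertificateKeyFile (mod_alias redirects assumed).
check_site_conf() {
    awk '
    function fail(msg) { print "FAIL vhost at line " start ": " msg; bad = 1 }
    function finish() {
        if (port == 80 && !redirect) fail("port 80 does not redirect to https")
        if (port == 443 && !engine)  fail("SSLEngine on is missing")
        if (port == 443 && !cert)    fail("SSLCertificateFile is missing")
        if (port == 443 && !key)     fail("SSLCertificateKeyFile is missing")
    }
    /^[ \t]*#/ { next }   # skip comment lines
    { l = tolower($0) }   # Apache directive names are case-insensitive
    l ~ /^[ \t]*<virtualhost[ \t]/ {
        port = (l ~ /:80[ \t]*>/) ? 80 : ((l ~ /:443[ \t]*>/) ? 443 : 0)
        start = NR; redirect = engine = cert = key = 0; seen++; next
    }
    l ~ /^[ \t]*<\/virtualhost>/ { finish(); port = 0; next }
    l ~ /^[ \t]*redirect(match|permanent|temp)?[ \t]/ && l ~ /https:\/\// { redirect = 1 }
    l ~ /^[ \t]*sslengine[ \t]+on/                 { engine = 1 }
    l ~ /^[ \t]*sslcertificatefile[ \t]+[^ \t]/    { cert = 1 }
    l ~ /^[ \t]*sslcertificatekeyfile[ \t]+[^ \t]/ { key = 1 }
    END {
        if (!seen) { print "FAIL no VirtualHost block found"; bad = 1 }
        exit bad + 0
    }
    ' "$1"
}
# Constructed sample in the combined single-file layout (not a real site).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent "/" "https://example.com/"
</VirtualHost>
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    </VirtualHost>
</IfModule>
EOF
check_site_conf "$sample" && echo "OK: both VirtualHosts pass"
rm -f "$sample"
```

This complements `apache2ctl configtest`, which validates syntax but does not tell you that the HTTP VirtualHost has lost its redirect.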