From Apache docs:

This directive points to a file with certificate data in PEM format. At a minimum, the file must include an end-entity (leaf) certificate. The directive can be used multiple times (referencing different filenames) to support multiple algorithms for server authentication - typically RSA, DSA, and ECC. The number of supported algorithms depends on the OpenSSL version being used for mod_ssl: with version 1.0.0 or later, openssl list-public-key-algorithms will output a list of supported algorithms; see also the note below about limitations of OpenSSL versions prior to 1.0.2 and the ways to work around them.

The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile>. When running with OpenSSL 1.0.2 or later, this allows the intermediate CA chain to be configured on a per-certificate basis.

Custom DH parameters and an EC curve name for ephemeral keys can also be added to the end of the first file configured using SSLCertificateFile <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile>. This is supported in version 2.4.7 or later. Such parameters can be generated using the commands openssl dhparam and openssl ecparam. The parameters can be added as-is to the end of the first certificate file. Only the first file can be used for custom parameters, as they are applied independently of the authentication algorithm type.

Finally, the end-entity certificate's private key can also be added to the certificate file instead of using a separate SSLCertificateKeyFile <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatekeyfile> directive. This practice is highly discouraged. If it is used, the certificate files using such an embedded key must be configured after the certificates using a separate key file. If the private key is encrypted, the pass phrase dialog is forced at startup time.

Looks like the full file can, since Apache 2.4.8, contain the certificate chain if it exists. Am a bit murky about the part about it including the key file. It says it can handle that too, but suggests that 'this practice is highly discouraged'.

Anyway, at least it is working. :-)

Graham

> On 9 Apr 2018, at 2:56 pm, Michael Kirk <[email protected]> wrote:
>
> Hi Graham,
>
> You are right, there was a server_args file applying a
> --ssl-ca-certificate-file
> option with a wrong file name.
>
> FYI - it's working now - and it will use the fullchain.pem file as the
> --ssl-certificate-file
> and it seems to work.
> So no need to extract things from the pem perhaps.
>
> Thank you!
>
> On Monday, 9 April 2018 14:25:59 UTC+10, Michael Kirk wrote:
>> Hi,
>>
>> I'm trying to setup HTTPS on a cloud server running mod_wsgi-docker.
>>
>> I've used LetsEncrypt on the host to get a certificate, but it provides a
>> fullchain.pem file (along with privkey.pem).
>>
>> From the information provided by LetsEncrypt, it seems Apache should
>> be able to use fullchain.pem. But I'm not sure how to specify this via
>> the Docker CMD.
>>
>> Tried this for example (and a few other things):
>>
>> CMD [\
>> "--https-port","443",\
>> "--ssl-certificate-file","/app/sslCerts/fullchain.pem",\
>> "--ssl-certificate-key-file","/app/sslCerts/privkey.pem",\
>> "--server-name","foo.bar.com",\
>> "app_entry.wsgi" ]
>>
>> But on startup, however, it exits with an error:
>>
>> server | AH00526: Syntax error on line 531 of
>> /tmp/mod_wsgi-localhost:80:1001/httpd.conf:
>> server | SSLCACertificateFile: file '/app/sslCerts/ca.crt' does not
>> exist or is empty
>>
>> Basically LetsEncrypt provides fullchain.pem, privkey.pem, cert.pem, and
>> chain.pem.
>> I can copy all these into the container, but am not sure what, if any,
>> switches I can use
>> in the CMD to have Apache use them.
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected]
> <mailto:[email protected]>.
> To post to this group, send email to [email protected]
> <mailto:[email protected]>.
> Visit this group at https://groups.google.com/group/modwsgi
> <https://groups.google.com/group/modwsgi>.
> For more options, visit https://groups.google.com/d/optout
> <https://groups.google.com/d/optout>.
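The two properties the Apache docs quoted above impose on a bundle handed to SSLCertificateFile (certificates sorted leaf to root, and no private key embedded in the certificate file) can be checked before Apache is restarted. The following is an added example and not code from this thread, from mod_wsgi-docker or from Apache: using only the Python standard library it walks the DER of each certificate in a PEM bundle such as Let's Encrypt's fullchain.pem, checks that every certificate's issuer name is byte-identical to the next certificate's subject name (stricter than RFC 5280 name matching, but what a correctly ordered chain satisfies), and flags an embedded private key. The names `check_fullchain`, `cert_names`, `pem_blocks` and `sample_cert_pem` are mine; `sample_cert_pem` builds constructed, unsigned certificate skeletons for testing only.

```python
import base64, re
_PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block, in file order."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in _PEM.finditer(text)]

def _tlv(buf, pos):
    """Decode one DER tag and length; return (tag, content_start, content_len)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, length

def cert_names(der):
    """Return (issuer, subject) of an X.509 certificate as raw DER Name bytes."""
    _, p, _ = _tlv(der, 0)                              # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                              # tbsCertificate SEQUENCE
    tag, c, n = _tlv(der, p)
    if tag == 0xA0:                                     # optional explicit [0] version
        p = c + n
    fields = []
    for _ in range(5):              # serialNumber, signature, issuer, validity, subject
        _, c, n = _tlv(der, p)
        fields.append(der[p:c + n])
        p = c + n
    return fields[2], fields[4]

def check_fullchain(cert_pem):
    """List what is wrong with a bundle for SSLCertificateFile; empty means OK."""
    blocks = pem_blocks(cert_pem)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    problems = [] if certs else ["no CERTIFICATE block found"]
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("private key embedded in certificate file (discouraged)")
    for i in range(len(certs) - 1):     # byte-exact issuer == next subject, leaf to root
        if cert_names(certs[i])[0] != cert_names(certs[i + 1])[1]:
            problems.append(f"certificate {i} not issued by certificate {i + 1}; order must be leaf to root")
    return problems

def _der(tag, content):                 # tiny DER encoder, only for the constructed sample data
    return bytes([tag]) + (bytes([len(content)]) if len(content) < 128 else bytes([0x81, len(content)])) + content

def sample_cert_pem(subject, issuer):   # constructed test data: unsigned skeleton, CN-only names
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + name(issuer) + _der(0x30, b"") + name(subject))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

On a real deployment, pass `open("fullchain.pem").read()` to `check_fullchain`; the cert.pem plus chain.pem concatenation Let's Encrypt ships is exactly the leaf-to-root order the check expects.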
