Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread Tom Browder
On Wed, Jun 17, 2020 at 18:11 @lbutlr  wrote:

> On 17 Jun 2020, at 16:37, Tom Browder  wrote:
> > Thanks for the info--but I'm only running a dozen or so hosts on a
> > single

...

> Zero maintenance. Set it up once and forget it. It is all automated.


I wish I could use it (DNS-01) too, but it's difficult with my domain
registrar (Namecheap).  Their APIs are XML, hard to use, and don't allow
anything but tear all down and replace--too brute force for me at the
moment.

I've gone so far as to look at changing DNS registrars but I haven't found
one I like better so I'm stuck with it.

I would love a good rec for a better DNS provider but I haven't yet found
one that's cheap enough.

Cheers!

-Tom


Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread @lbutlr
On 17 Jun 2020, at 16:37, Tom Browder  wrote:
> Thanks for the info--but I'm only running a dozen or so hosts on a single
> server

Same.

> and trying to minimize maintenance.

Zero maintenance. Set it up once and forget it. It is all automated.




-- 
'They're the cream!' Rincewind sighed. 'Cohen, they're the cheese.'



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread Tom Browder
On Wed, Jun 17, 2020 at 11:50 dmallor  wrote:

> I have never used that module and always preferred to keep 80 open purely
> for redirects (and LE)
>
...

Thanks, Danny.

-Tom


Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread Tom Browder
On Wed, Jun 17, 2020 at 11:47 @lbutlr  wrote:

> On 17 Jun 2020, at 07:05, Tom Browder  wrote:

...

> Most of the automation scripts for LE pretty much walk your through
> setting this up.

...

> Not making a suggestion, as this is harder to setup, but it is something
> to think about.


Thanks for the info--but I'm only running a dozen or so hosts on a
single server and trying to minimize maintenance.

-Tom


Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread dmallor
I have never used that module and always preferred to keep 80 open purely for
redirects (and LE)

Danny

 Original message 
From: Tom Browder
Date: 6/17/20  11:20 AM  (GMT-06:00)
To: users@httpd.apache.org
Subject: Re: [users@httpd] Let's Encrypt (LE) and port 80

On Wed, Jun 17, 2020 at 09:55 dmallor  wrote:
> You can just setup a global redirect on your 80 listener but exclude LE
> root path
...

Thanks, Danny.

I've never used rewrites before, but that looks like a good idea. But which
of the two solutions would you prefer?

What is the downside of blocking port 80 entirely since mod_md doesn't need
it?

Using my wife as an example, when looking for a site she usually doesn't
specify http[s?] at all--she just clicks on what Google shows her.  [:-(

Cheers!

-Tom


Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread @lbutlr
On 17 Jun 2020, at 07:05, Tom Browder  wrote:
> 
> Now with my new Apache 2.4.43 I'm ready to automate the process. Is there any 
> way to allow port 80 access but only from an LE server?

In addition to the other replies, you can use the DNS-01 method for 
establishing and rewriting a cert. That doesn't involve your webserver at all 
(the methodology for doing this depends on your named server so is out of spec 
for this group).



Most of the automation scripts for LE pretty much walk you through setting 
this up.

One other reason you might want to consider doing this is that DNS-01 allows 
for a wildcard certificate for the domain so instead of listing www.example.com 
and smtp.example.com and 47 others, you can just list *.example.com example.com 
and have a set for all possibilities.

In addition, DNS-01 gives you a lot more flexibility in what servers handle the 
renewals, allowing you to easily have a non-web server run the renewal tasks 
and get the certs, then distribute them to your web, mail, and other servers. 
This makes your certificate chain more secure because your public facing 
machine (www) is not the one that is configured to do renewal. Which means that 
getting into your authentication chain is much much harder.

Not making a suggestion, as this is harder to setup, but it is something to 
think about.

HTH



-- 
Train Station: where the train stops. Work Station: …






Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread Tom Browder
On Wed, Jun 17, 2020 at 09:55 dmallor  wrote:

> You can just setup a global redirect on your 80 listener but exclude LE
> root path
...

Thanks, Danny.

I've never used rewrites before, but that looks like a good idea. But which
of the two solutions would you prefer?

What is the downside of blocking port 80 entirely since mod_md doesn't need
it?

Using my wife as an example, when looking for a site she usually doesn't
specify http[s?] at all--she just clicks on what Google shows her.  [:-(

Cheers!

-Tom


RE: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread dmallor
You can just set up a global redirect on your 80 listener but exclude LE root
path

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,L,R=301]

Danny

 Original message 
From: Tom Browder
Date: 6/17/20  8:06 AM  (GMT-06:00)
To: users@httpd.apache.org
Subject: [users@httpd] Let's Encrypt (LE) and port 80

Before LE came along, I tightened my single server down to redirect http to
https. With LE I've been using the cert generation method where I stop Apache,
create the required certs with a Raku program, and restart Apache.

Now with my new Apache 2.4.43 I'm ready to automate the process. Is there any
way to allow port 80 access but only from an LE server?

The only time that would be needed, as far as I know, is when I first add a
new domain and it obviously would not have a cert yet.

Thanks.

Best regards,

-Tom


Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread Tom Browder
On Wed, Jun 17, 2020 at 08:11 Stefan Eissing 
wrote:

> There is a module called "mod_md" which gets and renews certificates from
> LE. It's part of 2.4.43.
> ...
> You do not need to have port 80 open to use it. It also works with port
> 443 alone.
>

Stefan, thanks. I've read a bit about mod_md but wasn't sure if I could add
a new, certless domain. I'll try it, then.

Cheers!

-Tom


Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread Stefan Eissing
There is a module called "mod_md" which gets and renews certificates from LE. 
It's part of 2.4.43.

https://httpd.apache.org/docs/2.4/mod/mod_md.html
https://github.com/icing/mod_md

You do not need to have port 80 open to use it. It also works with port 443 
alone.

Cheers, Stefan

> Am 17.06.2020 um 15:05 schrieb Tom Browder :
> 
> Before LE came along, I tightened my single server down to redirect http to 
> https. With LE I've been using the cert generation method where I stop 
> Apache, create the required certs with a Raku program, and restart Apache.
> 
> Now with my new Apache 2.4.43 I'm ready to automate the process. Is there any 
> way to allow port 80 access but only from an LE server?
> 
> The only time that would be needed, as far as I know, is when I first add a 
> new domain and it obviously would not have a cert yet.
> 
> Thanks.
> 
> Best regards,
> 
> -Tom


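Putting Danny's port-80 redirect rule and the mod_md setup Stefan points to into one httpd 2.4.43 configuration, as an added example that is not from the thread or the mod_md project. The host names and the ServerAdmin address are placeholders; preferring the tls-alpn-01 challenge is what lets the port-443-only case Stefan describes work.

```apache
# Added example, not from the thread or the mod_md project.
# example.com / www.example.com and the ServerAdmin address are placeholders.
# mod_md needs mod_watchdog loaded.
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule md_module       modules/mod_md.so
LoadModule ssl_module      modules/mod_ssl.so
LoadModule rewrite_module  modules/mod_rewrite.so

# One managed domain: mod_md obtains and renews the certificate from LE
# inside httpd, so the stop / generate / restart cycle is no longer needed.
MDCertificateAgreement accepted
MDomain example.com www.example.com

# Prefer tls-alpn-01 (port 443 only); http-01 is tried only as a fallback,
# which is the case the port-80 exclusion below exists for.
MDCAChallenges tls-alpn-01 http-01

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    RewriteEngine On
    # Danny's rule: let ACME http-01 probes through unredirected and send
    # every other request to https with a permanent redirect.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,L,R=301]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    # mod_md uses ServerAdmin as the ACME account contact when no
    # MDContactEmail is set.
    ServerAdmin hostmaster@example.com
    # acme-tls/1 must be negotiable for the tls-alpn-01 challenge to succeed.
    Protocols h2 http/1.1 acme-tls/1
    SSLEngine on
    # No SSLCertificateFile / SSLCertificateKeyFile: mod_md supplies them.
    # A brand-new domain starts on a temporary self-signed certificate; the
    # LE certificate becomes active on the next graceful reload.
</VirtualHost>
```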