Install and configure mod_md to automate managing certificates from Let's Encrypt for each VirtualHost. Note that sites with mod_md must be accessible from the Internet for Let's Encrypt verification.
Install mod_md and restart httpd. mod_md is enabled after installation.
# Install mod_md
[root@www ~]# dnf -y install mod_md
# Restart httpd
[root@www ~]# systemctl restart httpd
# Check if mod_md is enabled
[root@www ~]# cat /etc/httpd/conf.modules.d/01-md.conf
LoadModule md_module modules/mod_md.so
Create a new configuration file for mod_md.
# Create and edit the mod_md configuration
[root@www ~]# vi /etc/httpd/conf.d/acme.conf
# Add the following configuration
MDBaseServer on
MDCertificateProtocol ACME
MDCAChallenges http-01
MDDriveMode auto
MDPrivateKeys RSA 2048
MDRenewWindow 33%
MDStoreDir md
MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
<Location "/md-status">
SetHandler md-status
Require ip 127.0.0.1 10.0.0.0/24
</Location>
If SELinux is enabled, change the policy to support mod_md.
# Set SELinux boolean for httpd network connectivity
[root@www ~]# setsebool -P httpd_can_network_connect on
# Create and apply a custom SELinux policy
[root@www ~]# vi httpd-md.te
# Add the policy content
...
# Compile and apply the policy
[root@www ~]# checkmodule -m -M -o httpd-md.mod httpd-md.te
[root@www ~]# semodule_package --outfile httpd-md.pp --module httpd-md.mod
[root@www ~]# semodule -i httpd-md.pp
Specify a valid email address for the ServerAdmin directive in each VirtualHost. Let's Encrypt will send notifications to this address.
# Edit the VirtualHost configuration for mod_md
[root@www ~]# vi /etc/httpd/conf.d/rx-9.emc.world.conf
# Add the following configuration
MDomain rx-9.emc.world
MDCertificateAgreement accepted
DirectoryIndex index.html
ServerAdmin root@rx-9.emc.world
<VirtualHost *:80>
DocumentRoot /var/www/rx-9.emc.world
ServerName rx-9.emc.world
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
DocumentRoot /var/www/rx-9.emc.world
ServerName rx-9.emc.world
</VirtualHost>
# Reload httpd to apply changes
[root@www ~]# systemctl reload httpd
Confirm the expiration date and other details of the certificate.
# Check the certificate details with openssl
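# </dev/null closes stdin so s_client exits after the handshake; -servername sends SNI so the right VirtualHost answers
[root@www ~]# openssl s_client -connect rx-9.emc.world:443 -servername rx-9.emc.world </dev/null 2>/dev/null | openssl x509 -noout -startdate -enddate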
Alternatively, check the certificate status by accessing the md-status URL configured in step 2 (the /md-status Location in acme.conf, which is restricted to 127.0.0.1 and 10.0.0.0/24).
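To turn the manual date check above into a monitoring check, the following script classifies a certificate against the MDRenewWindow 33% setting from acme.conf. It is an added example, not part of the original page or of mod_md; the function names and the script name md-check.sh are hypothetical, and it assumes GNU date.

```sh
#!/bin/sh
# Added example (not from the original page). Assumes GNU date for "-d".
RENEW_WINDOW_PCT=33   # mirrors "MDRenewWindow 33%" in acme.conf

# renewal_state NOT_BEFORE NOT_AFTER NOW   (all epoch seconds)
# Prints "ok", "renewal-due" (inside the window where mod_md should be
# renewing) or "expired".
renewal_state() (
    lifetime=$(( $2 - $1 ))
    remaining=$(( $2 - $3 ))
    if [ "$remaining" -le 0 ]; then
        echo expired
    elif [ $(( remaining * 100 )) -lt $(( lifetime * RENEW_WINDOW_PCT )) ]; then
        echo renewal-due
    else
        echo ok
    fi
)

# parse_dates: reads the notBefore=/notAfter= lines printed by
# "openssl x509 -noout -startdate -enddate" on stdin and prints
# "START_EPOCH END_EPOCH"; fails if either line is missing or unparsable.
parse_dates() (
    start= end=
    while IFS= read -r line; do
        case $line in
            notBefore=*) start=$(date -u -d "${line#notBefore=}" +%s) ;;
            notAfter=*)  end=$(date -u -d "${line#notAfter=}" +%s) ;;
        esac
    done
    [ -n "$start" ] && [ -n "$end" ] || exit 1
    echo "$start $end"
)

# check_host HOST: fetch the served certificate and classify it.
# Returns 2 when no certificate could be retrieved or parsed.
check_host() {
    md_dates=$(openssl s_client -connect "$1:443" -servername "$1" \
                   </dev/null 2>/dev/null |
               openssl x509 -noout -startdate -enddate 2>/dev/null |
               parse_dates) || return 2
    # shellcheck disable=SC2086  # two epochs, split on purpose
    renewal_state $md_dates "$(date +%s)"
}

# Live check only when a hostname is passed, e.g. ./md-check.sh rx-9.emc.world
if [ "$#" -gt 0 ]; then check_host "$1"; fi
```

A certificate that stays in renewal-due across several runs indicates that automatic renewal is failing, for example because the http-01 challenge can no longer reach the site.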
This setup automates the management of SSL/TLS certificates for your Apache httpd server, simplifying the process of securing your web applications with HTTPS.