From dehydrate to mod_md, Let’s Encrypt Tool.

Update information      Edit(Nov.16)  Edit2(Nov.30)

   Early this morning, I changed Let’s Encrypt Tool from dehydrated to mod_md. On August 17, Steffen announced “mod_md is available for 2.4.27 VC15”. I did nothing about it though I became curious, because I was busy and I already used ‘dehydrated’. But the day before yesterday, I found “ACME Support in Apache HTTP Server Project”. So I decided to use ‘mod_md’ yesterday.

   At this point, ‘mod_md’ version is 1.0.0 and Apache is 2.4.28. To our Windows users great pleasure, Steffen already built it for 2.4.28 VC15 we can download here. It easy to use. When you extract the mod_md-VC15.zip, you have bin and modules folders. As installing, copy content bin folder to your apache/bin folder and copy content modules folder to your apache/modules folder. Only the mod_ssl.so file is overwritten because this is a patched Apache mod_ssl.

[About the httpd.conf]
   Uncomment and add the next lines.
   LoadModule watchdog_module modules/mod_watchdog.so
   LoadModule md_module modules/mod_md.so

   In my case, I deleted the line Include conf/extra/letsencrypt.conf. <<--- This existed because of this.

[About the httpd-ssl.conf]
   Add the next lines. See https://github.com/icing/mod_md/wiki and https://httpd.apache.org/docs/trunk/mod/mod_md.html
   MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
   MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
      because of Updating our Subscriber Agreement to v1.2 on November 15, 2017.
   MDRenewWindow 80d
   MDRenewWindow 30d   The default value is MDRenewWindow 33%. So, it’s OK even if you set nothing.
   ManagedDomain example.com
   MDomain example.com
      because of MDomain Directive.

   You don’t need ‘SSLCertificateFile’ and ‘SSLCertificateKeyFile’ directives.

   In my case, I deleted the next lines.
   SSLOpenSSLConfCmd ECDHParameters secp384r1 and SSLOpenSSLConfCmd Curves secp384r1. <<--- This existed because of this.
   I re-wrote ECDSA to RSA about Server authentication in CipherSuite directive because mod_md creates RSA certs by Defaults.

   Reboot Apache. mod_md creates MD folder in ServerRoot.

   Here is SSLLABS Server Test result at this point:
https://test.o6asan.com/SSL_Server_Test_o6asan_com13.html

Edit(Nov.16):
   Certificates update by mod_md was completely at 16:07:35 UTC on Nov.8 on the server.
   The module works well. Good job!

Edit2(Nov.30):
   This morning, I found someone, who uses Internet Explorer 11 on Windows7, wouldn’t access my site because of my server cipher suite which I set after changing the tool. A month has passed, OOPS!
   So I added TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 to the httpd-ssl.conf. boo-hoo!!
   Here is SSLLABS Server Test result at this point:
https://test.o6asan.com/SSL_Server_Test_o6asan_com14.html

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.