Wanting to "join the modern age" of enabling https on established Apache-server-based virtual hosts (some 54 of them!), I finally got around to trying "Let's Encrypt" (by EFF.org), which, by the way, now seems to be renamed "certbot". As I have so many domains, I decided to be conservative and start with just one domain. I installed certbot and then ran:
$ certbot run -d mydomain.com
It ran, selected the right authenticator (apache), obtained a new certificate, performed challenges, verified the challenge, cleaned up, created a new conf file, deployed certificates and then asked if I wanted a permanent redirect to the encrypted version. I said yes (option 2). It then claimed it was successful and gave a testing URL that goes to SSLLabs.com.
I tried the site myself and the site did not come up. So, I tried the testing URL and it ran lots of tests and concluded with an overall rating of B. So, I tried to bring up the site myself and Firefox again claimed "Problem loading page" and "The connection has timed out" (just as it had previously done). I tried the non-encrypted http:// approach and it also failed.
I edited the appropriate conf file to remove the redirect and the site then came up with the non-encrypted protocol.
So, I edited the conf file again and added for this domain:
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
Oh, and in the opening line for this domain's config grouping I added the 443 bit as follows here:
<VirtualHost *:80 *:443>
Running apachectl configtest responded with "Syntax OK", so I then tried both protocols and got nothing from Firefox. And then I tried the SSLLabs.com URL and it again gave a B rating...
OK, I'm puzzled; what do I do next?
Note that I'd like to be able to serve both encrypted and non-encrypted protocols; I just tried the permanent redirect to see how certbot would do it.
Insofar as it might matter, I'm running Fedora Core Server 30 from the summer of 2019, with current updates, Apache 2.4.42 for Fedora built October 3, 2019, and certbot 1.0.0. ... Also note that the Apache httpd server is from an ancient installation, maybe 20 years old, which has been updated many times; it may contain some old directives that no longer matter / function as intended, etc.
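As an added example (not part of the original post, and not certbot's or Apache's own code): a small Python checker that parses <VirtualHost> blocks the way a reviewer would read them and flags the two configurations that most often produce exactly this symptom, namely "SSLEngine on" inside a block that is also bound to :80 (every plain http:// request on port 80 then hits a TLS handshake), and a block bound to :443 that never turns SSLEngine on. It also renders the usual layout that serves both protocols for one domain: a separate *:80 block and a separate *:443 block pointing at the certbot paths given in the post. The sample config below is constructed to mirror the block described in the post; the ServerName, DocumentRoot and the assumption that a server-scope "Listen 443" already exists (on Fedora the mod_ssl package's ssl.conf normally provides it) are mine.

```python
import re
from typing import Dict, List, Tuple

# One <VirtualHost ...> ... </VirtualHost> block; Apache does not nest them.
_VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                       re.IGNORECASE | re.DOTALL)

# Constructed sample mirroring the post's single block bound to both ports.
CONF_POSTED = """<VirtualHost *:80 *:443>
    ServerName mydomain.com
    DocumentRoot /var/www/mydomain
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
</VirtualHost>
"""


def _ports_from_addrs(addr_spec: str) -> List[int]:
    """'*:80 *:443' -> [80, 443]; an address with no port (meaning every
    Listen port) is recorded as 0."""
    ports = []
    for tok in addr_spec.split():
        _host, sep, port = tok.rpartition(":")
        ports.append(int(port) if sep and port.isdigit() else 0)
    return ports


def parse_vhosts(conf: str) -> List[Tuple[List[int], Dict[str, List[str]]]]:
    """Return (ports, {directive_lower: [values]}) for each block.
    Comments are stripped; nested sections like <Directory> are skipped."""
    blocks = []
    for m in _VHOST_RE.finditer(conf):
        directives: Dict[str, List[str]] = {}
        for raw in m.group(2).splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line or line.startswith("<"):
                continue
            parts = line.split(None, 1)
            key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
            directives.setdefault(key, []).append(val.strip())
        blocks.append((_ports_from_addrs(m.group(1)), directives))
    return blocks


def lint_vhosts(conf: str) -> List[str]:
    """Flag port/TLS mismatches that break one protocol or the other."""
    findings = []
    for ports, d in parse_vhosts(conf):
        name = d.get("servername", ["(no ServerName)"])[0]
        ssl_on = any(v.lower() == "on" for v in d.get("sslengine", []))
        if ssl_on and 80 in ports:
            findings.append(f"{name}: SSLEngine on in a block also bound to :80; "
                            "plain http:// requests on port 80 will fail")
        if 443 in ports and not ssl_on:
            findings.append(f"{name}: bound to :443 without SSLEngine on; "
                            "https:// clients will not get a TLS handshake")
        if ssl_on and not (d.get("sslcertificatefile")
                           and d.get("sslcertificatekeyfile")):
            findings.append(f"{name}: SSLEngine on but certificate or key "
                            "file directive is missing")
    return findings


def render_split_vhosts(domain: str, docroot: str) -> str:
    """Two blocks for one domain: plain HTTP on 80, TLS on 443 (no redirect,
    so both protocols are served). Assumes a server-scope 'Listen 443'."""
    return f"""<VirtualHost *:80>
    ServerName {domain}
    DocumentRoot {docroot}
</VirtualHost>

<VirtualHost *:443>
    ServerName {domain}
    DocumentRoot {docroot}
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/{domain}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/{domain}/privkey.pem
</VirtualHost>
"""


if __name__ == "__main__":
    for f in lint_vhosts(CONF_POSTED):
        print("FINDING:", f)
    print(render_split_vhosts("mydomain.com", "/var/www/mydomain"))
```

Run it against a real file with lint_vhosts(open("/etc/httpd/conf.d/mydomain.conf").read()). The checker only reads vhost-level directives; it does not know whether mod_ssl is loaded or whether port 443 is open in the host firewall, which are the next two things to check (apachectl -M, ss -ltn, and firewall-cmd --list-services on Fedora) when a vhost that passes this lint still times out in the browser.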