How to install letsencrypt apache module by hand?

0

Letsencrypt might be a cool thing, but I just don't like to run a script that does many unknown and undocumented (possibly irreversible) modifications to my production machines. I want to understand how it works and how to install it completely by hand, not using any automatic secret script or tools.

So I obtained the certificate using their tool and installed it in my Apache by hand; in order to do that I had to temporarily shut it down and run their built-in webserver in order to verify that the domain really belongs to me. Unfortunately the whole letsencrypt has really very bad documentation, which is all about automatic stuff that is just supposed to work out of the box using some black magic or something, with no need for user intervention, so it doesn't describe at all how it actually works under the hood :(

Now I figured out that in order to renew the certificate I would either need to shut down my web server again (that isn't going to happen) or I could install some special Apache module, which I suppose lives here: https://github.com/letsencrypt/letsencrypt/tree/master/letsencrypt-apache, unfortunately with absolutely no documentation on how to do that whatsoever.

All I could find was that if I ran their black magic tool with more options it would install it for me. But I don't want that; I want to install it by hand, so that I know and see what I am actually changing in my system.

How do I do that? How can I compile the module and configure it so that it works? I understand that letsencrypt uses something called "ACME" in order to verify that a domain belongs to you, but other than that I couldn't find any more information.

Petr

Posted 2016-04-07T07:45:55.583

Reputation: 1 453

Answers

3

Now I figured out that in order to renew the certificate I would either need to shut down my web server again (that isn't going to happen) or I could install some special apache module

None of that is true.

  • The verification protocols used are described in great detail in the draft ACME specification. The simplest method is "http-01", where you need to serve a specific text file over HTTP.

  • If you already have an existing web server running, use the --webroot mode and tell LE to put its http-01 verification file directly under your /var/www/html or such. This doesn't require any special configuration most of the time.

  • If you do not want any automatic configuration, use letsencrypt certonly. This and the webroot mode are mentioned on the Getting Started page:

    To obtain a cert using the “webroot” plugin, which can work with the webroot directory of any webserver software:

    letsencrypt certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is

    This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.

  • letsencrypt-apache is not an Apache module; it's an addon for the LE client, and merely used for automatically installing the first LE certificate instead of doing that by hand. (Basically it's the thing you stated you do not want.)

user1686

Posted 2016-04-07T07:45:55.583

Reputation: 283 655

There is also the possibility of using DNS records to do your validation - depends on how your DNS is handled. See https://b3n.org/intranet-ssl-certificates-using-lets-encrypt-dns-01/

– ivanivan – 2017-03-21T18:09:19.290
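The http-01 exchange that the answer above describes, as an added example that is not code from the original post nor from the letsencrypt client: it derives the key authorization the CA expects to read back at /.well-known/acme-challenge/<token>, places it under a webroot the way --webroot mode does, and replays the CA's comparison against the directory. The account key, token and directory are constructed sample values.

```python
import base64
import hashlib
import json
import os
import re
import tempfile

# ACME tokens are base64url text (RFC 8555 section 8.3); anything else is rejected,
# so a malformed token can never name a path outside the challenge directory.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def is_valid_token(token: str) -> bool:
    return bool(TOKEN_RE.match(token))


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWS and ACME use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members, serialised as
    compact JSON with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body the CA expects: '<token>.<thumbprint of the ACME account key>'."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def place_http01_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """Write the key authorization to <webroot>/.well-known/acme-challenge/<token>,
    which the CA fetches as http://<domain>/.well-known/acme-challenge/<token>."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url text; refusing to create a file for it")
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def simulate_ca_validation(webroot: str, token: str, account_jwk: dict) -> bool:
    """The check the CA performs over HTTP, replayed against the webroot directly:
    read the file for the token and compare it with the expected key authorization."""
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    try:
        with open(path, "r", encoding="ascii") as fh:
            body = fh.read().strip()
    except OSError:
        return False
    return body == key_authorization(token, account_jwk)


# Constructed sample account key (public members only); a real RSA modulus is 2048+ bits.
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 65)))}
# Sample token; a real CA issues one with at least 128 bits of entropy per challenge.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def run_demo() -> dict:
    """Place the challenge in a throwaway webroot and report what the CA would conclude
    for the right key, for a different account key, and for a token never placed."""
    with tempfile.TemporaryDirectory() as webroot:
        path = place_http01_challenge(webroot, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
        other_key = dict(SAMPLE_ACCOUNT_JWK, e="AQAD")  # different key, different thumbprint
        return {
            "relative_path": os.path.relpath(path, webroot).replace(os.sep, "/"),
            "valid": simulate_ca_validation(webroot, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK),
            "wrong_key": simulate_ca_validation(webroot, SAMPLE_TOKEN, other_key),
            "missing": simulate_ca_validation(webroot, "neverplaced", SAMPLE_ACCOUNT_JWK),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two points the code makes concrete for the webroot setup: the CA fetches that exact path over plain HTTP on port 80, so the only Apache-side requirement is that nothing on the DocumentRoot passed with -w (a rewrite to HTTPS, an authentication or deny directive) intercepts /.well-known/acme-challenge/; and the thumbprint is of the ACME account key, which is a separate key from the one in the certificate being issued.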

0

Under the Advanced tab,

https://certbot.eff.org/#centosrhel6-apache

./path/to/certbot-auto --apache certonly

Then you can modify your httpd.conf and ssl.conf yourself.

Sorry I don't know how to run the ACME protocol by hand.

Chloe

Posted 2016-04-07T07:45:55.583

Reputation: 4 502