In the past I was able to install Let’s Encrypt on Windows by following the steps in Install Let’s Encrypt with Apache 2.4 on Windows Server 2019, but then I had to manually renew my Let’s Encrypt certificates. So I decided to switch to auto-renewal with Apache mod_md. Here are the steps I followed to make that happen:
- Creating a Self-Signed SSL Certificate for Apache (according to Stack Overflow)
I ran the following commands in Windows Terminal:
openssl genrsa -out www.wopr.gov.key 4096
openssl req -new -out www.wopr.gov.csr -sha256 -key www.wopr.gov.key
openssl x509 -req -in www.wopr.gov.csr -days 365 -signkey www.wopr.gov.key -out www.wopr.gov.crt -outform PEM
I had to fill in the information:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:Colorado Springs
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Stephen FALKEN
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.wopr.gov
Email Address []:beringer@norad.gov
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Secure Apache with mod_md Let’s Encrypt (per this tutorial)
I used the following config file:
## Secure Apache with mod_md Let's Encrypt directives ##
ServerAdmin beringer@norad.gov
MDCertificateAgreement accepted
MDomain www.wopr.gov
MDPrivateKeys RSA 4096
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
<VirtualHost *:443>
    SSLEngine on
    ## Only enable TLS v1.3 and avoid older protocols ##
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
    SSLHonorCipherOrder off
    SSLSessionTickets off
    ## Turn on OCSP Stapling ##
    SSLUseStapling on
    ServerAdmin beringer@norad.gov
    DocumentRoot "path/to/document/root/public"
    ServerName www.wopr.gov
    ErrorLog "path/to/document/root/logs/error.log"
    TransferLog "path/to/document/root/logs/access.log"
    CustomLog "path/to/document/root/logs/ssl_request.log" "combined"
    # Turn on HTTP/2
    Protocols h2 http/1.1
    # Set HTTP Strict Transport Security
    Header always set Strict-Transport-Security "max-age=63072000"
    SSLCertificateFile "path/to/document/root/certificates/www.wopr.gov.crt"
    SSLCertificateKeyFile "path/to/document/root/certificates/www.wopr.gov.key"
</VirtualHost>
The *.key and *.crt files referenced in the virtual host are the ones generated previously (step 1).
I uncommented the following lines in httpd.conf
LoadModule headers_module modules/mod_headers.so
LoadModule md_module modules/mod_md.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
As I was trying to start the server so that I could obtain the SSL certificate, the server crashed. Here is what's in the error log:
[Thu Jun 15 01:44:02.937925 2023] [ssl:error] [pid 9148:tid 340] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=beringer@norad.gov,CN=www.wopr.gov,O=Stephen FALKEN,L=Colorado Springs,ST=Colorado,C=US / issuer: emailAddress=beringer@norad.gov,CN=www.wopr.gov,O=Stephen FALKEN,L=Colorado Springs,ST=Colorado,C=US / serial: 5974DD38443614978D87D5F8086ACF509CCA4154 / notbefore: Jun 14 15:37:38 2023 GMT / notafter: Jun 13 15:37:38 2024 GMT]
[Thu Jun 15 01:44:02.939926 2023] [ssl:error] [pid 9148:tid 340] AH02604: Unable to configure certificate www.wopr.gov:443:0 for stapling
[Thu Jun 15 01:44:03.064234 2023] [ssl:error] [pid 9148:tid 340] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=beringer@norad.gov,CN=www.wopr.gov,O=Stephen FALKEN,L=Colorado Springs,ST=Colorado,C=US / issuer: emailAddress=beringer@norad.gov,CN=www.wopr.gov,O=Stephen FALKEN,L=Colorado Springs,ST=Colorado,C=US / serial: 5974DD38443614978D87D5F8086ACF509CCA4154 / notbefore: Jun 14 15:37:38 2023 GMT / notafter: Jun 13 15:37:38 2024 GMT]
[Thu Jun 15 01:44:03.064234 2023] [ssl:error] [pid 9148:tid 340] AH02604: Unable to configure certificate www.wopr.gov:443:0 for stapling
I tried removing the lines mentioning SSLCertificateFile and SSLCertificateKeyFile (as per this Stack Overflow post), but I get these errors:
[Thu Jun 15 02:09:24.411823 2023] [ssl:warn] [pid 44596:tid 348] AH10085: Init: www.wopr.gov:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any.
[Thu Jun 15 02:09:24.431901 2023] [ssl:error] [pid 44596:tid 348] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=Apache Managed Domain Fallback / issuer: CN=Apache Managed Domain Fallback / serial: 1347195D9AC5DD2A157D5EDC4470F2AD0E06BC28 / notbefore: Jun 14 14:24:21 2023 GMT / notafter: Jun 28 14:24:21 2023 GMT]
[Thu Jun 15 02:09:24.431901 2023] [ssl:error] [pid 44596:tid 348] AH02604: Unable to configure certificate www.wopr.gov:443:0 for stapling
[Thu Jun 15 02:09:24.500275 2023] [ssl:warn] [pid 44596:tid 348] AH10085: Init: www.wopr.gov:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any.
[Thu Jun 15 02:09:24.511373 2023] [ssl:error] [pid 44596:tid 348] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=Apache Managed Domain Fallback / issuer: CN=Apache Managed Domain Fallback / serial: 1347195D9AC5DD2A157D5EDC4470F2AD0E06BC28 / notbefore: Jun 14 14:24:21 2023 GMT / notafter: Jun 28 14:24:21 2023 GMT]
[Thu Jun 15 02:09:24.511373 2023] [ssl:error] [pid 44596:tid 348] AH02604: Unable to configure certificate www.wopr.gov:443:0 for stapling
I tried turning SSLUseStapling off by following that same Stack Overflow post, and the errors disappear, but the server is still crashing.
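For comparison, an added example, not the original poster's configuration and not taken from the tutorials the question links: an httpd.conf fragment in which mod_md alone supplies the certificate for www.wopr.gov. The hostname, contact address and paths are the question's placeholders, and the TLS settings are carried over from the posted virtual host. Two things differ from the posted configuration. First, the managed domain has no static SSLCertificateFile/SSLCertificateKeyFile, so the self-signed certificate from step 1 is not involved at all. Second, OCSP stapling is moved from mod_ssl's SSLUseStapling to mod_md's MDStapling (httpd 2.4.42 or later). mod_ssl builds an OCSP request from the certificate's issuer, which is exactly what the AH02217 lines above report it cannot find: for a self-signed certificate (and for the Apache Managed Domain Fallback certificate) subject and issuer are the same, so there is nothing to staple. A port-80 virtual host for the same name is included because the Let's Encrypt http-01 challenge is fetched over plain HTTP. mod_watchdog is loaded because mod_md runs its renewal job under it.

```apache
## Added example: mod_md-managed certificate for www.wopr.gov.
## Hostname, e-mail and paths are the question's placeholders.

# Modules (uncomment the matching lines in httpd.conf).
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule md_module modules/mod_md.so
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule http2_module modules/mod_http2.so

Listen 80
Listen 443

## Managed domain: mod_md obtains and renews the certificate. ##
ServerAdmin beringer@norad.gov
MDCertificateAgreement accepted
MDomain www.wopr.gov
MDPrivateKeys RSA 4096
# http-01 only: the tls-alpn-01 challenge would additionally need
# "acme-tls/1" in the Protocols list of the TLS virtual host.
MDCAChallenges http-01
# mod_md fetches and refreshes the OCSP response for its domains itself;
# mod_ssl's SSLUseStapling/SSLStaplingCache are not needed for them.
MDStapling on
# Certificates and account data live under MDStoreDir (default: the "md"
# directory below ServerRoot); the account httpd runs as must be able to
# write there.

# Plain HTTP for the same name: Let's Encrypt fetches
# http://www.wopr.gov/.well-known/acme-challenge/<token> here.
<VirtualHost *:80>
    ServerName www.wopr.gov
    # mod_md answers the challenge path itself; the exclusion only makes
    # sure the redirect rule never swallows it. Everything else goes to TLS.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.wopr.gov
    DocumentRoot "path/to/document/root/public"
    ErrorLog "path/to/document/root/logs/error.log"
    TransferLog "path/to/document/root/logs/access.log"
    SSLEngine on
    ## Only enable TLS v1.3 and avoid older protocols ##
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
    SSLHonorCipherOrder off
    SSLSessionTickets off
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=63072000"
    # Deliberately no SSLCertificateFile / SSLCertificateKeyFile:
    # the certificate and key for this name come from mod_md's store.
</VirtualHost>
```

Until the first certificate has been issued, mod_md hands mod_ssl its fallback certificate and the host answers 503, which is what the AH10085 warning in the log describes; the new certificate (and every renewal) is taken into use on the next reload (`httpd -k restart` on Windows), and MDMessageCmd can run a script when one is ready. Besides port 80 being reachable from the internet, the server needs outbound HTTPS to the ACME endpoint.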