Made apache2 config certbot compatible

flybase uses certbot to provide a TLS certificate. To renew certificates a the server is challenged to host a file in a known place on port 80. All traffic was redirected from 80 to 443 so exception has been put in place for the direcory used by certbot. Config files have also been tidied and improved.

Made apache2 config certbot compatible
flybase uses certbot to provide a TLS certificate. To renew certificates a the server is challenged to host a file in a known place on port 80. All traffic was redirected from 80 to 443 so exception has been put in place for the direcory used by certbot. Config files have also been tidied and improved.
1ccd42b1 · James Nairn · b00e0bb9 · 1ccd42b1 · 1ccd42b1 · 1ccd42b1
Commit 1ccd42b1 authored 3 years ago by James Nairn
--- a/apache_config/canto_443.conf
+++ b/apache_config/canto_443.conf
 <IfModule mod_ssl.c>
 	<VirtualHost _default_:443>

-		# Basic server details
-		# ServerAdmin webmaster@localhost
-		# DocumentRoot /var/www/html/tls
+		ServerAdmin service-desk@uis.cam.ac.uk
 		ServerName flybase-vm.pdn.cam.ac.uk

 		# Log locations
@@ -48,8 +46,6 @@
                ProxyPass /pombe http://localhost:7000 retry=5
                ProxyPassReverse /pombe http://localhost:7000

-		#ProxyPass "/" "http://localhost:7000/" retry=5
-                #ProxyPassReverse "/" "http://localhost:7000/"

 		<IfModule mod_deflate.c>
    			SetOutputFilter DEFLATE
@@ -62,12 +58,6 @@
    			</IfModule>
  		</IfModule>

-  		# Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
-
-  		# <Location /pombe>
-    		#	RequestHeader set X-Request-Base /pombe
-  		# </Location>
-
 	</VirtualHost>
 </IfModule>


--- a/apache_config/canto_80.conf
+++ b/apache_config/canto_80.conf
 <VirtualHost *:80>
-	# The ServerName directive sets the request scheme, hostname and port that
-	# the server uses to identify itself. This is used when creating
-	# redirection URLs. In the context of virtual hosts, the ServerName
-	# specifies what hostname must appear in the request's Host: header to
-	# match this virtual host. For the default virtual host (this file) this
-	# value is not decisive as it is used as a last resort host regardless.
-	# However, you must set it for any further virtual host explicitly.
-	#ServerName www.example.com

-	#ServerAdmin webmaster@localhost
-	#DocumentRoot /var/www/html/temp
+	ServerAdmin servicedesk@uis.cam.ac.uk
+	DocumentRoot /var/www/html/
 	ServerName flybase-vm.pdn.cam.ac.uk
-	
-	#RewriteEngine On
-	#RewriteCond %{HTTPS} off
-	#RewriteRule ^/?(.*)$ https://flybase-vm.pdn.cam.ac.uk/$1 [NE,L,R=301]

-	Redirect permanent "/" "https://flybase-vm.pdn.cam.ac.uk/"
-
-	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
-	# error, crit, alert, emerg.
-	# It is also possible to configure the loglevel for particular
-	# modules, e.g.
-	#LogLevel info ssl:warn
+        # Redirect all requests to https proxy apart from .well-known/acme-challenge
+        # which is used for certbot certificate renewal challenge 			
+	RedirectMatch Permanent "^(/(?!.well-known/acme-challenge/).*)" https://flybase-vm.pdn.cam.ac.uk$1

 	ErrorLog ${APACHE_LOG_DIR}/error.log
 	CustomLog ${APACHE_LOG_DIR}/access.log combined

-	# For most configuration files from conf-available/, which are
-	# enabled or disabled at a global level, it is possible to
-	# include a line for only one particular virtual host. For example the
-	# following line enables the CGI configuration for this host only
-	# after it has been globally disabled with "a2disconf".
-	#Include conf-available/serve-cgi-bin.conf
 </VirtualHost>

 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
--- a/apache_config/certbot_commands.txt
+++ b/apache_config/certbot_commands.txt
+Certbot commands
+
+sudo add-apt-repository ppa:certbot/certbot
+sudo apt-get install python-certbot-apache
+sudo certbot --apache -d flybase-vm.pdn.cam.ac.uk
+sudo apt-get remove certbot --dry-run
+sudo snap install --classic certbot
+sudo ln -s /snap/bin/certbot /usr/bin/certbot
+sudo certbot certonly --apache
+
+jwrn3@flybase-vm:/var/www/html/.well-known/acme-challenge$ sudo certbot certonly
+Saving debug log to /var/log/letsencrypt/letsencrypt.log
+
+How would you like to authenticate with the ACME CA?
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+1: Apache Web Server plugin (apache)
+2: Spin up a temporary webserver (standalone)
+3: Place files in webroot directory (webroot)
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
+Please enter the domain name(s) you would like on your certificate (comma and/or
+space separated) (Enter 'c' to cancel): flybase-vm.pdn.cam.ac.uk
+Renewing an existing certificate for flybase-vm.pdn.cam.ac.uk
+Input the webroot for flybase-vm.pdn.cam.ac.uk: (Enter 'c' to cancel): /var/www/html
+
+Successfully received certificate.
+Certificate is saved at: /etc/letsencrypt/live/flybase-vm.pdn.cam.ac.uk/fullchain.pem
+Key is saved at:         /etc/letsencrypt/live/flybase-vm.pdn.cam.ac.uk/privkey.pem
+This certificate expires on 2022-05-01.
+These files will be updated when the certificate renews.
+Certbot has set up a scheduled task to automatically renew this certificate in the background.