install_apache2_wsgi.md

File metadata and controls

104 lines (74 loc) · 4.5 KB

Installation on apache2 running on Ubuntu 22.04

A ready-made shell script performing the tasks below can be found in the examples/install_scripts directory.

1. Install apache2 and the corresponding wsgi module

```bash
sudo apt-get install -y apache2 libapache2-mod-wsgi-py3 python3-pip apache2-data curl krb5-user libgssapi-krb5-2 libkrb5-3 python3-gssapi
```

2. Check that the wsgi module is activated in your apache configuration

```bash
sudo apache2ctl -M | grep -i wsgi
 wsgi_module (shared)
```

If wsgi_module is not listed, enable it with `sudo a2enmod wsgi`.

3. Download acme2certifier from master and unpack it.

4. Install the missing Python modules via pip

```bash
sudo pip3 install -r requirements.txt
```

5. Copy the file examples/apache2/apache_wsgi.conf to /etc/apache2/sites-available/acme2certifier.conf and modify it according to your needs.

6. In case you would like to activate TLS, copy the file examples/acme_wsgi_ssl.conf to /etc/apache2/sites-available/acme2certifier_ssl.conf and modify it according to your needs. Do not forget to place the key bundle the configuration refers to. This file must contain the following data in PEM format, in this order:

- the private key
- the end-entity certificate
- the intermediate CA certificates, sorted from the leaf towards the root

The root CA certificate itself is not included: a client that trusts the chain already holds the root in its trust store, so sending it adds nothing but bytes to every handshake. Further, the ssl module needs to be activated

```bash
sudo a2enmod ssl
```

7. Activate the virtual server(s)

```bash
sudo a2ensite acme2certifier.conf
sudo a2ensite acme2certifier_ssl.conf
```

8. Create the directory /var/www/acme2certifier, copy the file examples/acme2certifier_wsgi.py to /var/www/acme2certifier, and copy the directories examples/ca_handler/, examples/eab_handler/, examples/hooks/ and tools/ together with the example configuration to /var/www/acme2certifier/

```bash
sudo mkdir -p /var/www/acme2certifier/examples
sudo cp -R examples/ca_handler/ /var/www/acme2certifier/examples/ca_handler
sudo cp -R examples/eab_handler/ /var/www/acme2certifier/examples/eab_handler
sudo cp -R examples/hooks/ /var/www/acme2certifier/examples/hooks
sudo cp examples/acme_srv.cfg /var/www/acme2certifier/examples/
sudo cp -R tools/ /var/www/acme2certifier/tools
```

9. Copy the content of the acme_srv directory to /var/www/acme2certifier/acme_srv

```bash
sudo cp -R acme_srv/ /var/www/acme2certifier/acme_srv
```

10. Create a configuration file acme_srv.cfg in /var/www/acme2certifier/acme_srv, or use the example stored in the examples directory, and modify it according to your needs.

11. Optional: pick the correct ca handler from the examples/ca_handler directory and copy it to /var/www/acme2certifier/acme_srv/ca_handler.py, then configure the ca_handler in acme_srv.cfg. Example for Insta Certifier

12. Activate the wsgi database handler by copying it from the unpacked source tree into the acme_srv directory

```bash
sudo cp examples/db_handler/wsgi_handler.py /var/www/acme2certifier/acme_srv/db_handler.py
```

13. Ensure that all files and directories under /var/www/acme2certifier are owned by the user running the web server (www-data is just an example!)

```bash
sudo chown -R www-data:www-data /var/www/acme2certifier/
```

The web-server user only needs write access where acme2certifier stores state (its database and any files written by the handlers); keeping the code itself read-only for that user limits what a compromised worker process can modify.

14. Set the correct permissions on the acme_srv subdirectory

```bash
sudo chmod a+x /var/www/acme2certifier/acme_srv
```

15. Remove the default apache site and restart the apache2 service so that the newly enabled modules and sites take effect

```bash
sudo rm /etc/apache2/sites-enabled/000-default.conf
sudo systemctl restart apache2
```

16. Check access to the directory resource to verify that everything works so far

```bash
[root@srv ~]# curl http://127.0.0.1/directory
{"newAccount": "http://127.0.0.1/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1/acme_srv/key-change", "newNonce": "http://127.0.0.1/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa <[email protected]>"}, "newOrder": "http://127.0.0.1/acme_srv/neworders", "revokeCert": "http://127.0.0.1/acme_srv/revokecert"}[root@srv ~]#
```

This smoke test over plain http is fine locally, but RFC 8555 requires ACME to run over https and most clients refuse a plain-http directory, so enroll against the TLS virtual host.

Try to enroll a certificate by using your favorite acme-client. If it fails, check the configuration of your ca_handler and the logs, and enable debug mode in acme2certifier for further investigation.
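As an added post-installation check (example code written for this page, not part of acme2certifier or its install script), the following POSIX shell script verifies two things the steps above leave to the reader: that the TLS key bundle has the expected layout (exactly one private key, at least one certificate, and no self-signed root CA at the end of the chain), and that the directory object returned by the server contains every endpoint an RFC 8555 client needs and advertises https rather than http URLs. The bundle path and base URL are assumptions made for this example; override them through the BUNDLE and BASE_URL environment variables.

```shell
#!/bin/sh
# Post-install checks for an acme2certifier apache2/mod_wsgi deployment.
# Added example, not acme2certifier code. BUNDLE and BASE_URL are assumptions
# for this example; override them in the environment to match your host.
BUNDLE="${BUNDLE:-/etc/apache2/ssl/acme2certifier-bundle.pem}"
BASE_URL="${BASE_URL:-http://127.0.0.1}"

# count_pem_blocks FILE KIND: number of PEM blocks in FILE whose BEGIN line
# ends with KIND (e.g. "PRIVATE KEY" matches both RSA and PKCS#8 keys).
count_pem_blocks() {
    grep -c -- "-----BEGIN .*$2-----" "$1" 2>/dev/null || true
}

# check_bundle FILE: verify the combined bundle Apache reads has exactly one
# private key and at least one certificate. Prints the reason and returns 1
# when the layout is wrong.
check_bundle() {
    f="$1"
    [ -r "$f" ] || { echo "bundle $f is not readable"; return 1; }
    keys=$(count_pem_blocks "$f" "PRIVATE KEY")
    certs=$(count_pem_blocks "$f" "CERTIFICATE")
    [ "$keys" -eq 1 ] || { echo "expected exactly one private key, found $keys"; return 1; }
    [ "$certs" -ge 1 ] || { echo "no certificate found in $f"; return 1; }
    return 0
}

# last_cert_is_self_signed FILE: return 0 if the last certificate in FILE has
# subject == issuer, i.e. a root CA that should not be shipped in the bundle.
# Returns 2 when openssl is not installed, 1 otherwise.
last_cert_is_self_signed() {
    command -v openssl >/dev/null 2>&1 || return 2
    last=$(awk '/-----BEGIN CERTIFICATE-----/ {buf = ""}
                {buf = buf $0 "\n"}
                /-----END CERTIFICATE-----/ {keep = buf}
                END {printf "%s", keep}' "$1")
    subj=$(printf '%s' "$last" | openssl x509 -noout -subject)
    iss=$(printf '%s' "$last" | openssl x509 -noout -issuer)
    [ -n "$subj" ] && [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# check_directory JSON: verify the directory object has the endpoints an
# RFC 8555 client needs and that every URL is https. Returns 0 when both hold,
# 1 when an endpoint is missing, 3 when only the scheme is wrong.
check_directory() {
    json="$1"
    for key in newNonce newAccount newOrder revokeCert keyChange; do
        printf '%s' "$json" | grep -q "\"$key\"" \
            || { echo "directory lacks $key"; return 1; }
    done
    if printf '%s' "$json" | grep -q '"http://'; then
        echo "directory advertises plain-http URLs; RFC 8555 requires https"
        return 3
    fi
    return 0
}

# fetch_and_check: fetch the live directory and validate it.
fetch_and_check() {
    check_directory "$(curl -fsS "$BASE_URL/directory")"
}

# `sh post_install_checks.sh run` performs the checks against the local host;
# without the argument the file only defines the functions.
if [ "${1:-}" = "run" ]; then
    check_bundle "$BUNDLE" && echo "bundle layout ok"
    if last_cert_is_self_signed "$BUNDLE"; then
        echo "last certificate in $BUNDLE is self-signed: drop the root CA"
    fi
    fetch_and_check && echo "directory ok"
fi
```

The directory check deliberately distinguishes a missing endpoint (the server is misconfigured) from http URLs (the server works but is reachable only on the plain-http site), because the fix differs: the first sends you back to acme_srv.cfg and the Apache logs, the second to the TLS virtual host.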