One of my new favourite features in Apache is managed domains (MDomains). While before, you might need certbot or another client to manage the certificates and even massage the configuration, MDomains provides a nice idiomatic way to automatically fetch and install the certificates.
The linked documentation covers the basics better than I can, but it’s just a matter of adding an MDomain directive for each virtual host (outside of the VirtualHost block) and making sure they have TLS on. Some gotchas I noticed:
- You may need
MDCertificateAgreement acceptedin the config; this will pop up in the error log or in the JSON blob if you have the status route enabled. - Make sure you’re listening on 443; at least on FreeBSD, it doesn’t, won’t tell you about if if your vhost is on 443.
That easy. I wish other software, or perhaps entire platforms would get the hint – ACME is here to stay, so let’s make it as easy as turning on TLS in the first place.
This reminds me of what https://caddyserver.com/ Caddy has been doing for a number of years. I’m glad to see this kind of functionality coming to Apache; IMO the various “beat ACME onto your web server” tools — certbot, et al — were a fine holdover while Let’s Encrypt was still working to gain popularity, but at this point there’s no reason every general use HTTPd shouldn’t have built in ACME functionality.