authorSven Göthel <[email protected]>2025-03-02 20:33:06 +0100
committerSven Göthel <[email protected]>2025-03-02 20:33:06 +0100
commitc99798f5f094ffeb5c77e43f18b4b8c75dd4cf49 (patch)
treeb307893be7cfb94437c628e9558354e42f9e7811 /server/setup/05-service-settings/etc/apache2
parent940029ebb7302f1ea4f1a4e8e1f730e2ddfe2d6e (diff)
Use letsencrypt for apache2, dovecot and sendmail (see /etc/apache2/acme-and-redirect.conf)
Diffstat (limited to 'server/setup/05-service-settings/etc/apache2')
-rw-r--r--server/setup/05-service-settings/etc/apache2/acme-and-redirect.conf16
-rw-r--r--server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf11
-rw-r--r--server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf2
3 files changed, 26 insertions, 3 deletions
diff --git a/server/setup/05-service-settings/etc/apache2/acme-and-redirect.conf b/server/setup/05-service-settings/etc/apache2/acme-and-redirect.conf
new file mode 100644
index 0000000..60a41a6
--- /dev/null
+++ b/server/setup/05-service-settings/etc/apache2/acme-and-redirect.conf
@@ -0,0 +1,16 @@
+Alias "/.well-known/acme-challenge/" "/srv/www/jogamp.org/.well-known/acme-challenge/"
+<Directory "/srv/www/jogamp.org/.well-known/acme-challenge/">
+ Require all granted
+</Directory>
+
+RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/.*
+RewriteRule ^ - [L]
+
+# RewriteEngine On
+# RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*
+# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,L,R=301]
+
+# Install letsencrypt `certbot` and create cert via `certbot certonly`
+# using webroot `/srv/www/jogamp.org` for cert `jogamp.org mail.jogamp.org`.
+# Then ensure to reload apache, restart sendmail, dovecot etc via
+# /etc/letsencrypt/renewal-hooks/deploy scripts.
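Review bot: The `<Directory>` block for the challenge path sets only `Require all granted`, so it inherits the remaining settings from the enclosing `/srv/www/jogamp.org` directory section. The context lines of both vhost files show that section with `Options Indexes FollowSymLinks` and `AllowOverride All`, and Apache merges `<Directory>` sections from shortest to longest path regardless of where the `Include` sits. The publicly served, certbot-written directory would therefore allow listings, symlink following and `.htaccess` processing. Adding `Options None` and `AllowOverride None` inside this block limits it to serving plain token files.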
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
index 46582be..fe6124c 100644
--- a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org-ssl.conf
@@ -84,8 +84,11 @@ SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
# SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
- SSLCertificateFile /etc/ssl/local/jogamp2025a.org.crt.pem
- SSLCertificateKeyFile /etc/ssl/local/jogamp2025a.org.key.apache.pem
+ #SSLCertificateFile /etc/ssl/local/jogamp2025a.org.crt.pem
+ #SSLCertificateKeyFile /etc/ssl/local/jogamp2025a.org.key.apache.pem
+
+ SSLCertificateFile /etc/letsencrypt/live/jogamp.org/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/jogamp.org/privkey.pem
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
@@ -100,7 +103,7 @@ SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
#SSLCertificateChainFile /etc/ssl/local/thawte-ca-cert3-20151105.pem
#SSLCertificateChainFile /etc/ssl/local/thawte-ca-cert4-20171102.pem
#SSLCertificateChainFile /etc/ssl/local/thawte-ca-cert5-20181102.pem
- SSLCertificateChainFile /etc/ssl/local/jogamp2025a.org.ca.pem
+ #SSLCertificateChainFile /etc/ssl/local/jogamp2025a.org.ca.pem
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
@@ -214,6 +217,8 @@ SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
# configures the footer on server-generated documents
ServerSignature On
+ Include /etc/apache2/acme-and-redirect.conf
+
<Directory "/srv/www/jogamp.org">
Options Indexes FollowSymLinks
AllowOverride All
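Review bot: The `RewriteCond`/`RewriteRule` pair pulled in by this `Include` only runs if the virtual host itself has `RewriteEngine On`, because the one in acme-and-redirect.conf is commented out and the engine is off by default and not inherited by virtual hosts; the same applies to the `Include` added to jogamp_org.conf. Whether either vhost enables the engine is outside the visible hunks. If the exemption is meant to be active, put `RewriteEngine On` in the included file above the rule; if the HTTP-to-HTTPS redirect is deliberately left disabled, a comment such as `# redirect disabled: port 80 still serves the full site` would record that decision. Should the redirect be enabled later, building the target from a fixed host name instead of `%{HTTP_HOST}` avoids reflecting a client-supplied Host header into the `Location`.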
diff --git a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf
index 90ac67b..935d12e 100644
--- a/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf
+++ b/server/setup/05-service-settings/etc/apache2/sites-available/jogamp_org.conf
@@ -25,6 +25,8 @@
# configures the footer on server-generated documents
ServerSignature On
+ Include /etc/apache2/acme-and-redirect.conf
+
<Directory "/srv/www/jogamp.org">
Options Indexes FollowSymLinks
AllowOverride All