Using mod_md to manage Let's Encrypt certificates

February 11, 2021 — Gideon Mayhak

I've been using certbot to manage my Let's Encrypt certificates since I first started using them. Today, I switched to using mod_md to simplify the whole process and remove one dependency from my setup.

Read the friendly manual

There's not much color for me to add here. I pretty much just followed the instructions. Specifically, I made sure I had the prerequisites in place (many of which were already set up from my certbot configuration). The main thing I needed to do to get ready on CentOS 8 was install the mod_md package as root:

# dnf install mod_md

I then followed the instructions for migrating an existing https: host. The only snag I ran into was that SELinux seemed to be preventing httpd from reaching out to Let's Encrypt during the initial setup phase (after enabling mod_md and restarting httpd the first time). I was able to remedy that with this command:

# setsebool -P httpd_can_network_connect on

After restarting httpd again, the rest went as documented. Because I prefer to have all traffic use HTTPS when possible, I added the appropriate MDRequireHttps permanent line to my config as well.

That was easy

I was nervous about switching over, and I put this off for a while. However, it ended up being about as simple as the instructions made it seem. Next, I might attempt switching to Caddy.


I may be misunderstanding the exact intended behavior of MDRequireHttps, but it doesn't seem to redirect all HTTP requests to HTTPS on my server. I went ahead and added a more traditional redirect to my main httpd.conf:

<VirtualHost *:80>
    # Catch-all http: host: any name on port 80 lands here.
    ServerAlias *
    # The redirect target (the site's https:// URL) is empty in this post as published;
    # Redirect without a status keyword sends a 302, use "Redirect permanent" for a 301.
    Redirect "/" ""
</VirtualHost>

That seems to do what I want.
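Putting the steps above together, here is an added example (not the post's own config, and not from the mod_md project) of a minimal mod_md setup for one site, with the port-80 host carrying the managed names so that MDRequireHttps has a host to act on; example.com, the document root and the admin address are placeholders.

```apache
# Added example: one site managed by mod_md after dropping certbot.
# On CentOS 8 the mod_md package already installs the LoadModule line
# under /etc/httpd/conf.modules.d/, so none is repeated here.

# Let's Encrypt terms must be accepted before mod_md will order anything.
MDCertificateAgreement accepted
# mod_md uses ServerAdmin as the ACME account contact when no other is given.
ServerAdmin admin@example.com

# All names listed in one MDomain end up in one certificate and are
# renewed together. Make sure DNS for every name points at this server.
MDomain example.com www.example.com

# Answer plain http: requests for managed names with a 301 to https:.
# mod_md applies this to hosts whose ServerName/ServerAlias belong to the
# MDomain above, so the :80 host below must carry the same names; a host
# with only a wildcard alias is not matched.
MDRequireHttps permanent

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    # No Redirect needed here: mod_md serves /.well-known/acme-challenge/
    # itself for the http-01 challenge, and MDRequireHttps redirects the rest.
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
    # Deliberately no SSLCertificateFile / SSLCertificateKeyFile:
    # mod_md hands the managed certificate and key to mod_ssl at startup.
    DocumentRoot /var/www/example.com
</VirtualHost>
```

After a reload, `httpd -M | grep md` confirms the module is loaded, and the first certificate is fetched in the background; a second reload (or a graceful restart) activates it, as the migration guide describes.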

