Using SSL Wildcard Cert on Apache



  • Anyone have a guide on how to setup SSL without using LE? I have a wildcard cert that I would like to use but can't figure it out. I've been cruising the apache website for some information but I cannot figure out what I need.



  • @mattbagan Most of us here are running a reverse proxy using NGINX.

    Any reason you don't want to use LE?



  • @aaronstuder I would like to use my wildcard because I've already paid for it.



  • @mattbagan said in Install Nextcloud 13.0.0 on Fedora 27:

    @aaronstuder I would like to use my wildcard because I've already paid for it.

    Right, I get that but LE is free, so I see no downsides 🙂

    You can still setup a NGINX reverse proxy with your existing cert if you want, you would just need to change the .conf file to point to your cert.

    https://mangolassi.it/topic/16651/install-nginx-as-a-reverse-proxy-on-fedora-27



  • @mattbagan said in Install Nextcloud 13.0.0 on Fedora 27:

    @aaronstuder I would like to use my wildcard because I've already paid for it.

    Sunk cost. Using the LE one is also "already paid for" and using it doesn't cause you to lose the other wildcard.

    But the logic of wanting to use something inferior only because it cost money doesn't make sense. That's like paying for it again. First you paid money, now you are paying with your time and effort.

    Nothing wrong with wanting to use it, but if it costs you one second of additional effort, it was a bad choice. And it isn't like you want to renew it, so you will want to switch to LE eventually anyway. The sooner to go to LE, the less cost to you overall.



  • @aaronstuder said in Install Nextcloud 13.0.0 on Fedora 27:

    @mattbagan said in Install Nextcloud 13.0.0 on Fedora 27:

    @aaronstuder I would like to use my wildcard because I've already paid for it.

    Right, I get that but LE is free, so I see no downsides 🙂

    You can still setup a NGINX reverse proxy with your existing cert if you want, you would just need to change the .conf file to point to your cert.

    https://mangolassi.it/topic/16651/install-nginx-as-a-reverse-proxy-on-fedora-27

    This is the wrong logic. Setting up LE is the right thing. setting up a Reverse Proxy for no reason is not.

    These are not two tied together things.



  • @scottalanmiller said in Install Nextcloud 13.0.0 on Fedora 27:

    @mattbagan said in Install Nextcloud 13.0.0 on Fedora 27:

    @aaronstuder I would like to use my wildcard because I've already paid for it.

    Sunk cost. Using the LE one is also "already paid for" and using it doesn't cause you to lose the other wildcard.

    But the logic of wanting to use something inferior only because it cost money doesn't make sense. That's like paying for it again. First you paid money, now you are paying with your time and effort.

    Nothing wrong with wanting to use it, but if it costs you one second of additional effort, it was a bad choice. And it isn't like you want to renew it, so you will want to switch to LE eventually anyway. The sooner to go to LE, the less cost to you overall.

    I've used LE on my original nextcloud installation but I wanted to see if I can set it up without the awesome automation help. So I can get a better understanding on how apache works. I'm not saying my cert is better then LE, I just want to use it because I have it.



  • @scottalanmiller said in Install Nextcloud 13.0.0 on Fedora 27:

    @mattbagan said in Install Nextcloud 13.0.0 on Fedora 27:

    @aaronstuder I would like to use my wildcard because I've already paid for it.

    Sunk cost. Using the LE one is also "already paid for" and using it doesn't cause you to lose the other wildcard.

    But the logic of wanting to use something inferior only because it cost money doesn't make sense. That's like paying for it again. First you paid money, now you are paying with your time and effort.

    Nothing wrong with wanting to use it, but if it costs you one second of additional effort, it was a bad choice. And it isn't like you want to renew it, so you will want to switch to LE eventually anyway. The sooner to go to LE, the less cost to you overall.

    Along this line, if you setup LE with certbot and then setup a timer to renew it daily, you will never see this again.

    If you use your wildcard cert, you will have to update it again when it expires.

    But, that said, setting up SSL on Apache is not all that hard. Let me look for an example.



  • @mattbagan said in Install Nextcloud 13.0.0 on Fedora 27:

    I just want to use it because I have it.

    But by that logic, you already have the LE cert, too. Using something just because you "already have it" is bad logic.

    If this is purely for learning, that's fine. Just understand that you are making it harder purely for the purpose of learning and that there is no business value in the existing cert whether it was free or a billion dollars. It's value today is just a tiny bit lower than zero, because LE is the best and free.

    If the goal is learning how Apache can use certs, that'll be identical using LE or whatever cert you have.

    But really should be a new thread purely about applying SSL certs to Apache, as it isn't related to this thread or to NextCloud. It's purely just an Apache cert question at that point. Otherwise, you'll get people asking about Nginx and stuff.



  • @scottalanmiller said in Using SSL Wildcard Cert on Apache:

    If this is purely for learning, that's fine.

    He said, probably while you were replying, that is was to learn SSL setup on Apache. so, yeah, a great way to go about this.



  • For basic SSL you need only a couple things in your vhost file.

    The vhost file goes in /etc/httpd/conf.d/

    <VirtualHost *:443>
        DocumentRoot /var/www/html/nextcloud
        ServerName www.yourdomain.com
            SSLEngine on
            SSLCertificateFile /path/to/your_domain_name.crt
            SSLCertificateKeyFile /path/to/your_private.key
            SSLCertificateChainFile /path/to/you_ca_chain.crt
    </VirtualHost>
    


  • @JaredBusch said in Using SSL Wildcard Cert on Apache:

    For basic SSL you need only a couple things in your vhost file.

    The vhost file goes in /etc/httpd/conf.d/

    <VirtualHost *:443>
        DocumentRoot /var/www/html/nextcloud
        ServerName www.yourdomain.com
            SSLEngine on
            SSLCertificateFile /path/to/your_domain_name.crt
            SSLCertificateKeyFile /path/to/your_private.key
            SSLCertificateChainFile /path/to/you_ca_chain.crt
    </VirtualHost>
    

    Would I combine the new information with the existing nextcloud conf?



  • @JaredBusch said in Using SSL Wildcard Cert on Apache:

    Along this line, if you setup LE with certbot and then setup a timer to renew it daily, you will never see this again.
    If you use your wildcard cert, you will have to update it again when it expires.
    But, that said, setting up SSL on Apache is not all that hard. Let me look for an example.

    certbot renews wildcards as well using a DNS plugin.

    https://certbot.eff.org/docs/using.html#dns-plugins

    You don't always have to setup a timer, Ubuntu for example automatically sets up a cron job when the package is installed.



  • @mattbagan said in Using SSL Wildcard Cert on Apache:

    @JaredBusch said in Using SSL Wildcard Cert on Apache:

    For basic SSL you need only a couple things in your vhost file.

    The vhost file goes in /etc/httpd/conf.d/

    <VirtualHost *:443>
        DocumentRoot /var/www/html/nextcloud
        ServerName www.yourdomain.com
            SSLEngine on
            SSLCertificateFile /path/to/your_domain_name.crt
            SSLCertificateKeyFile /path/to/your_private.key
            SSLCertificateChainFile /path/to/you_ca_chain.crt
    </VirtualHost>
    

    Would I combine the new information with the existing nextcloud conf?

    You should. It doens't technically matter, but for organization, I would keep things in one file.

    It is simply a second VirtualHost block.



  • @aaronstuder said in Using SSL Wildcard Cert on Apache:

    @JaredBusch said in Using SSL Wildcard Cert on Apache:

    Along this line, if you setup LE with certbot and then setup a timer to renew it daily, you will never see this again.
    If you use your wildcard cert, you will have to update it again when it expires.
    But, that said, setting up SSL on Apache is not all that hard. Let me look for an example.

    certbot renews wildcards as well.

    You don't always have to setup a timer, Ubuntu for example automatically sets up a cron job when the package is installed.

    Would you just stop?





  • Your not allowed to talk @aaronstuder shhhhh 😂😂



  • @aaronstuder said in Using SSL Wildcard Cert on Apache:

    @JaredBusch ???

    Learning process, not for production.



  • @travisdh1 said in Using SSL Wildcard Cert on Apache:

    @aaronstuder said in Using SSL Wildcard Cert on Apache:

    @JaredBusch ???

    Learning process, not for production.

    He did state this to be fair that he didn't want to use the automation of LE and to learn the manual process of adding a SSL cert to Apache.



  • @mattbagan said in Using SSL Wildcard Cert on Apache:

    @scottalanmiller said in Install Nextcloud 13.0.0 on Fedora 27:

    @mattbagan said in Install Nextcloud 13.0.0 on Fedora 27:

    @aaronstuder I would like to use my wildcard because I've already paid for it.

    Sunk cost. Using the LE one is also "already paid for" and using it doesn't cause you to lose the other wildcard.

    But the logic of wanting to use something inferior only because it cost money doesn't make sense. That's like paying for it again. First you paid money, now you are paying with your time and effort.

    Nothing wrong with wanting to use it, but if it costs you one second of additional effort, it was a bad choice. And it isn't like you want to renew it, so you will want to switch to LE eventually anyway. The sooner to go to LE, the less cost to you overall.

    I've used LE on my original nextcloud installation but I wanted to see if I can set it up without the awesome automation help. So I can get a better understanding on how apache works. I'm not saying my cert is better then LE, I just want to use it because I have it.

    You will waste a lot more time, effort, and money using this cert you already "paid" for than if you use LE.

    Once you set up LE, that's it. You're done. Forever. No more buying a new one. No more setting up a new one (LE is 100% automated).

    If you use your "paid" cert, you'll have to do some work at least two more times on this server...

    1. Install and configure your paid cert on Apache.
    2. Once paid cert expires, remove it from Apache.
    3. Set up LE cert anyways.

    IMO, I'd rather skip 1 and 2 and go right to 3. It's cheaper, easier, and safer.



  • @JaredBusch said in Using SSL Wildcard Cert on Apache:

    @mattbagan said in Using SSL Wildcard Cert on Apache:

    @JaredBusch said in Using SSL Wildcard Cert on Apache:

    For basic SSL you need only a couple things in your vhost file.

    The vhost file goes in /etc/httpd/conf.d/

    <VirtualHost *:443>
        DocumentRoot /var/www/html/nextcloud
        ServerName www.yourdomain.com
            SSLEngine on
            SSLCertificateFile /path/to/your_domain_name.crt
            SSLCertificateKeyFile /path/to/your_private.key
            SSLCertificateChainFile /path/to/you_ca_chain.crt
    </VirtualHost>
    

    Would I combine the new information with the existing nextcloud conf?

    You should. It doens't technically matter, but for organization, I would keep things in one file.

    It is simply a second VirtualHost block.

    After looking at my conf, I only have one virtualhost block. That config layout for sure doesn't work.

    <VirtualHost *:443>
        DocumentRoot /var/www/html/nextcloud
        ServerName www.cloud.example.com
            SSLEngine on
            SSLCertificateFile /etc/pki/tls/certs/
            your_domain_name.crt
            SSLCertificateKeyFile /etc/pki/tls/certs
            /your_private.key
            SSLCertificateChainFile /etc/pki/tls/certs
            /you_ca_chain.crt
    </VirtualHost>
    
    Alias /nextcloud "/var/www/html/nextcloud/"
    <Directory "/var/www/html/nextcloud">
      Options +FollowSymLinks
      AllowOverride All
    
      <IfModule mod_dav.c>
            Dav off
      </IfModule>
    
      SetEnv HOME /var/www/html/nextcloud
      SetEnv HTTP_HOME /var/www/html/nextcloud
    </Directory>
    
    <Directory "/var/www/nextcloud/data/">
      # just in case if .htaccess gets disabled
        Require all denied
    </Directory>
    


  • @aaronstuder said in Using SSL Wildcard Cert on Apache:

    @JaredBusch said in Using SSL Wildcard Cert on Apache:

    Along this line, if you setup LE with certbot and then setup a timer to renew it daily, you will never see this again.
    If you use your wildcard cert, you will have to update it again when it expires.
    But, that said, setting up SSL on Apache is not all that hard. Let me look for an example.

    certbot renews wildcards as well using a DNS plugin.

    https://certbot.eff.org/docs/using.html#dns-plugins

    You don't always have to setup a timer, Ubuntu for example automatically sets up a cron job when the package is installed.

    cron is being phased out


Log in to reply