Automating certificates for httpd webservers with mod_md, which has been considered stable since httpd version 2.4.30. If using mod_md, make sure your Apache httpd version is 2.4.30 or newer. Automation is a lot easier with this method because it does not require installing additional software such as certbot or configuring system timers.

Full module documentation can be found here.

Prerequisites:

mod_md requires mod_watchdog to be loaded by apache
SSLEngine on needs to be present in the <VirtualHost *:443> section of the config files

Listing the modules can be done with:

httpd -M

mod_md is present in most distro repositories and can be installed via the package managers:

dnf install mod_md

mod_md defaults to Let's Encrypt but can be used with any ACME server through the MDCertificateAuthority directive.

Plain example with mod_md:

MDomain example.org
MDHttpProxy http://example-proxy.com:port
MDContactEmail <EMAIL>
MDCertificateAgreement accepted
MDNotifyCmd /usr/bin/systemctl reload httpd

<VirtualHost *:443>
    ServerName example.org
    DocumentRoot htdocs/a

    SSLEngine on
    # no certificates specification
</VirtualHost>

MDomain – tells the module which domain(s) to obtain certificates for
MDHttpProxy – useful in restricted environments where the webserver cannot reach the Let's Encrypt API directly
MDContactEmail – contact address that Let's Encrypt uses for notices such as renewal reminders
MDCertificateAgreement – must be set to accepted, otherwise the certificate request stalls waiting for the terms of service to be accepted
MDNotifyCmd – command run when a new certificate is available; with the value /usr/bin/systemctl reload httpd it reloads Apache gracefully

This setup will, on server start, contact Let’s Encrypt to request a certificate for the domain. If Let’s Encrypt can verify the ownership of the domain, the module will retrieve the certificate and its chain, store it in the local file system (see MDStoreDir) and provide it, on next restart, to mod_ssl.

This happens while the server is already running. All other hosts will continue to work as before. While a certificate is not available, requests for the managed domain will be answered with a ‘503 Service Unavailable’.
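Before restarting with the new config, it is worth checking that the prerequisites above actually hold. The following linter is an added example (not part of the original post or of mod_md itself): it takes the text of `httpd -v`, `httpd -M` and the site config and reports an httpd release older than 2.4.30, missing md/watchdog/ssl modules, a missing `MDCertificateAgreement accepted`, and any managed domain whose `*:443` vhost lacks `SSLEngine on` or still carries a static certificate. The sample inputs are constructed; on a server, feed it the real command output.

```python
import re

MIN_VERSION = (2, 4, 30)  # mod_md is stable from this httpd release onwards

# Constructed samples standing in for real `httpd -v`, `httpd -M` and site config.
SAMPLE_HTTPD_V = "Server version: Apache/2.4.57 (Fedora Linux)"
SAMPLE_HTTPD_M = "Loaded Modules:\n core_module (static)\n ssl_module (shared)\n watchdog_module (shared)\n md_module (shared)\n"
SAMPLE_CONFIG = """MDomain example.org
MDCertificateAgreement accepted
<VirtualHost *:443>
    ServerName example.org
    SSLEngine on
</VirtualHost>
"""

def version_ok(httpd_v):
    """True if `httpd -v` output reports a release of at least 2.4.30."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v)
    return bool(m) and tuple(int(x) for x in m.groups()) >= MIN_VERSION

def loaded_modules(httpd_m):
    """Module names listed by `httpd -M`, e.g. 'md_module (shared)'."""
    return set(re.findall(r"^\s*(\w+_module)", httpd_m, re.M))

def check_setup(config, httpd_m):
    """Return the list of problems found; an empty list means the setup looks sane."""
    problems = []
    mods = loaded_modules(httpd_m)
    for needed in ("md_module", "watchdog_module", "ssl_module"):
        if needed not in mods:
            problems.append(f"{needed} is not loaded")
    # first name on each MDomain line is the managed domain; extra names are aliases
    domains = set(re.findall(r"^\s*MDomain\s+(\S+)", config, re.M))
    if not domains:
        problems.append("no MDomain directive found")
    if not re.search(r"^\s*MDCertificateAgreement\s+accepted\b", config, re.M):
        problems.append("'MDCertificateAgreement accepted' is missing")
    # every managed domain needs a :443 vhost with SSLEngine on and no static cert
    for vh in re.findall(r"<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>", config, re.S):
        name = re.search(r"^\s*ServerName\s+(\S+)", vh, re.M)
        if not name or name.group(1) not in domains:
            continue
        dom = name.group(1)
        if not re.search(r"^\s*SSLEngine\s+on\b", vh, re.M | re.I):
            problems.append(f"{dom}: 'SSLEngine on' missing in its :443 vhost")
        if re.search(r"^\s*SSLCertificate(File|KeyFile)\b", vh, re.M):
            problems.append(f"{dom}: static SSLCertificate* set; mod_md supplies the certificate")
        domains.discard(dom)
    problems += [f"{d}: no <VirtualHost *:443> with a matching ServerName" for d in sorted(domains)]
    return problems
```

Run `check_setup(open(path).read(), subprocess.check_output(["httpd", "-M"], text=True))` on the server; an empty list means the config matches the layout shown above.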

Useful locations post implementation:

mod_md default directory:

/var/lib/httpd/md/

Certificate / keys post deployment found in:

/var/lib/httpd/md/domains/

Check the error_log for issues:

grep -i "md\|acme\|challenge" /var/log/httpd/error_log