
Apache 2.4 basic usage

Wouter Tinus edited this page Jul 2, 2019 · 14 revisions

Getting .pem files

To get the certificate in the correct format for Apache (i.e. .pem files), you have to activate the PemFiles store plugin for each of your renewals. For new renewals this can be done either from the command line with --store pemfiles or from the main menu with the M option, where it will be posed as a question ("How would you like to store this certificate?").

Existing renewals that were set up without the PemFiles store plugin (which unfortunately includes those imported from 1.9.x) cannot be modified with a command line switch or a settings change. You will have to re-create them one by one, or manually modify the .json files on disk.

To create a certificate using win-acme for Apache servers, follow these steps:

Interactive

  • Choose M - Create new certificate (full options)
  • Choose 4 - Manually input host names
  • Input the domain name(s)
  • Choose or accept the friendly name
  • Pick a validation method. Most common would be 5 - Save file on local or network path
  • Pick your key type
  • Now the critical part: at "How would you like to store this certificate?" pick 3 - Write .pem files to folder (Apache, nginx, etc.)
  • And so on...

Unattended

wacs.exe --target manual --host www.example.com --validation filesystem --webroot "C:\htdocs\www\mywebsiteroot" --store pemfiles --pemfilespath C:\PEM

Tip

If you don't want to have to specify the path for the .pem files each time, you can edit settings.config in the program directory and set the DefaultPemFilesPath option.

WACS then runs through the whole request (see the sample output below):

 [INFO] Windows Acme Simple (WACS)
 [INFO] Software version 198.4.6605.15190 (RELEASE)
 [INFO] IIS not detected
 [INFO] ACME Server https://acme-v02.api.letsencrypt.org
 [INFO] Please report issues at https://github.com/PKISharp/win-acme

 [INFO] Running in Unattended mode
 [INFO] Plugin Manual generated target [Manual] [1 binding - www.domainname.com]
 [INFO] Authorize identifier: www.domainname.com
 [INFO] Authorizing www.domainname.com using http-01 validation (FileSystem)
 [INFO] Answer should now be browsable at http://www.domainname.com/.well-known/acme-challenge/6u6NbnLxhDMbj6u1yjMg35AOvxNe1WQl7DP8-QCps_w
 [INFO] Authorization result: valid
 [INFO] Requesting certificate www.domainname.com 2018/2/12 5:25:05 PM
 [INFO] Saving certificate to C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
 [INFO] Installing certificate in the certificate store
 [INFO] Adding certificate www.domainname.com 2018/2/12 5:25:05 PM to store My
 [INFO] Adding Task Scheduler entry with the following settings
 [INFO] - win-acme renew (acme-v02.api.letsencrypt.org)
 [INFO] - Path C:\Program Files (x86)\win-acme
 [INFO] - Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
 [INFO] - Start at 09:00:00
 [INFO] - Time limit 02:00:00
 [INFO] Adding renewal for www.domainname.com
 [INFO] Next renewal scheduled at 2018/4/8 9:25:10 AM 

Configuring Apache

To use certificates obtained with WACS with the Apache 2.4 server, add the following to the Apache24\conf\extra\httpd-vhosts.conf file (you could make these changes in the \Apache24\conf\extra\httpd-ssl.conf file instead if you prefer):

Define CERTROOT "C:/apache-certs"
Define SITEROOT "C:/htdocs/www"
....
<VirtualHost *:443>
    ServerName www.domainname.com
    DocumentRoot "${SITEROOT}/mywebsiteroot"
....
    SSLEngine on
    SSLCertificateFile "${CERTROOT}/www.domainname.com-chain.pem"
    SSLCertificateKeyFile "${CERTROOT}/www.domainname.com-key.pem"
</VirtualHost>

Obviously replace www.domainname.com with your actual domain name (or IP address, if that is what you signed up with), set SITEROOT to the folder where your site files are hosted, and set CERTROOT to the folder where the certificate files were written; just copy whatever path was printed at the command prompt when you created the certificate file. In my case it was under the ProgramData folder on C:.

Note: for XAMPP users, you don't need the /mywebsiteroot after "${SITEROOT}", so that line should just read DocumentRoot "${SITEROOT}"; otherwise (at least in my case) visiting your domain page results in an "Object not found" 404 error.

Also, by Apache's rules a backslash is an escape character, so to use backslashes as directory separators you are supposed to double them, e.g. C:\\XAMPP\\Apache\\somestuff. Apparently the developers have patched it so that it doesn't really matter whether you double the backslashes or use forward slashes instead; they all work the same, at least as of XAMPP version 3.2.2.

Addendum

If you want to use your own folder to store the certificates, you can use this cmd script to copy them (saved, for example, as installcert.cmd):

@echo off
rem Usage: installcert.cmd LEWSuriDirectory CertFolder DomainName
rem %1 = win-acme server folder under %ProgramData%\win-acme, %2 = target folder, %3 = domain
if "%~1" == "" exit /b 1
if not exist "%~2" md "%~2" >nul
set certlist=%~3-chain.pem,%~3-key.pem
echo Script running...
rem Copy the chain and key written by the PemFiles store into the Apache cert folder
for %%a in (%certlist%) do copy /y "%ProgramData%\win-acme\%~1\%%a" "%~2\" >nul && echo. [INFO] Install %%a to Certificate Store in %~2... OK || echo. [WARN] Install certificate %%a failed!
echo. [INFO] Restarting service...
C:\Apache24\bin\httpd.exe -k restart
echo. [INFO] Service restarted.
echo. [INFO] Script finished.

The script is called with the parameters: LEWSuriDirectory CertFolder DomainName

For example:

wacs.exe --target manual --host www.domainname.com --webroot "C:\htdocs\www\mywebsiteroot" --validation filesystem --script "installcert.cmd" --scriptparameters "httpsacme-v01.api.letsencrypt.org C:\cert www.domainname.com"

You must also point the certificate paths in your httpd-vhosts.conf at the new certificate folder.
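The copy script above restarts Apache whether or not the two .pem files are actually usable. The following pre-flight check is an added example (not part of win-acme or this wiki's own script): it verifies that the chain file holds only DER-encoded certificates, that the key file holds exactly one private key, and that neither file has been swapped or had a key pasted into the chain, using only the Python standard library; the folder and domain names are assumptions matching the page's naming scheme.

```python
# Constructed pre-flight check for the <domain>-chain.pem / <domain>-key.pem
# pair written by the PemFiles store. Not part of win-acme; stdlib only.
import base64
import re
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_block(label, der):
    """Wrap DER bytes as one PEM block (used to build constructed samples)."""
    body = base64.encodebytes(der).decode().replace("\n", "")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def split_pem(text):
    """Return [(label, der_bytes)] per PEM block; raises ValueError on bad base64."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_BLOCK.findall(text)]

def check_pem_pair(chain_text, key_text):
    """Return a list of problems; an empty list means the pair looks sane."""
    try:
        chain, key = split_pem(chain_text), split_pem(key_text)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return [f"PEM body is not valid base64: {exc}"]
    problems = []
    if not chain:
        problems.append("chain file contains no PEM certificate block")
    for label, der in chain:
        if label != "CERTIFICATE":  # e.g. a private key pasted into the chain
            problems.append(f"chain file contains a {label} block")
        elif not der or der[0] != 0x30:  # every X.509 cert is a DER SEQUENCE
            problems.append("certificate block is not a DER SEQUENCE")
    if len(key) != 1:
        problems.append(f"key file should hold exactly one block, found {len(key)}")
    for label, der in key:
        if label not in KEY_LABELS:  # e.g. chain and key files swapped
            problems.append(f"key file contains a {label} block, not a private key")
        elif not der or der[0] != 0x30:
            problems.append("private key block is not a DER SEQUENCE")
    return problems

def check_pem_files(pem_dir, domain):
    """Check the pair for one domain, e.g. C:\\PEM from --pemfilespath."""
    paths = [Path(pem_dir) / f"{domain}-{k}.pem" for k in ("chain", "key")]
    if missing := [p.name for p in paths if not p.is_file()]:
        return ["missing file(s): " + ", ".join(missing)]
    return check_pem_pair(*(p.read_text() for p in paths))
```

Run check_pem_files before the copy step and skip the httpd restart when it returns any problem, so a half-written or mismatched pair never takes the site down.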

NOTE: Do not forget to uncomment LoadModule ssl_module modules/mod_ssl.so in the Apache24\conf\httpd.conf file if it isn't already uncommented. You also need to add Listen 443 (or Listen 80 443). If you follow this guide, check that all paths are correct for your setup.

Reference: https://github.com/PKISharp/win-acme/issues/738

Verifying the generated Scheduled Task for renewal

  • open the windows "Task Scheduler"
  • click on "Task Scheduler Library"
  • look for a task with a name similar to "win-acme renew"
  • double-click the task
    • select "History" to see recent actions
    • select "Triggers" to edit the scheduled time

Renew Manually

You can renew manually by executing the following at the command line:

wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"