Topic: generating SSL certificates on first access to domain |
|
Author |
|
asters
Joined: 09 Nov 2020 Posts: 2
|
Posted: Mon 09 Nov '20 18:02 Post subject: generating SSL certificates on first access to domain |
|
|
Hi,
I'm trying to build an Apache module that will generate ssl certificates on-first-access to the requested domains.
We provide a service that ends up with a lot of Apache virtual hosts for domains that have to be available, but might never be used. Right now we're generating the ssl certificates when the virtual hosts are created, but it takes a lot of time and resources.
I thought it might be possible to create those certificates on-demand instead:
1. Intercept the request.
2. Check if a certificate for this domain exists.
3. If it doesn't, generate it using Let's Encrypt.
4. Load the page over ssl.
Is this even possible?
I wrote a basic module, but I'm not sure how to hook it so it executes before the ssl module does its ssl stuff.
Any help will be appreciated! Thank you! |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
|
Posted: Wed 11 Nov '20 17:46 Post subject: |
|
|
James is right; there's no direct way to hook a custom module to generate and apply the certificate on first request.
If you're using a script to create the virtual hosts, from a template structure with edits, etc., then can't you include a further script to trigger the Let's Encrypt side of requesting the site certificate, using certbot or the like?
You'll still have to get past the Let's Encrypt server challenge to verify you control the domain you’re requesting a first new certificate for, so can't see you'd be able to fully automate the process. |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Mon 16 Nov '20 12:38 Post subject: |
|
|
mod_md creates certs. |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
Posted: Mon 16 Nov '20 16:44 Post subject: |
|
|
But not on the fly. It needs a restart of Apache to activate a generated certificate. |
|
asters
Joined: 09 Nov 2020 Posts: 2
|
Posted: Wed 18 Nov '20 11:29 Post subject: |
|
|
tangent wrote: | If you're using a script to create the virtual hosts, from a template structure with edits, etc., then can't you include a further script to trigger the Let's Encrypt side of requesting the site certificate, using certbot or the like? |
Yes, we're doing this right now: the script creates virtual hosts and generates certificates for them using certbot. But the goal is to create the virtual hosts using the script, but create certificates on first access to the domains. We're expecting hundreds of domains being added in bulk but in the end only a fraction of them actually being used. It's fine if we create virtual hosts for them all, but we don't want to create the certificates because it takes a long time and then they have to be renewed every two months... for no reason if the domains won't be used.
What we need to do is figure out a way to intercept that https connection before it tries to load the certificate. Doesn't mod_ssl do that somehow? Or what about setting up a reverse proxy and redirecting the https request somewhere where a certificate would be generated and then redirecting it back? |
|
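An added example, not part of the thread and not Apache or mod_ssl code: the interception point asked about above is the TLS SNI step, where the server learns the requested name before it selects a certificate, shown here with Python's standard `ssl` module. The `OnDemandCerts` class and the `issue` hook (which would start the Let's Encrypt request out of band) are hypothetical; issuance is limited to domains the provisioning script already created, only the first request for a domain triggers it, and connections are refused until the certificate is installed.

```python
import re
import ssl
import threading

# Hostname syntax check: the SNI name is untrusted client input.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def _norm(server_name):
    return (server_name or "").lower().rstrip(".")

class OnDemandCerts:
    """Decides what to do with an SNI name before a certificate is chosen."""

    def __init__(self, provisioned, issue):
        self.provisioned = {_norm(d) for d in provisioned}  # vhosts the script created
        self.issue = issue      # hypothetical hook: starts ACME issuance out of band
        self.contexts = {}      # domain -> ssl.SSLContext holding an issued cert
        self.pending = set()    # domains whose issuance is already in flight
        self.lock = threading.Lock()

    def decide(self, server_name):
        name = _norm(server_name)
        if not _HOSTNAME.match(name) or name not in self.provisioned:
            return "reject"     # never request certificates for names we do not host
        with self.lock:
            if name in self.contexts:
                return "serve"
            if name in self.pending:
                return "wait"   # an earlier visitor already triggered issuance
            self.pending.add(name)
        self.issue(name)
        return "issue"

    def installed(self, name, context):
        """Called by the issuance job once the certificate has been loaded."""
        with self.lock:
            self.pending.discard(_norm(name))
            self.contexts[_norm(name)] = context

    def sni_callback(self, sock, server_name, _ctx):
        """Assign to ssl.SSLContext.sni_callback on the listening context."""
        if self.decide(server_name) == "serve":
            sock.context = self.contexts[_norm(server_name)]
            return None         # continue the handshake with the swapped context
        return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME
```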