Tech Monger

Programming, Web Development and Computer Science.


How Certbot Modifies Apache Configuration Files

If you installed a Let's Encrypt SSL certificate with the certbot client on an Apache web server, certbot will have made configuration changes to that server. It is worth noting those changes so that you can debug Apache later on. We installed certificates on Debian running Apache, and the configuration changes made by certbot are described below.


Let's Encrypt Certificate File Location

When you install SSL certificates from Let's Encrypt on Linux, the files are stored at the following locations.

File              Location
Certificate File  /etc/letsencrypt/live/www.example.com/fullchain.pem
Private Key File  /etc/letsencrypt/live/www.example.com/privkey.pem

Let's Encrypt Apache SSL Configuration File

Certbot creates a Let's Encrypt specific SSL configuration file, 000-default-le-ssl.conf, for the Apache web server inside /etc/apache2/sites-available. For the most part it inherits its configuration from the file default-ssl.conf in the same directory, and it appends the following details related to the SSL certificate.

If you are using a Fedora-based distro such as Red Hat, you will see similar Apache configuration files inside /etc/httpd/conf/.

ServerName www.example.com
SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

Note how the last line includes Apache SSL configuration from the file options-ssl-apache.conf in Let's Encrypt's configuration directory.
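
An added example, not part of the original article and not certbot's own code: a shell check that reads the certificate-related directives shown above from a vhost file, confirms that every referenced path exists, and flags a world-readable private key. The function names, the optional ROOT prefix and the temporary sample tree are assumptions made for this illustration.

```sh
# Added example: audit the files a certbot-written Apache vhost refers to.

# le_directives FILE: print "tag path" for each certificate-related directive.
le_directives() {
    awk '$1 ~ /^#/ { next }
         { d = tolower($1); p = $2; gsub(/"/, "", p) }
         d == "sslcertificatefile"    { print "cert", p }
         d == "sslcertificatekeyfile" { print "key", p }
         d == "include" && p ~ /letsencrypt/ { print "include", p }' "$1"
}

# audit_vhost FILE [ROOT]: report each path; ROOT is a prefix for test trees.
# Exit status is 0 only if every path exists and the key is not world-readable.
audit_vhost() {
    le_directives "$1" | (
        bad=0
        while read -r tag path; do
            file=${2:-}$path
            if [ ! -e "$file" ]; then
                echo "MISSING $tag $path"; bad=1
            elif [ "$tag" = key ] &&
                 [ -n "$(find -L "$file" -prune -perm -004)" ]; then
                echo "WORLD-READABLE $tag $path"; bad=1
            else
                echo "OK $tag $path"
            fi
        done
        exit "$bad"
    )
}

# make_sample DIR: constructed tree that mirrors the paths used on this page.
make_sample() {
    live=$1/etc/letsencrypt/live/www.example.com
    mkdir -p "$live" "$1/etc/apache2/sites-available"
    : > "$live/fullchain.pem"; : > "$live/privkey.pem"
    chmod 600 "$live/privkey.pem"
    : > "$1/etc/letsencrypt/options-ssl-apache.conf"
    cat > "$1/etc/apache2/sites-available/000-default-le-ssl.conf" <<'EOF'
ServerName www.example.com
SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
EOF
}

tmp=$(mktemp -d); make_sample "$tmp"
audit_vhost "$tmp/etc/apache2/sites-available/000-default-le-ssl.conf" "$tmp" ||
    echo "problems found"
rm -rf "$tmp"
```

On a real server, run audit_vhost as root against /etc/apache2/sites-available/000-default-le-ssl.conf with no ROOT argument.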


Let's Encrypt Redirect Configuration

If you opted for the HTTP to HTTPS redirect during certificate installation, certbot modifies the file 000-default.conf inside /etc/apache2/sites-available and creates a redirect rule like the one below.

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

WWW Redirect to HTTPS Website

It is very common practice to redirect non-www traffic to the www version of a website. If you want to configure a non-www to www redirect for your site, you will have to do it manually by modifying the configuration files as shown below.

It is highly advisable to back up configuration files before making any modification so that the configuration can be restored if needed.

Redirect Non WWW Traffic to WWW

Redirect non-www traffic arriving over HTTP to www by adding the following rule inside /etc/apache2/sites-available/000-default.conf, below the existing rule.

RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://www.%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

It will redirect all non-www traffic to the www version of the website over HTTP, and the www version of the website will in turn redirect it to the secure version of the www website. This avoids an SSL security exception error in the browser.

Redirect Non WWW HTTPS Traffic to HTTPS WWW

Redirect non-www HTTPS traffic to www HTTPS by adding the following rule inside /etc/apache2/sites-available/000-default.conf before the closing VirtualHost tag.

ServerName www.example.com
SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://www.%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Conclusion

We have seen how certbot modifies existing Apache configuration files to add Let's Encrypt SSL details. We have also seen the redirect rules added by certbot and how to manually add further rules that redirect non-www traffic to the secure www version of the website.