Auto updating SSL certs with custom Apache site config

From a basic test, if I have customised /etc/apache2/sites-enabled/subdomain.domain.tld.conf to add some commands to say allow the running of Passenger for a ruby web app, I can get the SSL updates with sudo sympl-ssl --force subdomain.domain.tld, however when I run sudo sympl-web-configure --verbose the following output is provided:

Configuration: subdomain.domain.tld.conf
	Not updating configuration, as it has been edited by hand.
	Already enabled.

On checking the Apache config the SSL certificate has been kept at the older version, and isn’t using latest.

Is there any way to support SSL updates with a custom Apache config?

OS is Debian Buster.
On the testing version of Sympl.
(subdomain.domain.tld is adjusted to the appropriate domain).

Yes, edit the file /etc/apache2/sites-enabled/subdomain.domain.tld.conf and locate the path to the SSL cert and key, which will be something like /srv/subdomain.domain.tld/config/ssl/sets/1/.

Change this to /srv/subdomain.domain.tld/config/ssl/current/ and it should be fine and pick up any changes to the cert when Apache is reloaded (which happens as part of the hooks for sympl-ssl).

The plan is that a later version of Sympl will simply default to using the config/ssl/current/ path, making this unnecessary, but it’s a workaround for now.

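A way to check a hand-edited vhost for the pinned set path described above and repoint it at current/ (added example, not part of the original posts or of Sympl). The certificate file names in the sample vhost are constructed, and set directories are assumed to be numeric like the sets/1/ path quoted above.

```shell
#!/bin/sh
# Added example, not Sympl code. Function names are hypothetical.
# Matches the usual capitalisation of the directives only.

# List (with line numbers) active SSLCertificate* directives pinned to a
# numbered set; these keep serving the old cert after a renewal.
pinned_ssl_paths() {
    grep -nE '^[[:space:]]*SSLCertificate[A-Za-z]*[[:space:]]+.*/config/ssl/sets/[0-9]+/' "$1"
}

# Repoint those directives at config/ssl/current/, keeping a .bak copy.
# Commented-out lines and non-SSL directives are left untouched.
repoint_to_current() {
    conf=$1
    cp -p "$conf" "$conf.bak" || return 1
    sed -E '/^[[:space:]]*SSLCertificate/ s#(/config/ssl/)sets/[0-9]+/#\1current/#' \
        "$conf.bak" > "$conf"
}

# Constructed sample vhost; ssl.crt, ssl.key and ssl.bundle are made-up names.
demo() {
    dir=$(mktemp -d) || return 1
    conf="$dir/subdomain.domain.tld.conf"
    cat > "$conf" <<'EOF'
<VirtualHost *:443>
    ServerName subdomain.domain.tld
    SSLEngine on
    SSLCertificateFile /srv/subdomain.domain.tld/config/ssl/sets/1/ssl.crt
    SSLCertificateKeyFile /srv/subdomain.domain.tld/config/ssl/sets/1/ssl.key
    # SSLCertificateChainFile /srv/subdomain.domain.tld/config/ssl/sets/1/ssl.bundle
    PassengerEnabled on
</VirtualHost>
EOF
    echo "Pinned before:"; pinned_ssl_paths "$conf"
    repoint_to_current "$conf"
    echo "After rewrite:"; grep -n 'SSLCertificate' "$conf"
    rm -rf "$dir"
}
demo
```

Run `apache2ctl configtest` after the rewrite and before any reload, since a faulty file can stop Apache from reloading.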

One of the ways around this under symbiosis was to add an IncludeOptional directive to the master templates (ssl.template.erb & non_ssl.template.erb) with customisations kept in, say, config…

IncludeOptional /srv/<% domain %>/config/apache-*.conf


@alphacabbage1 That’s a really good idea. Do you mind if I steal it for the next update?


Feel free. Thanks 🙂


That’s done the trick, thanks.

For more complex adjustments, the IncludeOptional might not work.

This is now live in all versions of Sympl (and required some creative workarounds for Stretch due to an old Apache bug).

If you now add files in config/apache.d/ with the .conf extension, then they will be read on Apache reload/start.

Caution should be taken however, as a faulty config file can still prevent Apache from starting/reloading, but that was the case previously.

When it’s time for the sympl-web rewrite, it should be possible to identify and disable invalid configurations, but for now, take care!

That should be ‘.conf’ extension!

I’ve been using this a lot in the previously suggested version with files config/apache*.conf and it’s been fantastically useful. Now moved them all to apache.d after the upgrade and it seems to be working as it should.
Thank you for this.


It should yes, edited!
