acme-client and multiple domains periodic renewal

David Mehler dave.mehler at
Thu Jan 18 21:04:56 UTC 2018


Thanks for your response. What my eventual end goal is, is to get
universal https access for all my domains except for the acme-client
validation, which I understand must be done over http, so that is http,
everything else https. I'm using FreeBSD 10.3 and Apache 2.4.

I've got two domains each with a number of subdomains so they are SAN
certificates. I've taken out the redirects as that is appearing to
cause errors in validation.

Ideally I'd like my SAN certificates to be updated when they are due,
currently mine is not. Peter, if you could let me take a look at your
config, compare it to mine, I'd appreciate it.

Here's my configuration:

In httpd.conf:
# Access to .well-known for acme-challenge keys
        <Directory "/usr/local/www/.well-known/">
           Options None
           AllowOverride None
           Require all granted
           Header add Content-Type text/plain
        </Directory>

In a virtual host file:
# Virtual host file

<VirtualHost *:80>
    ServerAdmin webmaster at
    DocumentRoot "/usr/vhosts/"

    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's acme-client
    Alias /.well-known/ /usr/local/www/.well-known/

# The below block doesn't work with acme-challenges
    # Anything that isn't going to gets forwarded to the https site
    #RewriteEngine on
    #RewriteCond %{REQUEST_URI} !^/.well-known
    #RewriteRule (.*)$1 [R=301,L]
# attempted to with redirect
#Redirect /

    ErrorLog "/usr/vhosts/"
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster at
    DocumentRoot "/usr/vhosts/"

SSLEngine on
SSLCertificateFile "/usr/local/etc/ssl/acme/"
SSLCertificateKeyFile "/usr/local/etc/ssl/acme/private/"
SSLCertificateChainFile "/usr/local/etc/ssl/acme/"

    <Directory "/usr/vhosts/">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l /usr/vhosts/ 86400" combined
    </IfModule>

# Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>


On 1/18/18, Peter Boosten <peter at> wrote:
> I have a SAN certificate, and it has been renewed several times now.
> Let me know what you want to know exactly (will be home in a couple of
> minutes)
> Peter
>> On 18 Jan 2018, at 20:07, David Mehler <dave.mehler at> wrote:
>> Hello,
>> If anyone has acme-client going with multiple domains and updating
>> through periodic.conf please email me, I'd like to know your
>> configuration?
>> Every time I think I get this going three months later the certificates
>> don't renew and I get invalid ssl certificates when attempting to
>> access the web sites.
>> Thanks.
>> Dave.

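One common way to express the goal stated in the message above (challenge files served over plain HTTP, everything else redirected to HTTPS), as an added example that is not part of the original post or either poster's configuration. The host names `example.org` and `www.example.org` are placeholders and the `acme-challenge` subdirectory in the exemption is an assumption; the `/usr/local/www/.well-known/` path is the one from the post.

```apache
# Added example; host names are placeholders, paths are the ones from the post.
# Requires mod_rewrite and mod_alias to be loaded.

<Directory "/usr/local/www/.well-known/">
    Options None
    AllowOverride None
    Require all granted
</Directory>

<VirtualHost *:80>
    ServerName example.org
    ServerAlias www.example.org

    # HTTP-01 validation fetches /.well-known/acme-challenge/<token> on port 80,
    # so the shared challenge directory is mapped into every port-80 vhost.
    Alias /.well-known/ /usr/local/www/.well-known/

    RewriteEngine On
    # Exempt only the challenge path. The dot is escaped and the pattern is
    # anchored, so look-alike paths such as /Xwell-known are still redirected.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # Everything else goes to the same host name and path over HTTPS, which
    # keeps each name in a SAN certificate on its own host.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After `apachectl configtest` and a reload, a test file placed under the challenge directory should come back with status 200 over `http://`, while any other URL on port 80 should return a 301 to `https://`.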