Additional features

Certificate renewal on demand

  1. Modify the MDRenewalPeriod directive in the configuration file.

    MDRenewalPeriods 365
  2. Reload the Apache service for the configuration to take effect and to get the new certificate from the Sectigo CA.

    systemctl reload apache2

Auto-renewal

Add the systemctl reload apache2 command to a cronjob so that the Apache service is reloaded at a regular interval; each reload lets mod_md check the certificates and renew those nearing expiry. The cronjob runs at the interval defined in the crontab file. See Crontab.guru for cron schedule expressions.

Example: A crontab entry which executes the reload command once every 24 hours (at midnight). Note that the command must not be wrapped in quotes, otherwise cron would look for a single executable named "systemctl reload apache2".

0 0 * * * systemctl reload apache2 > /dev/null 2>&1

You can confirm that the cronjob is running and triggering reloads by checking the /var/log/apache2/error.log file, where Apache logs each graceful restart. Run the following command to follow the log.

tail -f /var/log/apache2/error.log

Revocation

The current version of mod_md doesn’t support checking the revocation status of a certificate. If you need to re-issue the certificate after it was revoked by the administrator in SCM, make the following change to the configuration file of the certificate and reload the Apache service to trigger re-issuance:

  1. Modify the MDRenewalPeriod directive in the configuration file.

    MDRenewalPeriods 365
  2. Reload the Apache service for the configuration to take effect and to get the new certificate from the Sectigo CA.

    systemctl reload apache2

Apache service and certificate monitoring

Apache uses the mod_watchdog module for continuous monitoring of the certificate lifecycle:

  • mod_watchdog is a facility similar to a crontab. It runs jobs provided by modules at intervals on the server.

  • mod_md runs a watchdog for certificate supervision, at least once a day and after every reload.

  • mod_md’s watchdog checks if all certificates are present as needed (for example, covering all names) and if they expire any time soon (by default, this is when less than a third of their lifetime is left).

  • If an MDomain needs a new certificate, it starts the ACME job which you can then see in staging.

  • If that job encounters errors, a retry is scheduled shortly after. If more errors happen, retry attempts get more and more delayed (backoff).

The watchdog cannot reload the service itself, hence the cronjob is used to reload the service. The reload moves the renewed certificates staged in the /etc/apache2/md/staging directory into the /etc/apache2/md/domains directory, from where the SSL module serves the latest certificate.
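Instead of reloading Apache blindly on every cron run, the wrapper below (an added example, not code from the original page or from the mod_md project) reloads only when mod_md has actually staged a renewed certificate. It assumes the default store layout described above, i.e. a staging/<md-name>/pubcert.pem file under /etc/apache2/md (the MD_STORE, RELOAD_CMD and log file paths are assumptions; adjust them to your MDStoreDir and distribution).

```shell
#!/bin/sh
# md-reload.sh: cron wrapper that reloads Apache only when mod_md has a
# renewed certificate waiting in the staging directory.
# Crontab line (assumed paths), run once a day at midnight:
#   0 0 * * * /usr/local/sbin/md-reload.sh >> /var/log/apache2/md-reload.log 2>&1
MD_STORE="${MD_STORE:-/etc/apache2/md}"             # MDStoreDir (assumption: default)
RELOAD_CMD="${RELOAD_CMD:-systemctl reload apache2}" # reload command from the page

# Print the names of MDomains that have a staged certificate (pubcert.pem)
# not yet activated in the domains/ directory.
staged_domains() {
    store="$1"
    for d in "$store"/staging/*/; do
        [ -f "${d}pubcert.pem" ] || continue
        basename "$d"
    done
}

# Reload Apache only if at least one MDomain is staged.
# Returns 0 when a reload was run, 1 when there was nothing to do.
reload_if_staged() {
    store="$1"
    staged=$(staged_domains "$store")
    if [ -z "$staged" ]; then
        return 1
    fi
    echo "$(date -u +%FT%TZ) reloading Apache, staged: $(echo "$staged" | tr '\n' ' ')"
    $RELOAD_CMD   # intentionally unquoted so the command word-splits
}

# Entry point for cron: exit 0 in both cases so cron does not mail on "nothing to do".
reload_if_staged "$MD_STORE" || :
```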

Certificate decommissioning

If you decide to revoke and decommission a certificate from further usage:

  1. Log in to SCM, find the certificate by its Common Name, and revoke it.

  2. Log in to your Apache server machine, navigate to the /etc/apache2/sites-enabled directory, and remove the corresponding configuration file that was created for the certificate. This will prevent a new certificate creation for the decommissioned virtual host.