Overview

mod_md Connector for Apache ("the connector") is a solution for automating the enrollment and installation of Sectigo certificates on Apache virtual hosts using the Automatic Certificate Management Environment (ACME) protocol. The connector is based on the mod_md module.

Apache supports ACME integration with a CA via the mod_md module, which provides automatic certificate management for Apache virtual hosts. This module manages the common properties of the domains served by one or more virtual hosts.

The module serves two main purposes:

  • Enrolls/renews certificates via the ACME protocol (RFC 8555). Certificates are renewed by the module ahead of their expiration to prevent disruption of internet services. You can monitor the status of all certificates and configurations, and run your own notification commands on renewal, expiration, and errors.

  • Adds support for External Account Binding (EAB) to extend support to CAs that require EAB values for registering an ACME account with their respective ACME servers. The EAB feature is supported in Apache starting with version 2.4.48 and in mod_md starting with version 2.4.9.

This guide is intended for security administrators and system administrators who manage an Apache server for an organization. It contains instructions for enrolling and managing Sectigo certificates on the Apache server’s virtual hosts. Setting up the Apache server is out of the scope of this guide.

Supported features of the module

  • Apache domain management

  • External account binding

  • RSA (2048, 4096) and ECDSA (secp256r1) support

  • SSL/TLS certificates (DV/OV/EV) enrollment and renewal

  • Single-domain, multi-domain, and wildcard certificates

  • Multiple certificates with different key types (RSA, ECDSA) for a single host

  • Multiple ACME private/public servers for DV, OV, and EV certificates

Execution flow

The module performs the following:

  1. Reads every configuration file from the /etc/apache2/sites-enabled directory.

  2. Checks whether the /etc/apache2/md/staging/<domain_name>/pubcert.pem file is already present:

    • If yes, checks whether the certificate is nearing expiry.

      • If the certificate is nearing expiry, a renewal request is sent to the Sectigo ACME server.

      • If not, then no changes are applied to the certificate.

    • If the file is not present, then the module performs the following actions:

      1. Connects to Sectigo ACME server using the EAB values.

      2. Registers the ACME account with the Sectigo ACME server.

      3. Generates a new key pair (private and public key).

      4. Generates a certificate signing request (CSR) using the public key.

      5. Connects to the Sectigo ACME server using the authenticated token created during the account registration.

      6. Submits the CSR to request a new certificate.

      7. Uploads the CA chain and new server certificate to the /etc/apache2/md/staging/<domain_name> directory. The following naming scheme is applied:

        • pubcert.pem for RSA keys. The pubcert.pem file contains the entire CA chain, including the server certificate.

        • pubcert.secp256r1.pem for ECDSA keys

      8. Moves the key and certificate from /etc/apache2/md/staging/<domain_name> to /etc/apache2/md/domains/<domain_name>.

      9. Enables SSL on the virtual hosts using the configuration provided in the <domain_name>.conf file.

Certificate lifecycle monitoring

Apache uses the mod_watchdog module for continuous monitoring of the certificate lifecycle. mod_watchdog is a facility similar to a crontab: it runs jobs provided by modules at intervals on the server. mod_md runs a watchdog for certificate supervision at least once a day, and after every reload.

The watchdog checks whether all certificates are present as needed (for example, covering all configured names) and whether any of them expire soon (by default, when less than a third of their lifetime is left). If an MDomain needs a new certificate, the watchdog starts an ACME job, whose progress you can observe in the staging directory. If the job encounters errors, a retry is scheduled shortly afterwards. If more errors occur, retry attempts are increasingly delayed (backoff).

The watchdog is unable to reload the service automatically, so a cronjob is used to reload the service and update the certificates from the /etc/apache2/md/staging directory into the /etc/apache2/md/domains directory, allowing the SSL module to use the latest certificate.
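The following Apache configuration is an added illustration of the features described above (EAB registration, two key types per host, the renewal window, notification commands, and a virtual host that takes its certificate from mod_md); it is not part of the original guide or of the mod_md project. The ACME directory URL, EAB key identifier and HMAC key, contact address, domain names, and notification script path are placeholders that must be replaced with the values issued by Sectigo and your own site details.

```apache
# Added example, not from the original guide: one managed domain on a
# Debian-style layout where MDStoreDir resolves to /etc/apache2/md.
LoadModule md_module modules/mod_md.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule watchdog_module modules/mod_watchdog.so

# Location of the staging/ and domains/ directories used by the module.
MDStoreDir /etc/apache2/md

# Sectigo ACME directory endpoint (placeholder URL).
MDCertificateAuthority https://acme.example.invalid/directory
MDCertificateAgreement accepted
MDContactEmail admin@example.com

# External Account Binding: key identifier and base64url HMAC key
# as provided for the ACME account (placeholder values).
MDExternalAccountBinding EAB_KID_PLACEHOLDER EAB_HMAC_KEY_PLACEHOLDER

# Request two certificates per host, one RSA 2048 and one ECDSA P-256.
# They are stored as pubcert.pem and pubcert.secp256r1.pem respectively.
MDPrivateKeys RSA 2048 secp256r1

# Renew once less than a third of the certificate lifetime remains
# (this is also the module default).
MDRenewWindow 33%

# Script invoked on renewal, expiry and error events (placeholder path).
MDMessageCmd /usr/local/bin/md-notify.sh

# Managed domain: both names are covered by the same certificate.
MDomain www.example.com example.com

<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    # No SSLCertificateFile/SSLCertificateKeyFile here: mod_ssl obtains
    # the certificate and key for this host from mod_md's domains/ store.
    SSLEngine on
    DocumentRoot /var/www/example
</VirtualHost>
```

Because the watchdog cannot reload Apache itself, a newly issued certificate only becomes active after the reload performed by the cronjob mentioned above.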

Audience

This guide is intended for IT administrators and network administrators who manage Apache.

Scope

This guide contains instructions for enrolling and managing Sectigo certificates on Apache. It doesn’t cover configuration of the Apache web server.