mod_md: is a restart always required for auto updates?

mod_md: is a restart always required for auto updates?

Tom Browder
I'm running Apache 2.4.43 and just added my first managed virtual host
with mod_md and all worked fine. Now I want to move all my other
virtual hosts to the same process but I have a few questions first:

1. For an auto renewal for the current managed domain, will I have to
manually restart each time?

2. After I follow the recommendations for the move of the other
domains, will they require an initial manual restart?

3. According to my reading of the docs, using OCSP via mod_md looks to
be the best practice. Am I correct?

Thank you.

Best regards,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: mod_md: is a restart always required for auto updates?

Stefan Eissing


> On 13.07.2020 at 18:10, Tom Browder <[hidden email]> wrote:
>
> I'm running Apache 2.4.43 and just added my first managed virtual host
> with mod_md and all worked fine. Now I want to move all my other
> virtual hosts to the same process but I have a few questions first:
>
> 1. For an auto renewal for the current managed domain, will I have to
> manually restart each time?

Clarification: only a reload (graceful) is necessary, not stop+start.
 
Since the renewal is done usually a month in advance, you have plenty of time. My Debian systemd-controlled apache is restarted gracefully each day anyway, for example.

> 2. After I follow the recommendations for the move of the other
> domains, will they require an initial manual restart?

For a new domain, mod_md initially installs a "fallback" certificate that is not trusted by browsers, but lets the server start with your configuration. It usually takes a minute to obtain the Let's Encrypt cert. Do a graceful reload afterwards and your site should be up.
>
> 3. According to my reading of the docs, using OCSP via mod_md looks to
> be the best practice. Am I correct?

It is designed to be more reliable and also offers monitoring. But it is a new thing and bugs may be found.

Cheers, Stefan

>
> Thank you.
>
> Best regards,
>
> -Tom
>




Re: mod_md: is a restart always required for auto updates?

Tom Browder
On Tue, Jul 14, 2020 at 02:01 Stefan Eissing <[hidden email]> wrote:
> > 1. For an auto renewal for the current managed domain, will I have to
> > manually restart each time?
> Clarification: only a reload (graceful) is necessary, not stop+start.

Good point, thanks.

> Since the renewal is done usually a month in advance, you have plenty of time. My Debian systemd-controlled apache is restarted gracefully each day anyway, for example.

Was that systemd installed by Debian or did you modify Debian's files or install your own?

I haven't yet installed a systemd file because I'm not sure how best to create a satisfactory one. I would like a daily graceful restart even if I have to create a manual cron job.

> > 3. According to my reading of the docs, using OCSP via mod_md looks to
> > be the best practice. Am I correct?
>
> It is designed to be more reliable and also offers monitoring. But it is a new thing and bugs may be found.

I think I will try it. I have nothing really mission critical running.

Thank you very much, Stefan!

Cheers,

-Tom

Re: mod_md: is a restart always required for auto updates?

Stefan Eissing


> On 14.07.2020 at 16:48, Tom Browder <[hidden email]> wrote:
>
> On Tue, Jul 14, 2020 at 02:01 Stefan Eissing <[hidden email]> wrote:
> > 1. For an auto renewal for the current managed domain, will I have to
> > manually restart each time?
> Clarification: only a reload (graceful) is necessary, not stop+start.
>
> Good point, thanks.
>
> Since the renewal is done usually a month in advance, you have plenty of time. My Debian systemd-controlled apache is restarted gracefully each day anyway, for example.
>
> Was that systemd installed by Debian or did you modify Debian's files or install your own?

I am using the plain Debian sid setup.

> I haven't yet installed a systemd file because I'm not sure how best to create a satisfactory one.  I would like a daily graceful restart even if I have to create a manual cron job.
>
> > 3. According to my reading of the docs, using OCSP via mod_md looks to
> > be the best practice. Am I correct?
>
> It is designed to be more reliable and also offers monitoring. But it is a new thing and bugs may be found.
>
> I think I will try it. I have nothing really mission critical running.
>
> Thank you very much, Stefan!
>
> Cheers,
>
> -Tom


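
The daily graceful reload discussed in this thread can be limited to days on which mod_md has actually staged a renewed certificate. The script below is an added example, not part of any message above; the store path `/etc/apache2/md` and the `staging/<domain>/pubcert*.pem` layout are assumptions about the local mod_md file store, and `md-reload.sh` is a hypothetical file name.

```shell
#!/bin/sh
# Added example: graceful reload only when mod_md has staged a renewed cert.
# Assumptions (not from the thread): the store path below and the
# staging/<domain>/pubcert*.pem layout of mod_md's file store.
MD_STORE="${MD_STORE:-/etc/apache2/md}"   # assumed MDStoreDir location
APACHECTL="${APACHECTL:-apachectl}"

# Print one domain per line for every staged certificate awaiting a reload.
staged_domains() {
    store="$1"
    [ -d "$store/staging" ] || return 0
    for dir in "$store"/staging/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        for cert in "$dir"pubcert*.pem; do
            if [ -s "$cert" ]; then        # non-empty certificate file
                basename "$dir"
                break
            fi
        done
    done
}

# Return 0 after a reload, 1 if nothing was staged, 2 if a step failed.
reload_if_staged() {
    domains=$(staged_domains "$1")
    [ -n "$domains" ] || return 1
    # Check the configuration first so a broken edit is reported
    # with its own exit code instead of being reloaded.
    "$APACHECTL" configtest >/dev/null 2>&1 || return 2
    "$APACHECTL" graceful || return 2
    echo "reloaded for: $(echo "$domains" | tr '\n' ' ')"
}

# Cron entry (constructed): 17 4 * * * root /usr/local/sbin/md-reload.sh --run
if [ "${1:-}" = "--run" ]; then
    reload_if_staged "$MD_STORE"
    rc=$?
    [ "$rc" -eq 1 ] && exit 0              # nothing staged is not an error
    exit "$rc"
fi
```

The store directory holds private keys and is normally readable only by root, so the job has to run as root.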