I don’t normally like linking documentation, but I recently deployed this feature and I found it very enjoyable. (Some caveats noted in a blog post, I didn’t link it because it’s just a brief note plus a link to this page.)
The tl;dr is that it enables Apache to automatically request and renew ACME (you know, Let’s Encrypt) certificates with one line in httpd.conf per virtual host. (Well, plus one globally to accept the EULA.) There’s no need to mention the location of the certificates or anything like that - Apache will automatically handle it for you. It’s a great leap in terms of usability, for standing up a quick web server with a TLS certificate.
It makes me wish ACME was further integrated into applications or perhaps even OSes. It’d be great if having a certificate for a server was simply part of standing it up.
That’s why I started using Caddy originally, although the breaking changes (and complete re-architecture of the configuration interface) between v1 and v2 soured me on it a little.
It’s still really nice, though!
https://git.catgirl.ai/ext0l/nixos-config/src/branch/master/machines/blade-barrage/nginx.nix
Obligatory NixOS shilling. This is my nginx config for my machine that hosts a bunch of different domains and gets one certificate to cover them all (I can’t use wildcard certs for annoying reasons). The forceSSL config enables automatic SSL redirects (and I believe HSTS as well). Behind the scenes, of course, this all gets transformed into nginx/acme configuration. But I don’t have to worry about file locations or any of that myself.
Neat! How generalizable is this? This could be really interesting if it’s just some kind of trait you can implement when defining a kind of service in Nix; i.e. any instance of a server with TLS could have this applied.
I think it ultimately winds up making changes to security.acme.certs, which is the underlying configuration mechanism for ACME. So that logic is between anything that uses TLS. You’d still need to write the plumbing that tells your server where to find the certs and how to deal with when they rotate, of course.
After experimenting with this, I am not sure how to solve the “graceful restart” automatically after a certificate has been obtained (or renewed). It seems you have to reload/restart Apache manually to actually start using the certificate. Just configuring it will not be enough! This is quite unfortunate and I wonder why the watchdog requirement does not take care of this?