Feature #1
Set up letsencrypt certs (for https) auto-renewal
Description
Status quo:
redmine.d10r.net is served via Apache reverse proxy on h1.d10r.net, where the https config is also located.
The certificate is from letsencrypt (https://letsencrypt.org/).
Setup was done using the cli tool letsencrypt installed via Debian package. Note that the package is flagged as obsolete due to the renaming of the tool to certbot, however this package can't be installed for an unknown reason:
The following packages have unmet dependencies:
certbot : Depends: python-certbot (= 0.8.1-2~bpo8+1) but it is not going to be installed
Thus for now I just keep using the letsencrypt command.
In theory the tool can adjust the Apache config itself. However I use Apache Macros for the proxy config files, which the tool can't handle. Thus I used manual mode for renewing:
letsencrypt renew --manual
This is now also added as a cronjob (executed monthly).
For now the only purpose of that cronjob is to trigger an email notification if anything is written to stderr. Once that happens, check if/how it can be further automated.
The manual method authorizes a domain by checking the existence of a specific file, e.g. in this case http://redmine.d10r.net/.well-known/acme-challenge/p3-78vtlmHKLSR0lKeqhnhk_TQ3A0ee43V6U1QpQ1Z0.
Needs to be seen if this file / its contents need to be changed for renewal.
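The file check described above is the ACME http-01 challenge. As an added example (not code from this issue or from the letsencrypt/certbot project), the following Python shows what the validation server computes when it fetches that path: the expected file body is the token joined with a "." to the account key's JWK thumbprint (RFC 7638; key authorization per RFC 8555 section 8.1), and the token is issued fresh for every order, so both the file name and its body differ on each renewal. The account key values are constructed placeholders, not a real key; the token is the one quoted in the issue.

```python
"""http-01 challenge check: what an ACME server verifies when it fetches
http://<domain>/.well-known/acme-challenge/<token>.

Added example, not part of the issue or of the letsencrypt/certbot code base.
The account key below is a constructed placeholder, not a real key.
"""
import base64
import hashlib
import json
import re

# RFC 8555 section 8.3: a token consists of base64url characters only,
# without padding. Anything else is rejected before it can touch a path.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without trailing '=' padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with lexicographically sorted keys and no whitespace.
    Optional members such as "alg" or "kid" must not influence the result."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the body the client must serve under
    /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """URL path the ACME server fetches. Tokens that fail the alphabet check
    are refused so that a hostile token can never escape the
    acme-challenge directory when mapped onto a filesystem."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    return f"/.well-known/acme-challenge/{token}"


def verify_http01_response(token: str, served_body: str, account_jwk: dict) -> bool:
    """Server-side check: the body must equal the key authorization exactly,
    except for trailing whitespace, which RFC 8555 tells servers to ignore."""
    if not TOKEN_RE.match(token):
        return False
    return served_body.rstrip() == key_authorization(token, account_jwk)


# Constructed sample account key (not a real key; values chosen arbitrarily).
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample-modulus-not-a-real-key",
    "alg": "RS256",  # optional member: must not affect the thumbprint
}
# Token taken from the challenge URL quoted in the issue.
SAMPLE_TOKEN = "p3-78vtlmHKLSR0lKeqhnhk_TQ3A0ee43V6U1QpQ1Z0"

if __name__ == "__main__":
    body = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print("serve at", challenge_path(SAMPLE_TOKEN))
    print("with body", body)
    print("valid:", verify_http01_response(SAMPLE_TOKEN, body + "\n", SAMPLE_JWK))
```

Because the expected body is derived from the account key, the same client account produces files whose suffix never changes; only the token prefix (and thus the file name) is new per order, which is why a renewal cannot reuse the previous challenge file.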
The Apache config needs no update on renewal. Probably a reload of the Apache daemon is needed in order to read the updated pem file (service apache2 reload).
History
#1 Updated by didi over 7 years ago
- Project changed from 3 to lab10
#2 Updated by didi over 7 years ago
letsencrypt certonly --manual -d sub.lab10.io --standalone-supported-challenges http-01
#3 Updated by didi over 7 years ago
auto renew failed for chat.lab10.io and code.lab10.io.
Trying with letsencrypt certonly -d chat.lab10.io --preferred-challenges dns --manual
Not sure if renew will work for that.
Btw. the --post-hook argument may be useful for deploying certs.
letsencrypt certs expire after 90 days (can't be changed).
wildcard certs are announced for 2018.