I’m trying to upgrade our OnDemand deployments from possibly self-signed certs to Let’s Encrypt.
I saw in this discussion that using certbot’s apache plugin instead of webroot was recommended, fine, makes sense. But when using OSC/ood-ansible, do I still need to provide the paths to the certbot certs?
Basically, I’m trying to work out how to avoid apache config clashes between ansible and certbot. Plus I’m a bit confused about the fact that presumably apache is initially going to start (with no certs?), then certbot will generate certs and insert apache config (and presumably reload config).
Currently I have:

ssl:
  - "SSLCertificateFile {{ openondemand_ssl_cert }}"
  - "SSLCertificateKeyFile {{ openondemand_ssl_cert_key }}"
  # following based on https://grok.lsu.edu/article.aspx?articleid=17596
  - SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
  - SSLCipherSuite ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL
  - SSLHonorCipherOrder On
  - SSLCompression off
  - SSLSessionTickets Off

Should I just remove the Cert.. lines? Or is there something more complicated needed here?