Keep the Let’s Encrypt SSL certificate for a subdomain/domain after an indi-allsky update

After updating indi-allsky, it often happens that the local self-signed certificate (e.g. allsky.local) is suddenly in use again, although a valid Let’s Encrypt certificate had previously been set up. How to set up that certificate in the first place is explained elsewhere!

***UPDATE: BETTER SOLUTION: custom-setup.sh***

The cause is almost always that the update routine changes or resets the system's Apache configuration. This article shows how to recognize the problem, fix it properly, and configure the setup so that it survives future updates.

1. Cause of the problem: indi-allsky overwrites the default Apache configuration

indi-allsky creates its own Apache configuration file during installation, typically:

/etc/apache2/sites-available/indi-allsky.conf

This file is occasionally overwritten or re-enabled during updates. Since it refers to a self-signed certificate by default, Apache falls back to that certificate after an update. In addition, because the file sorts early alphabetically, it is often loaded first and therefore becomes the “default VirtualHost” for port 443.

2. Diagnosis: Which VirtualHost is active?

A quick look shows which host is actually providing the certificate:

sudo apachectl -S

If the setup is working, the output should contain a line like:

*:443 access.allsky-rodgau.de (/etc/apache2/sites-enabled/000-access.allsky-rodgau.de.conf)

If it shows localhost or indi-allsky.conf instead, Apache is not using the desired certificate.

3. Create and prioritize your own domain configuration

The most stable approach is to create your own Apache configuration file, which indi-allsky will not overwrite. Example:

sudo cp /etc/apache2/sites-available/indi-allsky.conf \
        /etc/apache2/sites-available/000-access.allsky-rodgau.de.conf

Then point the two SSL paths in this new file at the Let’s Encrypt certificate:

SSLCertificateFile /etc/letsencrypt/live/access.allsky-rodgau.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/access.allsky-rodgau.de/privkey.pem

In addition, a unique ServerName should be set:

ServerName access.allsky-rodgau.de

Activate the new file:

sudo a2ensite 000-access.allsky-rodgau.de.conf
sudo systemctl reload apache2

4. Deactivate the old indi-allsky.conf

So that Apache no longer uses the self-signed certificate:

sudo a2dissite indi-allsky.conf
sudo systemctl reload apache2

After deactivation, apachectl -S will only show your own domain as the active SSL host.

5. Digression: Why removing “Listen” directives is important

A common error is that indi-allsky.conf contains its own Listen directives, e.g.:

Listen [::]:443
Listen [::]:80

However, Apache already defines these ports in:

/etc/apache2/ports.conf

If a Listen directive for the same port occurs twice, Apache fails to start with errors such as:

Cannot define multiple Listeners on the same IP:port

Solution: remove all Listen lines from indi-allsky.conf or comment them out. VirtualHosts only need blocks like:

<VirtualHost *:443> ... </VirtualHost>

The ports themselves are not opened in the VirtualHost; that is the job of ports.conf.

6. Restart and function check

After each change, we recommend running:

sudo apachectl configtest
sudo systemctl reload apache2
sudo apachectl -S

The Let’s Encrypt certificate should then appear again under the desired domain.
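The diagnosis in section 2 and the function check above can be automated so a regression after an update is caught immediately. The following script is an added example, not part of the original post: it parses apachectl -S output (two constructed samples are embedded, one healthy, one regressed to indi-allsky.conf), and live_check additionally compares the certificate Apache actually serves against the fullchain.pem on disk. The domain and Let's Encrypt path are assumptions taken from the article's example.

```shell
#!/bin/sh
# Post-update check: does the expected domain own *:443 in `apachectl -S`?
# Constructed sample outputs (not captured from the page's host).
SAMPLE_OK='VirtualHost configuration:
*:443                  access.allsky-rodgau.de (/etc/apache2/sites-enabled/000-access.allsky-rodgau.de.conf:1)
*:80                   access.allsky-rodgau.de (/etc/apache2/sites-enabled/000-access.allsky-rodgau.de.conf:20)
ServerRoot: "/etc/apache2"'

# Regressed state: indi-allsky.conf was re-enabled and is the default again.
SAMPLE_BAD='VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server localhost (/etc/apache2/sites-enabled/indi-allsky.conf:3)
         port 443 namevhost localhost (/etc/apache2/sites-enabled/indi-allsky.conf:3)
         port 443 namevhost access.allsky-rodgau.de (/etc/apache2/sites-enabled/access.allsky-rodgau.de.conf:1)
ServerRoot: "/etc/apache2"'

# Print the ServerName that owns a port: either the single VirtualHost on it, or
# the "default server" of a name-based block (used when no ServerName matches).
vhost_for_port() { # $1 = apachectl -S output, $2 = port number
  printf '%s\n' "$1" | awk -v p="*:$2" '
    $1 == p && $2 != "is" { print $2; exit }
    $1 == p               { inblk = 1; next }
    inblk && $1 == "default" && $2 == "server" { print $3; exit }'
}

# Succeed (exit 0) only when the expected domain is the default for *:443.
check_ssl_vhost() { # $1 = apachectl -S output, $2 = expected domain
  [ "$(vhost_for_port "$1" 443)" = "$2" ]
}

# SHA-256 fingerprint of the leaf certificate Apache actually serves for a name
# (needs openssl and a running server; not exercised offline).
served_fingerprint() { # $1 = domain
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}

# Fingerprint of the Let's Encrypt leaf certificate on disk, for comparison.
file_fingerprint() { # $1 = path to fullchain.pem
  openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Live run on the server itself: both checks must pass after every update.
live_check() { # $1 = domain
  check_ssl_vhost "$(apachectl -S 2>&1)" "$1" || { echo "wrong VirtualHost on *:443"; return 1; }
  [ "$(served_fingerprint "$1")" = "$(file_fingerprint "/etc/letsencrypt/live/$1/fullchain.pem")" ] ||
    { echo "served certificate is not the Let's Encrypt one"; return 1; }
  echo "ok: $1 serves its Let's Encrypt certificate"
}
```

Run live_check access.allsky-rodgau.de on the allsky host after each update; a non-zero exit means the self-signed certificate is back.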

7. Redirecting HTTP requests to HTTPS

To ensure that all unencrypted requests are handled correctly, Apache needs a dedicated VirtualHost for port 80. Without it, any request arriving via http:// is routed to the default host (typically localhost), which can lead to incorrect behavior or missing redirects. With an explicit VirtualHost for port 80, Apache knows that requests for access.allsky-rodgau.de are also handled by your configuration and forwards them straight to HTTPS. A clean implementation looks like this:

<VirtualHost *:80>
    ServerName access.allsky-rodgau.de
    Redirect permanent / https://access.allsky-rodgau.de/
</VirtualHost>

8. Optional: hardening against future updates

There are two useful measures that make the setup more robust without interfering with package updates:

Option A: disable indi-allsky.conf

echo "# disabled by admin" | sudo tee /etc/apache2/sites-available/indi-allsky.conf

If this file is accidentally re-enabled, it does no harm.

Option B: give your own configuration priority

Apache loads VirtualHost files in alphabetical order, so a file whose name begins with 000- is loaded first and becomes the default VirtualHost. This keeps your own VirtualHost dominant even if indi-allsky adds new files during updates.

Note: Setting chattr +i on configuration files is possible, but it may cause error messages during future package updates. I therefore do not recommend this method for production systems.

Conclusion

By moving the SSL configuration into a separate file, setting a unique ServerName and disabling the indi-allsky default configuration, you ensure that Apache always uses the correct Let’s Encrypt certificate. The combination of a prioritized file and the removal of superfluous Listen directives ensures that future updates will not unintentionally change the setup.
