From 524ac0931a497200243168f73fc73c0c4647d248 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sun, 24 Aug 2025 20:07:15 -0500
Subject: [PATCH] websites/hlc: Switch to mod_md for cert management

To avoid having separate certificates for the canonical
_www.hatchlearningcenter.org_ site and all the redirects, we'll combine
these virtual hosts into one.  We can use a `RewriteCond` to avoid the
redirect for the canonical name itself.
---
 .../files/hatchlearningcenter.org.httpd.conf  | 24 ++++---------------
 1 file changed, 4 insertions(+), 20 deletions(-)

diff --git a/roles/websites/hatchlearningcenter.org/files/hatchlearningcenter.org.httpd.conf b/roles/websites/hatchlearningcenter.org/files/hatchlearningcenter.org.httpd.conf
index 5e67d87..de9003b 100644
--- a/roles/websites/hatchlearningcenter.org/files/hatchlearningcenter.org.httpd.conf
+++ b/roles/websites/hatchlearningcenter.org/files/hatchlearningcenter.org.httpd.conf
@@ -1,4 +1,6 @@
 # vim: set ft=apache sw=4 ts=4 sts=4 et :
+MDomain hatchlearningcenter.org
+
 <VirtualHost *:80>
     ServerName hatchlearningcenter.org
     ServerAlias \
@@ -21,6 +23,7 @@
 <VirtualHost _default_:443>
     ServerName hatchlearningcenter.org
     ServerAlias \
+        www.hatchlearningcenter.org \
         hatchlearningcenter.com \
         www.hatchlearningcenter.com \
         hlcks.org \
@@ -34,31 +37,12 @@
 
     Include conf.d/ssl.include
 
-    SSLCertificateFile /etc/pki/tls/certs/hatchlearningcenter.org.cer
-    SSLCertificateKeyFile /etc/pki/tls/private/hatchlearningcenter.org.key
-    SSLCertificateChainFile /etc/pki/tls/certs/hatchlearningcenter.org.cer
-
     Header always set \
         Strict-Transport-Security "max-age=63072000; includeSubDomains"
 
     RewriteEngine On
+    RewriteCond %{SERVER_NAME} !^www\.hatchlearningcenter\.org$
     RewriteRule /.* https://www.hatchlearningcenter.org$0 [R=301,L]
-</VirtualHost>
-
-<VirtualHost _default_:443>
-    ServerName www.hatchlearningcenter.org
-
-    Include conf.d/ssl.include
-
-    SSLCertificateFile /etc/pki/tls/certs/hatchlearningcenter.org.cer
-    SSLCertificateKeyFile /etc/pki/tls/private/hatchlearningcenter.org.key
-    SSLCertificateChainFile /etc/pki/tls/certs/hatchlearningcenter.org.cer
-
-    Header always set \
-        Strict-Transport-Security "max-age=63072000; includeSubDomains"
-
-    SSLProxyEngine On
-    RewriteEngine On
 
     DocumentRoot /srv/www/hatchlearningcenter.org/htdocs
     <Directory /srv/www/hatchlearningcenter.org/htdocs>