目录

Apache HTTPD使用Let's Encrypt

Apache HTTPD使用Let's Encrypt实现安全连接(https)

安装cerbot:

1
2
yum update -y 
yum install -y cerbot

生成高安全性的DH秘钥到/etc/ssl/certs/目录当中去:

1
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

运行以下命令创建目录, 并使它可写为Apache服务器:

1
2
3
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

为了避免复制代码和配置更易于维护, 创建以下两个配置代码片段:

  • 编辑/etc/apache2/conf-available/letsencrypt.conf
1
2
3
4
5
6
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
  • 编辑/etc/apache2/conf-available/ssl-params.conf:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" 

Header always set Strict-Transport-Security "max-age=63072000"

进行启用配置文件之前, 确保mod_ssl mod_headers已经被启用:

1
2
sudo a2enmod ssl
sudo a2enmod headers

然后, 启用SSL配置文件, 运行以下命令即可:

1
2
sudo a2enconf letsencrypt
sudo a2enconf ssl-params

启用HTTP/2模块:

1
sudo a2enmod http2

重启httpd让配置生效:

1
systemctl restart httpd

现在,我们可以使用webroot插件运行Certbot工具并获取SSL证书文件:

1
sudo certbot certonly --agree-tos --email agou-ops@foxmail.com --webroot -w /var/lib/letsencrypt/ -d agou-ops.top -d www.agou-ops.top

如果输出以下信息, 则表已经成功申请到SSL证书文件:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/agou-ops.top/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/agou-ops.top/privkey.pem
   Your cert will expire on 2020-10-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

配置虚拟主机

创建一个虚拟主机conf.d/agou-ops-top.conf(仅为示例):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
<VirtualHost *:80> 
  ServerName mail.agou-ops.top

  Redirect permanent / https://mail.agou-ops.top/
</VirtualHost>

<VirtualHost *:443>
  ServerName mail.agou-ops.top

  Protocols h2 http:/1.1

  <If "%{HTTP_HOST} == 'www.mail.agou-ops.top'">
    Redirect permanent / https://mail.agou-ops.top/
  </If>

  DocumentRoot /var/www/mail.agou-ops.top/public_html
  ErrorLog ${APACHE_LOG_DIR}/mail.agou-ops.top-error.log
  CustomLog ${APACHE_LOG_DIR}/mail.agou-ops.top-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/mail.agou-ops.top/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mail.agou-ops.top/privkey.pem

  # Other Apache Configuration

</VirtualHost>

重载httpd使虚拟主机配置生效:

1
systemctl  reload httpd

现在, 就可以通过https访问你的站点了: https://agou-ops.top

自动更新Let’s Encrypt证书

Let’s Encrypt的证书有效期为90天, 自动更新证书到期前,certbot包创建一个计划, 一天两次, 并自动更新任何证书到期前30天.

解决方法, 添加定时任务, /etc/cron.d/cerbot, 内容如下所示:

1
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"

测试更新, 使用certbot的干跑模式进行测试:

1
sudo certbot renew --dry-run

参考链接