Apache HTTPD使用Let's Encrypt实现安全连接(https)
安装cerbot:
1
2
| yum update -y
yum install -y cerbot
|
生成高安全性的DH秘钥到/etc/ssl/certs/目录当中去:
1
| sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
|
运行以下命令创建目录, 并使它可写为Apache服务器:
1
2
3
| sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
|
为了避免复制代码和配置更易于维护, 创建以下两个配置代码片段:
- 编辑
/etc/apache2/conf-available/letsencrypt.conf
1
2
3
4
5
6
| Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
AllowOverride None
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
|
- 编辑
/etc/apache2/conf-available/ssl-params.conf:
1
2
3
4
5
6
7
8
9
10
11
12
| SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Header always set Strict-Transport-Security "max-age=63072000"
|
进行启用配置文件之前, 确保mod_ssl 和mod_headers已经被启用:
1
2
| sudo a2enmod ssl
sudo a2enmod headers
|
然后, 启用SSL配置文件, 运行以下命令即可:
1
2
| sudo a2enconf letsencrypt
sudo a2enconf ssl-params
|
启用HTTP/2模块:
重启httpd让配置生效:
1
| systemctl restart httpd
|
现在,我们可以使用webroot插件运行Certbot工具并获取SSL证书文件:
1
| sudo certbot certonly --agree-tos --email agou-ops@foxmail.com --webroot -w /var/lib/letsencrypt/ -d agou-ops.top -d www.agou-ops.top
|
如果输出以下信息, 则表已经成功申请到SSL证书文件:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/agou-ops.top/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/agou-ops.top/privkey.pem
Your cert will expire on 2020-10-06. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
|
配置虚拟主机
创建一个虚拟主机conf.d/agou-ops-top.conf(仅为示例):
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| <VirtualHost *:80>
ServerName mail.agou-ops.top
Redirect permanent / https://mail.agou-ops.top/
</VirtualHost>
<VirtualHost *:443>
ServerName mail.agou-ops.top
Protocols h2 http:/1.1
<If "%{HTTP_HOST} == 'www.mail.agou-ops.top'">
Redirect permanent / https://mail.agou-ops.top/
</If>
DocumentRoot /var/www/mail.agou-ops.top/public_html
ErrorLog ${APACHE_LOG_DIR}/mail.agou-ops.top-error.log
CustomLog ${APACHE_LOG_DIR}/mail.agou-ops.top-access.log combined
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/mail.agou-ops.top/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mail.agou-ops.top/privkey.pem
# Other Apache Configuration
</VirtualHost>
|
重载httpd使虚拟主机配置生效:
现在, 就可以通过https访问你的站点了: https://agou-ops.top
自动更新Let’s Encrypt证书
Let’s Encrypt的证书有效期为90天, 自动更新证书到期前,certbot包创建一个计划, 一天两次, 并自动更新任何证书到期前30天.
解决方法, 添加定时任务, /etc/cron.d/cerbot, 内容如下所示:
1
| 0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"
|
测试更新, 使用certbot的干跑模式进行测试:
1
| sudo certbot renew --dry-run
|
参考链接
