2021年8月13日星期五

使用Certbot自动申请Let's Encrypt的SSL证书

 Let’s Encrypt

一个公益性质的免费SSL证书签发的机构,目前由Linux Foundation托管。

Let’s Encrypt的证书可通过Certbot申请,有效期是90天,可以通过Certbot自动续期。

正文

环境:

  • OS: Debian 10 Buster i686
  • WebServer: Apache 2.4.38

安装Certbot

BASH
1
2
sudo apt update
sudo apt install certbot

申请证书

此操作需要root权限

BASH
1
sudo certbot certonly

等待片刻……

CODE
1
2
3
4
5
6
7
8
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

这里进行网站的身份验证,简单来说就是检查你要开通SSL的网站是否归你。

  1. 启用一个临时的Web服务器;

  2. 将文件放在网站根目录中。

由于我的Web服务部署在本地,所以我选2。

CODE
1
2
3
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):

在这里输入你的域名,这里以www.ussr.gov为例。

CODE
1
2
3
4
5
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): www.ussr.gov
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.ussr.gov
Input the webroot for www.ussr.gov: (Enter 'c' to cancel):

在这里输入网站的根目录。Apache2的默认网站根目录是/var/www/html

CODE
1
Waiting for verification...

然后就会提示这样的信息,稍等片刻就能返回结果。

CODE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.ussr.gov/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.ussr.gov/privkey.pem
Your cert will expire on 2018-01-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

如果有这样的提示,那么就说明证书办成功了。

记住这两个路径:

  • chain: /etc/letsencrypt/live/www.ussr.gov/fullchain.pem
  • key: /etc/letsencrypt/live/www.ussr.gov/privkey.pem

配置服务

如果你使用的是nginx,可以参考nginx添加ssl证书升级为https(免费证书)

可以直接参考第二部分的内容,因为你已经拿到证书了。

以下的内容的环境是Debian特色apache2,其他OS下面的大同小异。

首先,我们要启用Apache2的SSL子站点配置文件。

BASH
1
2
cd /etc/apache2
ln -s sites-available/default-ssl.conf sites-enabled/000-default-ssl.conf

然后修改sites-enabled下面的000-default-ssl.conf

CODE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# 以下内容省略源配置文件中的注释
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin stalin@ussr.gov

DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# SSLEngine必须启用
SSLEngine on

# 下面是需要修改的内容
#
# SSLCertificateFile 证书文件(/etc/letsencrypt/live/www.ussr.gov/fullchain.pem)
# SSLCertificateKeyFile 私钥文件 (/etc/letsencrypt/live/www.ussr.gov/privkey.pem)
SSLCertificateFile /etc/letsencrypt/live/www.ussr.gov/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.ussr.gov/privkey.pem



<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
#Header set Access-Control-Allow-Methods "www.wssr.gov"
SSLOptions +StdEnvVars
</Directory>



</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

修改完,启用Apache2的SSL模块。

BASH
1
2
sudo a2enmode ssl
sudo systemctl restart apache2

顺利的话,是可以通过https访问网站的。

(完)

参考

没有评论:

发表评论