让我们加密 是一家广为人知的证书颁发机构,为网站提供免费 SSL 证书,于 2016 年 4 月推出。
在 Certbot 客户端的帮助下,证书的创建、验证、签名、实施和证书更新都是完全自动化的。
先决条件
按照链接获取 LAMP 堆栈或仅 Apache 安装在您的系统上的网络服务器。
读: 如何在 CentOS 8 / RHEL 8 上安装 LAMP 堆栈
读: 如何在 CentOS 7 / RHEL 7 上安装 LAMP 堆栈
安装 Certbot 客户端
要为任何域生成和安装证书,您应该具有终端访问权限,并且 Certbot ACME 客户端 安装在系统上。 Certbot 客户端可在不停机的情况下自动颁发和安装证书。
Certbot 客户端在 CentOS 7 / RHEL 7 的 EPEL 存储库中可用。 但是,我们需要从 CentOS 8 / RHEL 8 手动下载 Certbot 客户端 它的官方网站.
### CentOS 8 / RHEL 8 ### yum install -y httpd mod_ssl curl -O https://dl.eff.org/certbot-auto mv certbot-auto /usr/local/bin/certbot-auto chmod 0755 /usr/local/bin/certbot-auto ### CentOS 7 ### rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm yum install -y certbot python2-certbot-apache ### RHEL 7 ### rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm subscription-manager repos --enable rhel-7-server-optional-rpms yum install -y certbot python2-certbot-apache
创建虚拟主机
我们将为域创建一个虚拟主机:www.itzgeek.net。
此虚拟主机处理您域的 HTTP 版本。
vi /etc/httpd/conf.d/www.itzgeek.net.conf
使用以下信息。
<VirtualHost *:80> ServerName itzgeek.net ServerAlias www.itzgeek.net DocumentRoot /var/www/www.itzgeek.net <Directory /var/www/www.itzgeek.net> Options -Indexes +FollowSymLinks AllowOverride All </Directory> ErrorLog /var/log/httpd/www.itzgeek.net-error.log CustomLog /var/log/httpd/www.itzgeek.net-access.log combined </VirtualHost>
创建一个文档根来放置您的 HTML 文件。
mkdir -p /var/www/www.itzgeek.net
将 HTML 文件放在域的文档根目录中。
echo "This is a test site @ www.itzgeek.net" > /var/www/www.itzgeek.net/index.html
更改目录的权限。
chown -R apache:apache /var/www/www.itzgeek.net
重新启动 Apache 服务。
systemctl restart httpd
创建/更新 DNS 记录
转到您的域注册商并为您的域创建 A/CNAME 记录。 例如:www.itzgeek.net。
等待一段时间让记录传播。
使用 Nslookup 检查 DNS 传播 yum install -y bind-utils 公用事业。
安装 Let’s Encrypt SSL 证书
使用 证书机器人 命令来生成和安装 Let’s Encrypt 证书。
### RHEL 8 ### /usr/local/bin/certbot-auto --apache ### CentOS 7 / RHEL 7 ### certbot --apache
按照交互式提示安装证书。
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): [email protected] << Enter Email address to receive notifications - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: A << Agree to Terms of Sevice - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y << Subscribe to Newsletter Which names would you like to activate HTTPS for? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: itzgeek.net 2: www.itzgeek.net - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 2 << Choose the domain to install Let's Encrypt SSL certificate Obtaining a new certificate Performing the following challenges: http-01 challenge for www.itzgeek.net Waiting for verification... Cleaning up challenges Created an SSL vhost at /etc/httpd/conf.d/www.itzgeek.net-le-ssl.conf Deploying Certificate to VirtualHost /etc/httpd/conf.d/www.itzgeek.net-le-ssl.conf Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 << Redirect from HTTP to HTTPS Redirecting vhost in /etc/httpd/conf.d/www.itzgeek.net.conf to ssl vhost in /etc/httpd/conf.d/www.itzgeek.net-le-ssl.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully enabled https://www.itzgeek.net You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=www.itzgeek.net - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/www.itzgeek.net/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/www.itzgeek.net/privkey.pem Your cert will expire on 2019-11-10. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot-auto renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
防火墙
配置防火墙以允许 HTTPS 请求。
firewall-cmd --permanent --add-port=443/tcp firewall-cmd --reload
验证让我们加密证书
通过访问您网站的 HTTPS 版本来验证 Let’s Encrypt 证书。
https://your-http-web-site
或者
https://your-https-web-site
您现在应该获得您网站的 HTTPS 版本。
测试让我们加密 SSL 证书
访问以下 URL,测试您的 SSL 证书是否存在问题及其安全等级。
https://www.ssllabs.com/ssltest/analyze.html?d=www.itzgeek.net
更新 Let’s Encrypt 证书
Let’s Encrypt 证书自签发之日起 90 天有效,到期前需要续签。
在 CentOS 7 / RHEL 7 中,默认情况下,certbot 客户端会创建一个 cron 调度程序条目来自动更新 Let’s Encrypt 证书。
不幸的是,对于 CentOS 8 / RHEL 8,我们需要手动配置 cron 调度程序。
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew" | sudo tee -a /etc/crontab > /dev/null
您还可以使用以下命令模拟证书续订过程,以确保续订顺利进行。
### CentOS 8 / RHEL 8 ### /usr/local/bin/certbot-auto renew --dry-run ### CentOS 7 / RHEL 7 ### certbot renew --dry-run
要更新 Let’s Encrypt 证书,请执行上述命令而不 --dry-run 选项。
输出:
Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/www.itzgeek.net.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not due for renewal, but simulating renewal for dry run Plugins selected: Authenticator apache, Installer apache Renewing an existing certificate Performing the following challenges: http-01 challenge for www.itzgeek.net Waiting for verification... Cleaning up challenges - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - new certificate deployed with reload of apache server; fullchain is /etc/letsencrypt/live/www.itzgeek.net/fullchain.pem - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates below have not been saved.) Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/www.itzgeek.net/fullchain.pem (success) ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates above have not been saved.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
如果输出未报告任何问题,则证书续订将按预期进行。
结论
就这样。 我希望你学会了如何设置 Let’s Encrypt SSL Certificate with Apache 在 CentOS 8 / RHEL 8 和 CentOS 7 / RHEL 7 上。在评论部分分享您的反馈。
