The Linux Foundation has announced that it will host the Let's Encrypt project and the Internet Security Research Group (ISRG). The Let's Encrypt CA project was launched by Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organizations; it automatically issues and manages free certificates for websites, accelerating the Web's move from HTTP to HTTPS. ISRG is the non-profit organization that develops the Let's Encrypt CA.
Today I'll walk through deploying a Let's Encrypt certificate on Apache.
· Download the Let's Encrypt client
First, install git:
yum install -y git
Then check out the Let's Encrypt client source:
git clone https://github.com/letsencrypt/letsencrypt
That downloads the Let's Encrypt client.
· Issue the certificate
Enter the directory:
cd letsencrypt
Then generate the certificate with Let's Encrypt's Apache plugin:
./letsencrypt-auto --apache -d linuxmysql.com -d www.linuxmysql.com
It installs the plugin automatically, then asks you for an email address (used for renewal and security notices about the certificate). It also asks whether to keep serving both HTTP and HTTPS, or to force HTTPS.
For deploying a Let's Encrypt certificate on Nginx, see http://bbs.qcloud.com/thread-12059-1-1.html
Hands-on:
Note: running the command also sends an email to the address you entered; the certificate is generated only after you confirm that email.
[root@linuxmysql letsencrypt]# ./letsencrypt-auto --apache -d linuxmysql.com www.linuxmysql.com
usage:
letsencrypt-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: www.linuxmysql.com
[root@linuxmysql letsencrypt]# ./letsencrypt-auto --apache -d linuxmysql.com -d www.linuxmysql.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): rscpass@163.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for linuxmysql.com
http-01 challenge for www.linuxmysql.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/linuxmysql-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/linuxmysql-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/linuxmysql-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://linuxmysql.com and
https://www.linuxmysql.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=linuxmysql.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.linuxmysql.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/linuxmysql.com/fullchain.pem   <- the certificate has been generated
Your key file has been saved at:
/etc/letsencrypt/live/linuxmysql.com/privkey.pem
Your cert will expire on 2019-02-15. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again with the "certonly" option. To
non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
After 90 days you need to re-validate manually:
[root@linuxmysql letsencrypt]# ./letsencrypt-auto certonly --renew-by-default --email rscpass@163.com -d linuxmysql.com -d www.linuxmysql.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for linuxmysql.com
http-01 challenge for www.linuxmysql.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/linuxmysql.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/linuxmysql.com/privkey.pem
Your cert will expire on 2019-02-15. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
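The renewal output above only says where fullchain.pem and privkey.pem were written; it does not verify them. The script below is an added example (not part of the original post) of the two checks a practitioner wants after an issuance or renewal: that the private key actually belongs to the certificate (a mismatch is what makes httpd refuse to start after a botched renewal), and how many days of validity remain, using certbot's own 30-day threshold. It assumes the openssl CLI is installed; LIVE_DIR, the script name check-le.sh and the make_sample_cert fixture are assumptions of this example, and the default directory is the post's own /etc/letsencrypt/live/linuxmysql.com.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the files
# certbot writes under /etc/letsencrypt/live/<domain>/. Requires the openssl
# CLI. LIVE_DIR defaults to the post's domain; override it for other hosts.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/linuxmysql.com}"

# needs_renewal CERT DAYS: succeed (exit 0) when CERT expires within DAYS.
# `openssl x509 -checkend N` exits 0 while the cert stays valid for another
# N seconds, so its result is inverted here.
needs_renewal() {
    cert="$1"; days="$2"
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        return 1      # still valid beyond the window
    fi
    return 0          # expires inside the window: time to renew
}

# cert_key_match CERT KEY: succeed when KEY is the private key for CERT.
# Both commands print the public key in PEM form; equal text means a match.
cert_key_match() {
    cert="$1"; key="$2"
    from_cert=$(openssl x509 -pubkey -noout -in "$cert")
    from_key=$(openssl pkey -in "$key" -pubout)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# make_sample_cert DIR DAYS: constructed test fixture, a throwaway
# self-signed certificate (DIR/cert.pem, DIR/key.pem) valid for DAYS days.
make_sample_cert() {
    dir="$1"; days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=sample.invalid" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# check_live: run both checks on the live directory. Exit 2 on a key
# mismatch, 1 when renewal is due within 30 days (certbot's own threshold).
check_live() {
    cert="$LIVE_DIR/fullchain.pem"; key="$LIVE_DIR/privkey.pem"
    if ! cert_key_match "$cert" "$key"; then
        echo "ERROR: $key does not match $cert" >&2
        return 2
    fi
    if needs_renewal "$cert" 30; then
        echo "WARN: $cert expires within 30 days; run ./letsencrypt-auto renew" >&2
        return 1
    fi
    echo "OK: $cert matches $key and is valid for more than 30 days"
}

# Usage: LIVE_DIR=/etc/letsencrypt/live/example.com sh check-le.sh --check
if [ "${1:-}" = "--check" ]; then
    check_live
fi
```

Run it with `--check` after each `./letsencrypt-auto renew` (or from the same cron job, after the renew command) and alert on a non-zero exit; because it reads the live directory it must run as root or as a user that can read privkey.pem, and it should never copy that key anywhere.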
Once the certificate has been generated, configure Apache's ssl.conf:
Listen 443 https
DocumentRoot "/var/www/html"
# ServerName takes the site's hostname, not the port number (the port is
# set by Listen and the VirtualHost address above).
ServerName www.linuxmysql.com
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/letsencrypt/live/linuxmysql.com/fullchain.pem
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/linuxmysql.com/privkey.pem
Save the file and restart Apache:
service httpd restart
The site is now reachable at https://www.linuxmysql.com
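The ssl.conf fragment above shows only the directives that were changed. For reference, here is a complete pair of virtual hosts, added as an example that is not the post's own configuration nor the file certbot's --apache installer generated (/etc/httpd/conf.d/linuxmysql-le-ssl.conf): it serves the post's domain from the certificate paths shown in the certbot output and adds the HTTP-to-HTTPS redirect that option 2 of the prompt would have configured. The DocumentRoot and hostnames are the post's; everything else is an assumption of this example.

```apache
# Added example (not the post's own config, not certbot's generated file):
# a full HTTPS setup for the post's domain using the files certbot wrote
# under /etc/letsencrypt/live/linuxmysql.com/.
Listen 443 https

# Plain-HTTP vhost: answer on port 80 only to send clients to HTTPS.
# This is what option 2 ("Redirect") of the certbot prompt sets up.
<VirtualHost *:80>
    ServerName www.linuxmysql.com
    ServerAlias linuxmysql.com
    Redirect permanent / https://www.linuxmysql.com/
</VirtualHost>

<VirtualHost *:443>
    # Hostname, not a port number: it must match a name in the certificate.
    ServerName www.linuxmysql.com
    ServerAlias linuxmysql.com
    DocumentRoot "/var/www/html"

    SSLEngine on
    # fullchain.pem = leaf certificate followed by the intermediate chain;
    # serving it (rather than cert.pem) is what makes the chain validate.
    SSLCertificateFile /etc/letsencrypt/live/linuxmysql.com/fullchain.pem
    # Private key: readable by root only; never place it under DocumentRoot.
    SSLCertificateKeyFile /etc/letsencrypt/live/linuxmysql.com/privkey.pem
</VirtualHost>
```

Because the paths point into /etc/letsencrypt/live/, which is a set of symlinks that certbot repoints on every renewal, this configuration does not need editing when the certificate is renewed; only a reload of httpd is required. Run `apachectl configtest` before `service httpd restart` so a typo cannot take the site offline, and then check the result with the SSL Labs URLs certbot printed above.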