How to deploy a Let's Encrypt certificate on Apache && auto-renewal script


The Linux Foundation has announced that it will host the Let's Encrypt project and the Internet Security Research Group (ISRG). The Let's Encrypt CA project was launched by Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organizations; it automatically issues and manages free certificates for websites to speed up the Web's move from HTTP to HTTPS. ISRG is the non-profit organization that develops the Let's Encrypt CA.

Today I'll walk through deploying a Let's Encrypt certificate on Apache.


· Downloading the Let's Encrypt client
    First, install git:
yum install -y git
 
Then check out the Let's Encrypt client source:
git clone https://github.com/letsencrypt/letsencrypt
 
That gives us the Let's Encrypt client. (The repository has since moved to https://github.com/certbot/certbot and the old URL redirects there; the letsencrypt-auto wrapper used below has been deprecated in favour of distribution packages or the certbot snap, but the commands are the same with certbot in place of ./letsencrypt-auto.)


· Issuing the certificate


Enter the directory:
cd letsencrypt
 
Then let the Let's Encrypt Apache plugin obtain and install the certificate (one -d per name):
./letsencrypt-auto --apache -d linuxmysql.com -d www.linuxmysql.com
 
It installs the plugin's dependencies automatically, then asks for an email address (used for expiry and security notices, not for recovering the certificate), asks you to accept the Terms of Service, and finally asks whether to keep serving plain HTTP alongside HTTPS or to redirect every request to HTTPS.
Deploying a Let's Encrypt certificate on Nginx is covered at http://bbs.qcloud.com/thread-12059-1-1.html


Hands-on:
Note: every name needs its own -d; the first attempt below fails because www.linuxmysql.com was passed without one. The email address you enter is only recorded for expiry and security notices. "Waiting for verification..." refers to the http-01 challenge (the CA fetching a token from http://<domain>/.well-known/acme-challenge/ on port 80), not to a confirmation email, and nothing has to be acknowledged by mail before the certificate is issued.
[root@linuxmysql letsencrypt]# ./letsencrypt-auto --apache -d linuxmysql.com www.linuxmysql.com
usage: 
  letsencrypt-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...


Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: unrecognized arguments: www.linuxmysql.com
[root@linuxmysql letsencrypt]# ./letsencrypt-auto --apache -d linuxmysql.com -d www.linuxmysql.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): rscpass@163.com


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for linuxmysql.com
http-01 challenge for www.linuxmysql.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/linuxmysql-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/linuxmysql-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/linuxmysql-le-ssl.conf


Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://linuxmysql.com and
https://www.linuxmysql.com


You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=linuxmysql.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.linuxmysql.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/linuxmysql.com/fullchain.pem   <- certificate generated
   Your key file has been saved at:
   /etc/letsencrypt/live/linuxmysql.com/privkey.pem
   Your cert will expire on 2019-02-15. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again with the "certonly" option. To
   non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:


   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

After 90 days the certificate expires and has to be renewed. Here it is done by hand with certonly and --renew-by-default. Two caveats: --renew-by-default is the old name of --force-renewal and re-issues even when the current certificate is nowhere near expiry (fine for a demo, wasteful in a cron job, since Let's Encrypt rate-limits duplicate certificates); and because this run ends with "Installer None", it only writes new files under /etc/letsencrypt/live, so Apache keeps serving the old certificate until httpd is reloaded. For routine renewal, "letsencrypt-auto renew", which the output itself recommends, renews only certificates within 30 days of expiry and is what belongs in cron.
[root@linuxmysql letsencrypt]# ./letsencrypt-auto certonly --renew-by-default --email rscpass@163.com -d linuxmysql.com -d www.linuxmysql.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log


How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for linuxmysql.com
http-01 challenge for www.linuxmysql.com
Waiting for verification...
Cleaning up challenges


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/linuxmysql.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/linuxmysql.com/privkey.pem
   Your cert will expire on 2019-02-15. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:


   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
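The title promises an auto-renewal script, but the page only shows the manual certonly run above, so here is one written for this edit; it is not the blog author's script and not part of Certbot. It also wraps the first issuance from the earlier section as a non-interactive command. Assumptions, all overridable through environment variables: the client lives at /root/letsencrypt/letsencrypt-auto (the clone location implied above), the certificate lineage is linuxmysql.com with www.linuxmysql.com as its second name, the contact address is the one from the transcript, Apache is reloaded with "service httpd reload", and the deploy check connects to the public hostname on port 443. The renewal path calls "renew" only inside the last 30 days, reloads Apache afterwards, and then compares the certificate the server presents with the file on disk, which is the check that catches a renewed file httpd never picked up.

```shell
#!/bin/sh
# renew-le.sh: non-interactive issuance and cron-driven renewal for the
# certificate from this post. Added example, not the blog author's script and
# not part of Certbot. Assumptions (override via environment):
#   CERTBOT    the client cloned above, /root/letsencrypt/letsencrypt-auto
#   DOMAIN     certificate lineage name, linuxmysql.com (www. is added as a SAN)
#   EMAIL      contact address for expiry/security notices
#   RELOAD_CMD how Apache is reloaded on this host
#
# Cron entry (daily; renewal only happens inside the last RENEW_DAYS days):
#   0 3 * * * /usr/local/sbin/renew-le.sh run >>/var/log/letsencrypt/renew-cron.log 2>&1

CERTBOT="${CERTBOT:-/root/letsencrypt/letsencrypt-auto}"
DOMAIN="${DOMAIN:-linuxmysql.com}"
EMAIL="${EMAIL:-rscpass@163.com}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"
RENEW_DAYS="${RENEW_DAYS:-30}"
RELOAD_CMD="${RELOAD_CMD:-service httpd reload}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"; }

# Succeeds if the certificate in $1 is still valid $2 days from now; fails if
# it expires inside that window or cannot be read (openssl does the date math).
cert_valid_for_days() {
    [ -r "$1" ] || return 2
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate the server actually presents for $1 (SNI).
served_fingerprint() {
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# True when what Apache serves is the file on disk. This is the check that
# catches a renewed certonly/renew file that httpd was never reloaded to read.
deployed_matches_file() {
    [ "$(served_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# First issuance, same as the interactive --apache run above but scriptable:
# the TOS, email, EFF question and redirect choice are answered by flags.
issue() {
    "$CERTBOT" --apache --non-interactive --agree-tos --no-eff-email \
        --email "$EMAIL" --redirect -d "$DOMAIN" -d "www.$DOMAIN"
}

renew_if_needed() {
    cert="$LIVE_DIR/fullchain.pem"
    if cert_valid_for_days "$cert" "$RENEW_DAYS"; then
        log "$DOMAIN: more than $RENEW_DAYS days left, nothing to do"
        return 0
    fi
    log "$DOMAIN: renewing"
    # 'renew' reuses the settings saved under /etc/letsencrypt/renewal/ at
    # issuance. No --renew-by-default/--force-renewal here: that re-issues on
    # every run and quickly hits Let's Encrypt's duplicate-certificate limit.
    if ! "$CERTBOT" renew --non-interactive; then
        log "$DOMAIN: renewal FAILED, see /var/log/letsencrypt/letsencrypt.log"
        return 1
    fi
    # Apache reads the PEM files only at start/reload; a new file alone changes nothing.
    $RELOAD_CMD || { log "$DOMAIN: reload failed"; return 1; }
    if deployed_matches_file "$DOMAIN" "$cert"; then
        log "$DOMAIN: renewed and deployed, $(cert_fingerprint "$cert")"
    else
        log "$DOMAIN: WARNING: file renewed but $DOMAIN still serves a different certificate"
        return 1
    fi
}

case "${1:-}" in
    issue) issue ;;
    run)   renew_if_needed ;;
    check) deployed_matches_file "$DOMAIN" "$LIVE_DIR/fullchain.pem" \
               && echo "$DOMAIN serves $LIVE_DIR/fullchain.pem" ;;
esac
```

Install it as /usr/local/sbin/renew-le.sh, run "renew-le.sh issue" once, add the cron line from the header, and use "renew-le.sh check" at any time to confirm that the served certificate matches fullchain.pem. The issuance uses --redirect; pass --no-redirect instead to keep plain HTTP reachable as the run in the post did.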

Once the certificate exists, point Apache's ssl.conf at it (on CentOS this is /etc/httpd/conf.d/ssl.conf; the DocumentRoot, ServerName and SSL* directives below belong inside its <VirtualHost _default_:443> block, which already contains SSLEngine on). The --apache run above already wrote an equivalent vhost to /etc/httpd/conf.d/linuxmysql-le-ssl.conf, so this step is only needed when the certificate was obtained with certonly or when the default SSL vhost should use the same certificate. ServerName must be the site's hostname, optionally followed by the port; the original text had "ServerName 443", which is a port, not a hostname.
Listen 443 https
DocumentRoot "/var/www/html"
ServerName www.linuxmysql.com:443
#   Server Certificate:
#   fullchain.pem holds the server certificate followed by the Let's Encrypt
#   intermediate. Apache 2.4.8 and later read the whole chain from
#   SSLCertificateFile; older builds (the stock httpd on CentOS 6/7) use only
#   the first certificate, so if the SSL Labs test reports an incomplete chain
#   add: SSLCertificateChainFile /etc/letsencrypt/live/linuxmysql.com/chain.pem
SSLCertificateFile /etc/letsencrypt/live/linuxmysql.com/fullchain.pem

#   Server Private Key:
#   privkey.pem is unencrypted, so httpd starts without a passphrase prompt.
#   Keep it readable by root only.
SSLCertificateKeyFile /etc/letsencrypt/live/linuxmysql.com/privkey.pem

Save and restart Apache (a "service httpd reload" is enough to pick up a new certificate and does not drop open connections):
service httpd restart

The site can now be reached at https://www.linuxmysql.com. Run the SSL Labs test linked in the output above to confirm that the chain is complete and the certificate covers both names.

Jiangxi Shuku Information Technology Co., Ltd.
YWSOS.COM platform managed-operations solutions