Deploying Apache with a free Let's Encrypt SSL certificate on CentOS 7

January 14, 2021 • Read: 221 • Notes


1.1 Install EPEL

yum install epel-release

1.2 Install the packages

yum install httpd mod_ssl certbot-apache

1.3 Configure Apache

# In the Apache configuration file httpd.conf:
Listen 80

<VirtualHost *:80>
    ServerAlias xxx
    DocumentRoot /var/www/html
</VirtualHost>

When certbot requests a free certificate for a domain it uses port 80 by default. If nothing listens on port 80 the error below is reported; edit httpd.conf, add the port-80 virtual host, and restart Apache.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

2. Install the free Let's Encrypt SSL certificate


2.1 Install the certificate

# Certificate for a single domain
certbot --apache -d
# To cover several domains, append another -d followed by the domain
certbot --apache -d -d

Next you are asked for the e-mail address that should receive notifications and so on; answer y. If no port-80 virtual host exists, the error from step 1.3 appears and httpd.conf has to be edited.


 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ Your cert
   will expire on 2016-04-21. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you lose your account credentials, you can recover through
   e-mails sent to
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

The generated certificate files are stored under the /etc/letsencrypt/live directory.

3. Configure Apache SSL

3.1 Edit the ssl.conf file

# ssl.conf is shipped by mod_ssl (already installed in step 1.2); the yum line is a no-op if it is present
vi /etc/httpd/conf.d/ssl.conf
yum install -y mod_ssl

3.2 Find the two parameters SSLProtocol and SSLCipherSuite and delete or comment them out

# SSLProtocol all -SSLv2

3.3 Next, add the following block outside the VirtualHost section; note that SSLSessionTickets is left commented out


# Begin copied text
# from
# and

SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off
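To verify that an ssl.conf actually carries the settings above, here is a small lint added to this post (not the author's code). It runs the checks over two constructed fragments: the stock directives removed in 3.2 and the hardened block from 3.3. It assumes only POSIX sh, grep and a writable /tmp.

```sh
#!/bin/sh
# Added example, not from the original post: lint the mod_ssl directives
# that section 3.3 sets, over two constructed ssl.conf fragments. Assumes
# only POSIX sh, grep and a writable /tmp (mktemp).

# Report each weak or missing directive on stderr; print the finding count.
audit_ssl_conf() {
    n=0
    # Only effective directives count: drop comment and blank lines first.
    eff=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || true)
    has() { printf '%s\n' "$eff" | grep -qiE "$1"; }
    has 'SSLProtocol.*-SSLv3' || { echo "SSLProtocol leaves SSLv3 enabled (POODLE)" >&2; n=$((n+1)); }
    has 'SSLHonorCipherOrder[[:space:]]+On' || { echo "SSLHonorCipherOrder is not On" >&2; n=$((n+1)); }
    has 'SSLCompression[[:space:]]+off' || { echo "SSLCompression is not off (CRIME)" >&2; n=$((n+1)); }
    has 'Strict-Transport-Security' || { echo "no Strict-Transport-Security header" >&2; n=$((n+1)); }
    has 'SSLUseStapling[[:space:]]+on' && has 'SSLStaplingCache' \
        || { echo "OCSP stapling not enabled" >&2; n=$((n+1)); }
    # An active SSLSessionTickets line fails on httpd 2.4.6 (CentOS 7); the post keeps it commented.
    has 'SSLSessionTickets' && { echo "SSLSessionTickets needs httpd >= 2.4.11" >&2; n=$((n+1)); }
    echo "$n"
}

TMP=$(mktemp -d)
# Constructed sample: the stock directives the post tells you to remove in 3.2.
cat > "$TMP/default.conf" <<'EOF'
Listen 443 https
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
EOF
# Constructed sample: the hardened block from 3.3, SSLSessionTickets commented out.
cat > "$TMP/hardened.conf" <<'EOF'
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# SSLSessionTickets Off
EOF

echo "default.conf:  $(audit_ssl_conf "$TMP/default.conf") finding(s)"    # 5
echo "hardened.conf: $(audit_ssl_conf "$TMP/hardened.conf") finding(s)"   # 0
```

Point it at the real file with `audit_ssl_conf /etc/httpd/conf.d/ssl.conf` after editing; a count of 0 means every directive from 3.3 is active.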

3.4 After saving and exiting, check that the syntax is correct

apachectl configtest

3.5 If you get the message Syntax OK the configuration is correct; now restart Apache

systemctl restart httpd.service


4. Renewing the certificate

# Manual renewal
certbot renew

# Automatic renewal: open the crontab editor and add the line below
crontab -e
30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log

4.1 Save and exit. The system will now run the renewal command certbot renew automatically every day at 2:30 AM, and the result is logged to /var/log/le-renew.log.

Last Modified: January 16, 2021