
Deploying a free Let's Encrypt SSL certificate with Apache on CentOS 7

January 14, 2021 • Notes

1. Install the environment

1.1 Install epel

yum install epel-release

1.2 Install the packages

yum install httpd mod_ssl certbot-apache

1.3 Configure Apache

# In the Apache configuration file httpd.conf:
Listen 80

<VirtualHost *:80>
    ServerAdmin xxx@xxx.example.com
    ServerName  www.xxxt.com
    ServerAlias xxx
    DocumentRoot /var/www/html
</VirtualHost>

When certbot requests a free certificate for a domain, it uses port 80 by default. If no virtual host is listening on port 80, it fails with the error below; edit httpd.conf to add the port-80 virtual host and restart Apache.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): www.test.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.test.com
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

2. Install the free Let's Encrypt SSL certificate

# Apache must already be running, and ports 80 and 443 must be open

2.1 Install the certificate

# Certificate for a single domain
certbot --apache -d www.example.com
# To cover several domains with one certificate, append another -d <domain> for each
certbot --apache -d xxx.example.com -d xxx.example.com

Next you will be asked for an email address to receive notifications and so on; answer y. If there is no port-80 virtual host, you will get the error from step 1.3 and need to edit httpd.conf.

After a successful installation you will see:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert
   will expire on 2016-04-21. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you lose your account credentials, you can recover through
   e-mails sent to user@example.com.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The generated certificate files are stored under the /etc/letsencrypt/live directory.

3. Configure Apache SSL

3.1 Edit the ssl.conf file

vi /etc/httpd/conf.d/ssl.conf
## If this file does not exist, the mod_ssl.so module is missing and must be installed manually
yum install -y mod_ssl

3.2 Find the two parameters SSLProtocol and SSLCipherSuite and delete or comment them out

# SSLProtocol all -SSLv2
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

3.3 Next, add the following block outside the VirtualHost section. Note that SSLSessionTickets must stay commented out (it requires Apache >= 2.4.11).

</VirtualHost>


# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off

3.4 Save and exit, then check that the syntax is correct

apachectl configtest

3.5 If you get the message Syntax OK, the configuration is correct; now restart Apache

systemctl restart httpd.service
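The following shell script is an added example, not part of the original post, that pre-checks two of the conditions above before running certbot: that httpd.conf declares a port-80 VirtualHost (step 1.3, the cause of the "Unable to find a virtual host listening on port 80" error) and that ssl.conf no longer sets SSLProtocol or SSLCipherSuite (step 3.2). The config paths are taken as arguments and the sample configs it writes are constructed.

```shell
#!/bin/sh
# Pre-flight checks for two steps of the procedure above (added example,
# not from the post): step 1.3 needs a VirtualHost listening on port 80 in
# httpd.conf or certbot aborts; step 3.2 needs SSLProtocol/SSLCipherSuite
# removed from ssl.conf before the hardened block is added.
# Config paths are passed as arguments; the samples below are constructed.
# Exit status 0 when the file has "Listen 80" and a <VirtualHost ...:80> block.
has_port80_vhost() {
    grep -Eq '^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?80[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*<VirtualHost[[:space:]]+[^>]*:80[[:space:]]*>' "$1"
}

# Prints the name of each uncommented SSLProtocol / SSLCipherSuite directive
# still present in the file (one per line); prints nothing once step 3.2 is done.
active_ssl_directives() {
    grep -E '^[[:space:]]*(SSLProtocol|SSLCipherSuite)[[:space:]]' "$1" |
        awk '{ print $1 }' | sort -u
}

# Writes constructed sample configs into the directory given as $1.
write_samples() {
    cat > "$1/httpd-ok.conf" <<'EOF'
Listen 80
<VirtualHost *:80>
    ServerName www.example.com
</VirtualHost>
EOF
    cat > "$1/httpd-missing.conf" <<'EOF'
Listen 8080
<VirtualHost *:8080>
    ServerName www.example.com
</VirtualHost>
EOF
    cat > "$1/ssl-unclean.conf" <<'EOF'
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
EOF
    cat > "$1/ssl-clean.conf" <<'EOF'
# SSLProtocol all -SSLv2
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
EOF
}

# Stand-alone run over the constructed samples.
dir=$(mktemp -d)
write_samples "$dir"
has_port80_vhost "$dir/httpd-ok.conf" && echo "httpd-ok.conf: port 80 vhost found"
has_port80_vhost "$dir/httpd-missing.conf" || echo "httpd-missing.conf: no port 80 vhost, certbot would fail"
echo "ssl-unclean.conf still sets: $(active_ssl_directives "$dir/ssl-unclean.conf" | tr '\n' ' ')"
```

Point the two functions at /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/ssl.conf to check a real host before running certbot.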

4. Certificate renewal

# Manual renewal
certbot renew

###### Automatic renewal ######
crontab -e
# Add the following line (note: it must be on a single line)
30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log

4.1 Save and exit. The system will then run the renewal command certbot renew automatically every day at 2:30 AM, and its output is recorded in /var/log/le-renew.log.

Last Modified: January 16, 2021