- An accidental discovery
Yesterday I happened to see that Google, Apple, Mozilla and others are going to block certificates from the Chinese CA WoSign, as well as certificates issued by StartSSL, which WoSign had acquired. As it happens, every certificate my blog uses was issued by one of these two, so I went online to look for other free certificates.
- Installing the software
The system was already installed, but the default repositories do not carry certbot, so epel-release has to be installed first:
sudo yum install epel-release && sudo yum update
Install the Let's Encrypt client:
sudo yum install python-certbot-apache
- Generating a key for the site
I had already set up the HTTPS site https://mxawei.cn,
so I could run the following directly:
sudo certbot --apache -d mxawei.cn
I am not sure whether it was network latency or something else, but after a while a prompt appears asking for an Email address; enter your own Email, click OK and continue to the next step. After another wait a dialog asks how HTTPS access should be handled, with two options: easy and secure. I chose secure and clicked continue. After a further wait it was done.

certbot automatically replaced the certificate in my original VirtualHost, but with the previous default VirtualHost settings an SSL testing site gave a score of only F. So I replaced the corresponding parameters in the VirtualHost with those from the /etc/letsencrypt/options-ssl-apache.conf file generated by certbot, restarted the httpd service and tested again: score A+.

The modified virtualhost.conf:
<VirtualHost *:443>
    ServerAdmin awei@mxawei.cn
    ServerName mxawei.cn
    DocumentRoot /home/data/www/html/blog/output
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>
    SSLCertificateFile /etc/letsencrypt/live/mxawei.cn/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mxawei.cn/privkey.pem
    <Directory "/home/data/www/html/blog/">
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog /var/log/httpd/mxawei.cn/logs/error.log
    CustomLog /var/log/httpd/mxawei.cn/logs/access.log combined
    SSLCertificateChainFile /etc/letsencrypt/live/mxawei.cn/chain.pem
</VirtualHost>
If you have several sites, you can run:
sudo certbot --apache -d example.com -d www.example.com
- Renewing certificates automatically
Manual renewal:
sudo certbot renew
Automatic renewal: run a renewal every 2 months at 02:30, then restart the httpd service.
30 2 * */2 * /usr/bin/certbot renew >> /var/log/letsencrypt/le-renew.log && /usr/bin/systemctl restart httpd
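As an added example (not part of the original post): a small shell script that reports how many days a certificate has left and whether it is inside certbot's default renewal window (30 days before expiry), which is the only time `certbot renew` in the cron job above actually does anything, so the schedule can be sanity-checked. It builds a throwaway self-signed 90-day certificate in place of /etc/letsencrypt/live/mxawei.cn/cert.pem and assumes openssl and GNU date are available.

```shell
#!/bin/bash
# Added example: check a certificate's remaining lifetime against certbot's
# renewal window. Requires openssl and GNU date (both present on CentOS 7).

# days_until_expiry <cert.pem>: print whole days until the certificate's notAfter.
days_until_expiry() {
  local not_after exp_epoch now_epoch
  not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  exp_epoch=$(date -d "$not_after" +%s)
  now_epoch=$(date +%s)
  echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# renewal_status <cert.pem> [window_days]: classify the certificate.
#   expired   - notAfter is already in the past
#   renew-due - inside the renewal window, so "certbot renew" would act
#   ok        - outside the window, so "certbot renew" is a no-op
renewal_status() {
  local days window=${2:-30}
  days=$(days_until_expiry "$1")
  if [ "$days" -lt 0 ]; then
    echo expired
  elif [ "$days" -le "$window" ]; then
    echo renew-due
  else
    echo ok
  fi
}

# Constructed sample: a throwaway self-signed certificate valid for 90 days,
# the same lifetime Let's Encrypt issues, standing in for the real
# /etc/letsencrypt/live/mxawei.cn/cert.pem. Replace SAMPLE_CERT with that
# path to check the live certificate.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CERT="$SAMPLE_DIR/cert.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj '/CN=example.test' \
  -keyout "$SAMPLE_DIR/privkey.pem" -out "$SAMPLE_CERT" 2>/dev/null

echo "$SAMPLE_CERT: $(days_until_expiry "$SAMPLE_CERT") days left, status $(renewal_status "$SAMPLE_CERT")"
```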
SSL testing site: QUALYS SSL LABS
Reference documentation: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7