encrypt

  • An accidental discovery

Yesterday I happened to see that Google, Apple, Mozilla and others are going to block certificates from the domestic CA WoSign, as well as certificates issued by StartSSL, which WoSign acquired. As it happens, all the certificates my blog uses were issued by those two, so I searched online: what other free certificates are there?

I found Let's Encrypt.

  • Installing the program

The OS is already installed. The default repositories do not include certbot, so epel-release has to be installed first:

sudo yum install epel-release && sudo yum update

Install the Let's Encrypt client:

sudo yum install python-certbot-apache

  • Generating a key for the site

I had already set up the HTTPS site https://mxawei.cn,

so I could run it directly:

sudo certbot --apache -d mxawei.cn

I don't know whether it was network latency or something else, but you have to wait a while. Then a prompt appears asking for an email address; enter your email, click OK, and continue to the next step. After another wait, a prompt appears asking how HTTPS should be served, with two options: easy and secure. I chose secure and clicked continue. After a short wait it was done.

(screenshot: certbot.png)

certbot automatically replaced the certificate in my original virtualhost, but with the previous default virtualhost settings the SSL test site gave a score of only F. So I replaced the corresponding parameters in the virtualhost with those from the /etc/letsencrypt/options-ssl-apache.conf file that certbot generates, restarted the httpd service and tested again: the score was A+.

(screenshot: ssllabs.png)

The modified virtualhost.conf:

<VirtualHost *:443>
    ServerAdmin awei@mxawei.cn
    ServerName mxawei.cn
    DocumentRoot /home/data/www/html/blog/output
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>

    SSLCertificateFile /etc/letsencrypt/live/mxawei.cn/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mxawei.cn/privkey.pem
    <Directory "/home/data/www/html/blog/">
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog /var/log/httpd/mxawei.cn/logs/error.log
    CustomLog /var/log/httpd/mxawei.cn/logs/access.log combined
    SSLCertificateChainFile /etc/letsencrypt/live/mxawei.cn/chain.pem
</VirtualHost>
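As an added check (example code, not from the post): a small audit of a <VirtualHost> block for the settings that moved this site from F to A+, run against a constructed bare default vhost and a shortened copy of the hardened one above. The two samples, the six-month HSTS threshold and the list of excluded cipher keywords are assumptions.

```python
import re
# Constructed sample (assumption): a bare default vhost like the one that scored F.
DEFAULT_VHOST = """<VirtualHost *:443>
    SSLCertificateFile /etc/letsencrypt/live/mxawei.cn/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mxawei.cn/privkey.pem
</VirtualHost>"""

# Constructed sample: the post's hardened vhost with the cipher list shortened.
HARDENED_VHOST = """<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    SSLCertificateFile /etc/letsencrypt/live/mxawei.cn/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mxawei.cn/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mxawei.cn/chain.pem
</VirtualHost>"""


def directives(vhost_text):
    """Map each directive name to its argument string; <container> lines are skipped."""
    out = {}
    for line in vhost_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            parts = line.split(None, 1)
            out[parts[0]] = parts[1] if len(parts) > 1 else ""
    return out


def audit_vhost(vhost_text):
    """Return the findings for one <VirtualHost>; an empty list means it passes."""
    d, findings = directives(vhost_text), []
    proto = d.get("SSLProtocol", "all").split()  # mod_ssl's default is 'all'
    enabled = {p.lstrip("+") for p in proto if not p.startswith("-")}
    disabled = {p[1:] for p in proto if p.startswith("-")}
    for legacy in ("SSLv2", "SSLv3"):
        if (legacy in enabled or "all" in enabled) and legacy not in disabled:
            findings.append(f"SSLProtocol still allows {legacy}")
    ciphers = d.get("SSLCipherSuite", "").split(":")
    for weak in ("aNULL", "eNULL", "EXPORT", "RC4", "MD5"):
        if "!" + weak not in ciphers:
            findings.append(f"SSLCipherSuite does not exclude {weak}")
    hsts = re.search(r'Strict-Transport-Security\s+"([^"]*)"', vhost_text)
    age = re.search(r"max-age=(\d+)", hsts.group(1)) if hsts else None
    # Six months (15768000 s) is the max-age the post's header uses (assumption as threshold)
    if not age or int(age.group(1)) < 15768000 or "includeSubDomains" not in hsts.group(1):
        findings.append("HSTS header missing, max-age under six months, or without includeSubDomains")
    for needed in ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile"):
        if needed not in d:
            findings.append(f"{needed} is not set")
    return findings
```

Running audit_vhost on the full config from the post gives the same empty result as on the shortened copy, because the checks look only at the directives named above.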

If there are multiple sites, you can run:

sudo certbot --apache -d example.com -d www.example.com

  • Automatic certificate renewal

Manual renewal:

sudo certbot renew

Automatic renewal: a cron entry that runs the renewal at 2:30 in every second month, then restarts the httpd service.

# The day-of-month field is '*', so this fires at 02:30 every day of every second month (Jan, Mar, May, ...).
# 'certbot renew' only replaces certificates within 30 days of expiry, but httpd is restarted on every run.
30 2 * */2 * /usr/bin/certbot renew >> /var/log/letsencrypt/le-renew.log && /usr/bin/systemctl restart httpd

SSL test site: Qualys SSL Labs

Reference: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7
