Php

lamp 配置ssl-certbot 案例

系统是Ubuntu14.04 lamp环境

配置命令地址:

通过ssh 登录服务器

工具软件:putty

安装Certbot

在服务器上运行下面命令,执行安装Certbot

$ wget https://dl.eff.org/certbot-auto
$ sudo mv certbot-auto /usr/local/bin/certbot-auto
$ sudo chown root /usr/local/bin/certbot-auto
$ sudo chmod 0755 /usr/local/bin/certbot-auto

选择运行Certbot的方式,获取并安装证书

自动安装SSL

运行此命令以获取证书并让Certbot自动编辑Apache配置以便为其提供服务,只需一步即可启用HTTPS访问,

命令如下:

sudo /usr/local/bin/certbot-auto --apache

系统自动列举出域名,选择你要配置SSL的域名的编号,以及设置是否强制跳转到ssl(输入数字 1 不跳转),下面是安装过程、

sunyang@127:/etc/apache2/sites-available$ sudo /usr/local/bin/certbot-auto --apache
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
  utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: lollicupcd.com
2: a.lollicupcd.com
3: barry.lollicupcd.com
4: bill.lollicupcd.com
5: mgt1938.lollicupcd.com
6: www.lollicupcd.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 3
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for barry.lollicupcd.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/barry_lollicupstore-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/barry_lollicupstore-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/barry_lollicupstore-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Future versions of Certbot will automatically configure the webserver so that all requests redirect to secure HTTPS access. You can control this behavior and disable this warning with the --redirect and --no-redirect flags.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://barry.lollicupcd.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=barry.lollicupcd.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/barry.lollicupcd.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/barry.lollicupcd.com/privkey.pem
   Your cert will expire on 2020-01-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

然后在浏览器执行 : https://www.ssllabs.com/ssltest/analyze.html?d=mgt1938.lollicupcd.com&latest

系统获取证书,自己手动配置

只需获得证书 ,如果您感觉更加保守并希望手动更改Apache配置,请运行此命令。

$ sudo /usr/local/bin/certbot-auto certonly --apache

设置自动续订 SSL

$ echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew" | sudo tee -a /etc/crontab > /dev/null

本文参考: https://certbot.eff.org/lets-encrypt/ubuntuother-apache

一路走来,有你。

Write A Comment