Ubuntu + Let's Encrypt free SSL certificate + Apache deployment tutorial

This tutorial covers deploying a wildcard SSL certificate on an Apache server. Most of the tutorials online have problems of one kind or another; having worked through the configuration myself, I have summarised the process here for reference.

1. Enable SSL in Apache

sudo a2enmod ssl
sudo a2ensite default-ssl
sudo service apache2 restart

2. Stop Apache

Apache must be stopped while the SSL certificate is being issued, otherwise the process fails.

sudo service apache2 stop

3. Obtain the certificate with certbot-auto

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Let's Encrypt now supports wildcard certificates: a single certificate for *.example.com can be used on any subdomain, such as blog.example.com or bbs.example.com. Note that the wildcard matches exactly one label and does not cover the bare domain example.com itself; if you need both, request both names in the same certbot run (one -d option for each).

certbot-auto certonly -d '*.example.com' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

Replace *.example.com in the command above with your own domain (keep the quotes, so the shell does not expand the asterisk as a file glob). After running the command you may need to wait a moment.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):  # enter your email address here; it is used for security and renewal notices

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A # whether you agree to the terms of service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N # whether to subscribe to the EFF mailing list
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y  # asks whether you accept that this machine's IP address is publicly logged with the request

Next, ownership of the domain is verified by adding a TXT record in your DNS settings:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.dasuda.top with the following value:

Q_qxS0Q_29kZednvsgE0BUL-5ytxLMUOQE0RBRQwAoM

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Note:
– _acme-challenge is the host (record name)
– Q_qxS0Q_29kZednvsgE0BUL-5ytxLMUOQE0RBRQwAoM is the record value

For example:

Here is a site I recommend for checking whether the record was added successfully: verification site
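Before pressing Enter it is also worth confirming from the command line that a public resolver already sees the record, since certbot will query public DNS rather than your provider's control panel. The following is an added example and not part of the original post: it assumes dig (from the dnsutils package) is installed, and the domain and value used in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the _acme-challenge
# TXT record certbot asked for is visible on a public resolver before continuing.
# Assumes `dig` (dnsutils) is installed. Domain/value in the usage line are
# constructed placeholders, not the post's real record.

# Normalise `dig +short TXT` output: strip the surrounding quotes and join
# multi-string records ("abc" "def" -> abcdef) so values compare exactly.
normalize_txt_output() {
    sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# txt_record_has VALUE RAW_DIG_OUTPUT -> exit 0 if VALUE is one of the records
txt_record_has() {
    expected="$1"
    raw="$2"
    printf '%s\n' "$raw" | normalize_txt_output | grep -qxF -- "$expected"
}

# check_acme_txt DOMAIN VALUE [RESOLVER]: ask a public resolver directly
# (default 1.1.1.1) rather than the local cache, then compare the value.
check_acme_txt() {
    domain="$1"
    expected="$2"
    resolver="${3:-1.1.1.1}"
    raw=$(dig +short TXT "_acme-challenge.${domain}" "@${resolver}")
    if txt_record_has "$expected" "$raw"; then
        echo "OK: _acme-challenge.${domain} publishes the expected value"
        return 0
    fi
    echo "NOT YET: current TXT records for _acme-challenge.${domain}:" >&2
    printf '%s\n' "$raw" | normalize_txt_output >&2
    return 1
}

# usage: sh check_txt.sh example.com Q_qxS0Q_29kZednvsgE0BUL-5ytxLMUOQE0RBRQwAoM
if [ "$#" -ge 2 ]; then
    check_acme_txt "$@"
fi
```

If the check prints NOT YET, wait and rerun it; only press Enter in the certbot prompt once it reports OK, otherwise the dns-01 challenge fails and you have to start the request again.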

Then press Enter to verify the domain. The following output appears:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/dasuda.top/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/dasuda.top/privkey.pem
   Your cert will expire on 2020-08-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate has now been issued and is stored under /etc/letsencrypt/live/<your domain>/. Do not modify this directory: certbot manages it, and renewal relies on its layout.

4. Configure Apache

cd /etc/apache2/sites-available
sudo vim 000-default-le-ssl.conf

Adjust the following and copy it into the file (Apache does not accept trailing comments on a directive line, so the notes are on their own lines):

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        # change this to your own web root
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # change this to your own domain
        ServerName dasuda.top
        Include /etc/letsencrypt/options-ssl-apache.conf
        # change these two paths to your own domain's directory
        SSLCertificateFile /etc/letsencrypt/live/dasuda.top/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/dasuda.top/privkey.pem
</VirtualHost>
</IfModule>

Then create a symbolic link to enable the site:

cd /etc/apache2/sites-enabled
sudo ln -s /etc/apache2/sites-available/000-default-le-ssl.conf 000-default-le-ssl.conf

Here is my 000-default.conf as well, for reference:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        RewriteEngine on
        RewriteCond %{SERVER_NAME} =www.dasuda.top
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Finally, run:

sudo /etc/init.d/apache2 force-reload # reload the Apache configuration
sudo /etc/init.d/apache2 restart # restart the Apache service

You can now open your domain in a browser and inspect the certificate it serves.
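The same check can be scripted, which is handy both right after the reload (to confirm Apache is really serving the Let's Encrypt certificate and not the default snakeoil one) and later, to see how many of the 90 days are left. This is an added example, not from the original post; it assumes openssl and GNU date are installed, and the host name passed on the command line is yours.

```shell
#!/bin/sh
# Added example (not from the original post): inspect the certificate Apache
# actually serves and compute the days it has left. Assumes openssl and GNU
# date (for `date -d`). HOST is whatever domain you configured in ServerName.

# served_cert_enddate HOST [PORT]: print the "notAfter=..." line for the
# certificate presented for HOST (using SNI, so name-based vhosts work).
served_cert_enddate() {
    host="$1"
    port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

# days_until ENDDATE_LINE [NOW_EPOCH]: turn "notAfter=Aug  5 00:00:00 2020 GMT"
# into whole days remaining relative to NOW_EPOCH (defaults to the current time).
days_until() {
    line="$1"
    now="${2:-$(date -u +%s)}"
    end=$(date -u -d "${line#notAfter=}" +%s) || return 2
    echo $(( (end - now) / 86400 ))
}

# check_cert_days HOST [MIN_DAYS]: exit 0 if the served certificate still has
# at least MIN_DAYS left (default 30, the window in which certbot renews).
check_cert_days() {
    host="$1"
    min="${2:-30}"
    line=$(served_cert_enddate "$host") || return 2
    days=$(days_until "$line") || return 2
    echo "${host}: ${days} days left (expires ${line#notAfter=})"
    [ "$days" -ge "$min" ]
}

# usage: sh check_cert.sh dasuda.top
if [ "$#" -ge 1 ]; then
    check_cert_days "$@"
fi
```

A non-zero exit from check_cert_days is a cheap signal to wire into monitoring: if the cron renewal in the next section silently stops working, this is how you notice before the certificate expires.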

5. Automatic certificate renewal

Update: use the DNS auto-update method below; running the renewal directly reports an error.

Let's Encrypt certificates are currently valid for 90 days, so they have to be renewed every 90 days. Here crontab is used to renew the certificate on a schedule.

crontab -e

Add a new job in crontab. I check once a day at 12:00; if the certificate is not yet due, certbot skips it automatically. Note that cron runs the job from your home directory with a minimal PATH, so the relative ./certbot-auto path only works if certbot-auto is in your home directory; otherwise use its absolute path.

0 12 * * * ./certbot-auto renew --manual --preferred-challenges dns --manual-auth-hook "/script-dir/au.sh php aly add" --manual-cleanup-hook "/script-dir/au.sh php aly clean"

Reload the crontab configuration:

service cron reload
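For readers who do not have a ready-made au.sh, here is the shape such a --manual-auth-hook takes. This is an added example and not the post's au.sh: certbot really does export CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook, but the provider command is assumed to accept the record name and value as its last two arguments (adapt this to your DNS provider's tool), and the public resolver used for the propagation check is an assumption as well.

```shell
#!/bin/sh
# Added example (not the post's au.sh): a --manual-auth-hook for certbot.
# certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION in the hook's environment
# (real variable names). The DNS API call is delegated to a provider command
# given on the command line; it is assumed to take "<record name> <value>" as
# its last two arguments. The hook then waits until a public resolver serves
# the value, so certbot does not check before the record has propagated.

# acme_record_name DOMAIN: the TXT record name certbot validates.
acme_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# wait_for_txt NAME VALUE [TRIES] [SLEEP_SECONDS]: poll 1.1.1.1 (assumption)
# until the TXT record carries VALUE; exit 1 if it never shows up.
wait_for_txt() {
    name="$1"
    value="$2"
    tries="${3:-30}"
    sleep_s="${4:-10}"
    i=1
    while [ "$i" -le "$tries" ]; do
        raw=$(dig +short TXT "$name" @1.1.1.1 2>/dev/null | tr -d '"')
        if printf '%s\n' "$raw" | grep -qxF -- "$value"; then
            return 0
        fi
        sleep "$sleep_s"
        i=$((i + 1))
    done
    echo "timed out waiting for ${name} to publish the validation value" >&2
    return 1
}

# publish_challenge PROVIDER_CMD [ARGS...]: create the record via the provider
# command, then block until it is visible publicly.
publish_challenge() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    value="$CERTBOT_VALIDATION"
    "$@" "$name" "$value" || { echo "provider update failed" >&2; return 1; }
    wait_for_txt "$name" "$value"
}

# Only act when invoked by certbot (CERTBOT_DOMAIN set) with a provider command.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ "$#" -ge 1 ]; then
    publish_challenge "$@"
fi
```

The matching --manual-cleanup-hook is the mirror image: it deletes the same record name and needs no propagation wait. Keeping the provider credentials in the provider tool's own configuration file, readable only by the user that runs the cron job, rather than on the crontab command line, keeps them out of the process list.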

Update:

6. Other

  • Revoke a certificate
./certbot-auto revoke --cert-path /etc/letsencrypt/live/<domain-to-revoke>/cert.pem
