Installing a Let's Encrypt SSL certificate
Let's Encrypt issues free SSL certificates; each certificate is valid for only three months.
Let's Encrypt installation steps
- git clone https://github.com/letsencrypt/letsencrypt
- cd letsencrypt
- ./letsencrypt-auto (requires sudo privileges.)
Requesting root privileges to run letsencrypt...
/root/.local/share/letsencrypt/bin/letsencrypt

Which names would you like to activate HTTPS for? (shown if you have more than one site)
  [*] xoops.lnes.tp.edu.tw
  [*] moodle.lnes.tp.edu.tw
  [*] owncloud.lnes.tp.edu.tw
  < OK > <Cancel>

Please choose whether HTTPS access is required or optional.
  Easy    Allow both HTTP and HTTPS access to these sites   (if both encrypted and unencrypted access should keep working)
  Secure  Make all requests redirect to secure HTTPS access (encrypt everything)
  < OK > <Cancel>

Congratulations! You have successfully enabled
https://xoops.lnes.tp.edu.tw, https://moodle.lnes.tp.edu.tw, and
https://owncloud.lnes.tp.edu.tw

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=xoops.lnes.tp.edu.tw
https://www.ssllabs.com/ssltest/analyze.html?d=moodle.lnes.tp.edu.tw
https://www.ssllabs.com/ssltest/analyze.html?d=owncloud.lnes.tp.edu.tw
  < OK >

Enter email address (used for urgent notices and lost key recovery)
wwh@cc.lnes.tp.edu.tw
  < OK > <Cancel>

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf. You
must agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
  <Agree > <Cancel>
- By default the key and certificate are generated here: /etc/letsencrypt/live/owncloud.lnes.tp.edu.tw/
- The actual key and certificate files are stored in /etc/letsencrypt/archive/$DOMAIN and symlinked (ln) into /etc/letsencrypt/live/$DOMAIN
The generated certificate files are as follows:
- privkey.pem: Private key for the certificate. This is what Apache needs for SSLCertificateKeyFile, and nginx for ssl_certificate_key.
- cert.pem: Server certificate only. This is what Apache needs for SSLCertificateFile.
- chain.pem: All certificates that need to be served by the browser excluding the server certificate, i.e. root and intermediate certificates only. This is what Apache needs for SSLCertificateChainFile.
- fullchain.pem: All certificates, including the server certificate. This is a concatenation of chain.pem and cert.pem. This is what nginx needs for ssl_certificate.
<IfModule mod_ssl.c>
<VirtualHost *:443>
# ....
# Let's encrypt
SSLCertificateFile /etc/letsencrypt/live/owncloud.lnes.tp.edu.tw/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/owncloud.lnes.tp.edu.tw/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/owncloud.lnes.tp.edu.tw/chain.pem
# SSLCACertificateFile is only consulted for client-certificate verification (SSLVerifyClient);
# it is not needed to serve the site over HTTPS.
SSLCACertificateFile /etc/letsencrypt/live/owncloud.lnes.tp.edu.tw/fullchain.pem
# ....
</VirtualHost>
</IfModule>
sudo service apache2 restart
Crontab setup to renew the SSL key automatically every three months
- sudo service apache2 stop
- cd letsencrypt
- ./letsencrypt-auto certonly -t -d DOMAIN -m user@gmail.com --renew-by-default --agree-tos --agree-dev-preview
- sudo service apache2 start
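The four steps above are the renewal procedure, but the post never shows the crontab entry that drives it. The script below is an added example and is not part of the original post or of the letsencrypt client: it wraps the same certonly command in a cron-friendly script that stops Apache, checks how many days are left on each certificate, renews only those with 30 days or fewer remaining (or whose certificate cannot be read), and starts Apache again even if a renewal fails. The clone path /opt/letsencrypt, the placeholder contact address, the log file path and the availability of openssl and GNU date are assumptions; the domain names are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: a cron-driven wrapper around the
# certonly renewal steps above. Assumed values (change to match your host):
#   LE_DIR   - where the letsencrypt repository was cloned
#   EMAIL    - placeholder contact address for the ACME account
#   DOMAINS  - the hostnames to renew, one certificate each
set -u

LE_DIR="${LE_DIR:-/opt/letsencrypt}"
EMAIL="${EMAIL:-webmaster@example.invalid}"
DOMAINS="${DOMAINS:-xoops.lnes.tp.edu.tw moodle.lnes.tp.edu.tw owncloud.lnes.tp.edu.tw}"
RENEW_WHEN_DAYS_LEFT=30   # renew well inside the 90-day lifetime
LOG="${LOG:-/var/log/letsencrypt-renew.log}"

# Returns 0 (true) when a certificate with $1 days left should be renewed
# given a threshold of $2 days. Renewing early is harmless, a missed renewal
# means an expired certificate, so the comparison is inclusive, and an
# unreadable certificate (reported as -1 days) is always renewed.
needs_renewal() {
    days_left="$1"; threshold="$2"
    [ "$days_left" -le "$threshold" ]
}

# Prints the number of days until the certificate in PEM file $1 expires,
# or -1 if the file is missing or cannot be parsed. Uses openssl and GNU date,
# both assumed to be present on the web server.
days_until_expiry() {
    pem="$1"
    [ -r "$pem" ] || { printf '%s\n' -1; return; }
    end=$(openssl x509 -noout -enddate -in "$pem" 2>/dev/null | cut -d= -f2)
    [ -n "$end" ] || { printf '%s\n' -1; return; }
    end_epoch=$(date -d "$end" +%s 2>/dev/null) || { printf '%s\n' -1; return; }
    now=$(date +%s)
    printf '%s\n' $(( (end_epoch - now) / 86400 ))
}

# Builds the exact certonly command the post uses, for domain $1 and contact
# address $2, as one string so it can be written to the log before it runs.
build_renew_cmd() {
    printf '%s/letsencrypt-auto certonly -t -d %s -m %s --renew-by-default --agree-tos --agree-dev-preview' \
        "$LE_DIR" "$1" "$2"
}

# Stop Apache so the standalone authenticator can bind port 80, renew every
# domain whose certificate is close to expiry, then start Apache again.
# Apache is started even when a renewal fails, so a bad run never leaves
# the sites down; the failure is recorded in the log instead.
renew_all() {
    sudo service apache2 stop
    for d in $DOMAINS; do
        left=$(days_until_expiry "/etc/letsencrypt/live/$d/cert.pem")
        if needs_renewal "$left" "$RENEW_WHEN_DAYS_LEFT"; then
            cmd=$(build_renew_cmd "$d" "$EMAIL")
            echo "$(date -Is) renewing $d ($left days left): $cmd" >>"$LOG"
            sh -c "$cmd" >>"$LOG" 2>&1 || echo "$(date -Is) renewal FAILED for $d" >>"$LOG"
        else
            echo "$(date -Is) $d still valid for $left days, skipping" >>"$LOG"
        fi
    done
    sudo service apache2 start
}

# The renewal only runs when the script is invoked with "run", for example
# from this crontab line (every Sunday at 03:30); on other invocations the
# functions are merely defined, which keeps the script testable:
#   30 3 * * 0 /usr/local/sbin/le-renew.sh run
if [ "${1:-}" = "run" ]; then
    renew_all
fi
```

Because the script checks the remaining validity itself, the cron schedule can be weekly rather than a hard-coded "every three months": the first run inside the 30-day window renews, earlier runs only log that the certificate is still valid.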