Using Let's Encrypt Certificates

Date: 2017-12-29 Updated: 2018-02-07 Category: geeks

Configuring an Apache server to use HTTPS (SSL). Requirement: administrative access to the VPS.

Create the virtual hosts

Create a virtual host on port 80 for each domain and make sure it can be reached over plain HTTP.

Install certbot, the automatic certificate setup tool

The backports repository must be configured first; see Debian Backports ›› Instructions.

sudo apt-get install python-certbot-apache -t stretch-backports

Issue certificates for each domain

sudo certbot certonly --webroot \
-w /home/www-data/web/www/ -d 2uu.top -d www.2uu.top \
-w /home/www-data/web/api/ -d api.2uu.top \
-w /home/www-data/web/file/ -d file.2uu.top \
-w /home/www-data/web/demo/ -d demo.2uu.top \
-w /home/www-data/web/test/ -d test.2uu.top

The -w parameter takes a web root and -d takes a domain name; each -d domain is validated from the web root given by the -w that precedes it.

Output shown on success

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 2uu.top
http-01 challenge for www.2uu.top
http-01 challenge for api.2uu.top
http-01 challenge for file.2uu.top
http-01 challenge for demo.2uu.top
http-01 challenge for test.2uu.top
Using the webroot path /home/www-data/webdata/test for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/2uu.top/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/2uu.top/privkey.pem
Your cert will expire on 2018-03-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Public key (certificate chain): /etc/letsencrypt/live/2uu.top/fullchain.pem

Private key: /etc/letsencrypt/live/2uu.top/privkey.pem

Create the SSL virtual hosts and redirect HTTP to HTTPS

The alias module must be enabled (RedirectMatch is provided by mod_alias).

# Apex domain over plain HTTP: send everything to HTTPS
<VirtualHost *:80>
    ServerName 2uu.top
    RedirectMatch 301 ^(.*)$ https://2uu.top$1
</VirtualHost>
# Apex domain over TLS: terminate TLS, then send visitors to the www host.
# The target must stay https://; redirecting to http://www.2uu.top would push
# the browser through a plaintext hop before the www host upgrades it again.
<VirtualHost *:443>
    ServerName 2uu.top
    RedirectMatch 301 ^(.*)$ https://www.2uu.top$1
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/2uu.top/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/2uu.top/privkey.pem
</VirtualHost>

# www host over plain HTTP: send everything to HTTPS
<VirtualHost *:80>
    ServerName www.2uu.top
    RedirectMatch 301 ^(.*)$ https://www.2uu.top$1
</VirtualHost>
# www host over TLS: serve the site from its web root
<VirtualHost *:443>
    DocumentRoot /home/www-data/web/www
    ServerName www.2uu.top
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/2uu.top/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/2uu.top/privkey.pem
</VirtualHost>
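As an added example (not from the original post), a small Python lint over a constructed vhost file modelled on the layout above: it flags a port-80 vhost that does not redirect to https, a port-443 vhost missing SSLEngine or its certificate files, and an https vhost whose redirect drops back to plain http://, which would route the browser through a plaintext hop before the www vhost upgrades it again. The domain names and paths in the sample are constructed.

```python
import re
# Constructed sample, not the page's own configuration: the page's layout (apex
# redirected to www, http redirected to https) with the second hop dropping to http.
SAMPLE_CONF = """
<VirtualHost *:80>
ServerName example.test
RedirectMatch 301 ^(.*)$ https://example.test$1
</VirtualHost>
<VirtualHost *:443>
ServerName example.test
RedirectMatch 301 ^(.*)$ http://www.example.test$1
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.test/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.test/privkey.pem
</VirtualHost>
<VirtualHost *:80>
ServerName www.example.test
RedirectMatch 301 ^(.*)$ https://www.example.test$1
</VirtualHost>
<VirtualHost *:443>
ServerName www.example.test
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.test/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.test/privkey.pem
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+\*:(\d+)>(.*?)</VirtualHost>", re.S)

def lint_vhosts(conf):
    """Return (ServerName, problem) pairs; redirect target = last RedirectMatch token."""
    findings = []
    for port, body in VHOST_RE.findall(conf):
        directives = {}
        for line in filter(None, map(str.strip, body.splitlines())):
            key, _, val = line.partition(" ")
            directives.setdefault(key, []).append(val.strip())
        name = directives.get("ServerName", ["?"])[0]
        targets = [r.split()[-1] for r in directives.get("RedirectMatch", [])]
        if port == "80" and not any(t.startswith("https://") for t in targets):
            findings.append((name, "port 80 vhost does not redirect to https"))
        if port == "443":
            for d in ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile"):
                if d not in directives:
                    findings.append((name, f"port 443 vhost missing {d}"))
            for t in targets:
                if t.startswith("http://"):
                    findings.append((name, f"https vhost redirects to plaintext {t}"))
    return findings

if __name__ == "__main__":
    for name, problem in lint_vhosts(SAMPLE_CONF):
        print(f"{name}: {problem}")
```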

Other ACME clients

Certbot is the ACME client officially recommended by Let's Encrypt; used as described above, it proves ownership of the domain through HTTP validation. However, I have found a more powerful and easier-to-use community-maintained ACME client, acme.sh. It uses DNS provider APIs and supports automatic DNS validation. The acme.sh documentation is very thorough: acme.sh README

References