Configuring an Apache server to serve HTTPS (SSL/TLS) with Let's Encrypt certificates. Requirement: root (administrative) access to the VPS.

Create virtual hosts

Create a virtual host for each domain on port 80 and make sure every domain is reachable over plain HTTP first. The webroot validation used below depends on it: Let's Encrypt fetches a token from http://<domain>/.well-known/acme-challenge/ on port 80, so that path must be served from the directory you later pass to -w.

Install certbot, the automated certificate tool

On Debian stretch the package only exists in backports, so configure that repository first (see Debian Backports ›› Instructions): add the line "deb http://deb.debian.org/debian stretch-backports main" to your APT sources and run apt-get update, then install with -t stretch-backports:

sudo apt-get install python-certbot-apache -t stretch-backports

Issue certificates for each domain

sudo certbot certonly --webroot \
        -w /var/www/html/www/ -d domain.com -d www.domain.com \
        -w /var/www/html/api/ -d api.domain.com

Each -w names a webroot and applies to the -d domains that follow it, up to the next -w. certbot writes the challenge token under <webroot>/.well-known/acme-challenge/ and Let's Encrypt fetches it over HTTP, so each webroot must be the directory the matching port-80 virtual host actually serves. certonly only obtains the certificate; it does not modify the Apache configuration.

Output shown on success

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for www.domain.com
http-01 challenge for api.domain.com
Using the webroot path /var/www/html/webdata/test for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.com/privkey.pem
   Your cert will expire on 2018-03-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Certificate chain (the server certificate followed by the intermediate; this is the file to give SSLCertificateFile, not a bare public key): /etc/letsencrypt/live/domain.com/fullchain.pem. The files under live/ are symlinks into /etc/letsencrypt/archive/, and certbot renew re-points them in place, so Apache only needs a reload after renewal.

Private key (certbot makes the live/ and archive/ directories root-only; keep them that way): /etc/letsencrypt/live/domain.com/privkey.pem
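Before wiring the files into Apache, it is worth confirming that the certificate actually covers every name you intend to serve and deciding how renewal will be triggered. The script below is an added example, not code from the original post or from certbot: the function names are mine, and SAMPLE_X509 is a constructed fragment of "openssl x509 -noout -text" output (it deliberately omits api.domain.com so the check has something to report). On a live server, feed the functions the real dump of fullchain.pem.

```sh
#!/bin/sh
# Added example: post-issuance checks for a Let's Encrypt certificate.
# Function names are mine (not certbot's); SAMPLE_X509 below is a constructed
# fragment of `openssl x509 -noout -text` output.

# Print the DNS names in the subjectAltName extension of an
# `openssl x509 -noout -text` dump read from stdin (the names sit on the
# line after the extension header).
san_dns_names() {
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# missing_domains DOMAIN... : stdin is the x509 text dump. Prints every
# DOMAIN the certificate does not cover; exit status 1 if any is missing.
missing_domains() {
    have=$(san_dns_names)
    rc=0
    for d in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF -- "$d"; then
            printf '%s\n' "$d"
            rc=1
        fi
    done
    return $rc
}

# cert_expires_within PEM DAYS : exit 0 if PEM expires within DAYS days.
# `openssl x509 -checkend` exits non-zero when the certificate WILL expire
# within the given seconds, so the sense is inverted here.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Constructed sample of the SAN block; api.domain.com is missing on purpose.
SAMPLE_X509='            X509v3 Subject Alternative Name: 
                DNS:domain.com, DNS:www.domain.com'

# Live usage (not run here):
#   openssl x509 -in /etc/letsencrypt/live/domain.com/fullchain.pem -noout -text \
#       | missing_domains domain.com www.domain.com api.domain.com
#   cert_expires_within /etc/letsencrypt/live/domain.com/fullchain.pem 30 && echo "renew soon"
#   certbot renew --dry-run
#   certbot renew --deploy-hook 'systemctl reload apache2'   # reload only when a cert was actually renewed
```

The deploy hook matters: certbot renew replaces the files under live/, but Apache keeps serving the old certificate from memory until it is reloaded. Put the renew command in cron or let the systemd timer that the package installs run it, and keep the hook attached so the reload happens only on an actual renewal.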

Create the SSL virtual hosts and redirect HTTP to HTTPS. Do this only after the certificate exists: Apache refuses to start if an SSLCertificateFile it references is missing.

RedirectMatch comes from mod_alias and SSLEngine from mod_ssl, so both must be enabled (sudo a2enmod ssl alias). On Debian, enabling mod_ssl also activates the Listen 443 entry in ports.conf. Run apachectl configtest and then systemctl reload apache2 after saving the configuration.

<VirtualHost *:80>
    ServerName domain.com
    RedirectMatch 301 ^(.*)$ https://domain.com$1
</VirtualHost>
<VirtualHost *:443>
    ServerName domain.com
    # Send the apex to the www host, but stay on https: redirecting to
    # http://www.domain.com would insert a plaintext hop before the final
    # redirect back to https and defeat the point of the port-80 redirect.
    RedirectMatch 301 ^(.*)$ https://www.domain.com$1
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
</VirtualHost>

<VirtualHost *:80>
    ServerName www.domain.com
    RedirectMatch 301 ^(.*)$ https://www.domain.com$1
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot /var/www/html/www
    ServerName www.domain.com
    SSLEngine on
    # fullchain.pem holds the leaf certificate and the intermediate;
    # Apache 2.4.8+ reads both from SSLCertificateFile.
    SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
</VirtualHost>
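The configuration above is the minimum that works. A hardened version also restricts the TLS protocol versions and sends an HSTS header, and it is worth checking the redirect both in the file and against the live server, because a redirect that lands on http:// is easy to write and hard to notice in a browser. The script below is an added example, not the post's own configuration and not anything shipped by Apache or certbot: the function names and the output path are mine, and it assumes Apache 2.4 on Debian with mod_ssl, mod_headers and mod_alias enabled (sudo a2enmod ssl headers alias) and certbot's /etc/letsencrypt/live/<name>/ layout.

```sh
#!/bin/sh
# Added example: write a hardened HTTP->HTTPS virtual-host pair for one site
# and check the redirect, both statically and against a live response.
# Assumptions (mine, not the post's): Apache 2.4 on Debian with
#   sudo a2enmod ssl headers alias
# already run, and certbot's /etc/letsencrypt/live/<name>/ layout.

# write_ssl_vhost OUTFILE SERVERNAME DOCROOT CERTDIR
write_ssl_vhost() {
    out=$1 name=$2 docroot=$3 certdir=$4
    cat > "$out" <<EOF
<VirtualHost *:80>
    ServerName $name
    # Everything on port 80 goes straight to the same host over TLS.
    # Let's Encrypt follows this redirect, so http-01 renewals keep working.
    Redirect permanent / https://$name/
</VirtualHost>

<VirtualHost *:443>
    ServerName $name
    DocumentRoot $docroot
    SSLEngine on
    SSLCertificateFile $certdir/fullchain.pem
    SSLCertificateKeyFile $certdir/privkey.pem
    # TLS 1.2+ only, server-chosen cipher order, no TLS compression.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCompression off
    # HSTS: browsers remember to use TLS for this host. Start with a small
    # max-age until every subdomain is confirmed to work over HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
EOF
}

# Static check: fail if any Redirect/RedirectMatch in FILE targets plain
# http:// (the downgrade hop the original apex vhost had).
check_no_plaintext_redirect() {
    ! grep -Ei '^[[:space:]]*Redirect(Match)?[[:space:]].*[[:space:]]http://' "$1"
}

# Live check: check_https_redirect EXPECTED_URL < headers
# Reads raw response headers (e.g. from `curl -sI http://$name/login`) and
# succeeds only for a 301/308 whose Location is exactly EXPECTED_URL.
check_https_redirect() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    loc=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        301|308) ;;
        *) echo "expected 301/308, got '$status'" >&2; return 1 ;;
    esac
    case "$loc" in
        "$1")     return 0 ;;
        http://*) echo "downgrade: redirected to plaintext $loc" >&2; return 1 ;;
        *)        echo "unexpected Location '$loc'" >&2; return 1 ;;
    esac
}

# Usage on the server (not run here):
#   write_ssl_vhost /etc/apache2/sites-available/www.domain.com.conf \
#       www.domain.com /var/www/html/www /etc/letsencrypt/live/domain.com
#   check_no_plaintext_redirect /etc/apache2/sites-available/www.domain.com.conf
#   sudo a2ensite www.domain.com && sudo apachectl configtest && sudo systemctl reload apache2
#   curl -sI http://www.domain.com/login | check_https_redirect https://www.domain.com/login
```

Run check_no_plaintext_redirect over any site file before a2ensite; on the post's original apex configuration it flags the RedirectMatch that pointed at http://www.domain.com. The live check is the one to keep in a monitoring job, since it also catches a proxy or CDN in front of Apache rewriting the Location header.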

Other ACME clients

Certbot is the ACME client officially recommended by Let's Encrypt; used as above, it proves control of each domain over HTTP (the http-01 challenge). But I found a more powerful and easier-to-use community-maintained ACME client, acme.sh. It drives DNS provider APIs and so can validate automatically through DNS (the dns-01 challenge), which also works for hosts that are not reachable on port 80 and is required for wildcard certificates. The acme.sh documentation is thorough: acme.sh documentation.
