About the certificate authority

Let's Encrypt

A public-benefit authority that issues free SSL certificates, currently hosted by the Linux Foundation.

Let's Encrypt certificates can be requested with Certbot. They are valid for 90 days and can be renewed automatically by Certbot.

Walkthrough

Environment:

  • OS: Debian 10 Buster i686
  • WebServer: Apache 2.4.38

Installing Certbot

sudo apt update
sudo apt install certbot

Requesting a certificate

This step requires root privileges.

sudo certbot certonly

Wait a moment...

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

This is where the site's ownership is verified; put simply, it checks that the site you want to enable SSL for actually belongs to you.

  1. Spin up a temporary web server;

  2. Place files in the site's webroot directory.

Since my web service is deployed locally, I chose 2.

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):

Enter your domain name here; this post uses www.ussr.gov as the example.

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): www.ussr.gov
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.ussr.gov
Input the webroot for www.ussr.gov: (Enter 'c' to cancel):

Enter the site's root directory here. Apache2's default webroot is /var/www/html.

Waiting for verification...

You will then see this message; after a short wait the result comes back.

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.ussr.gov/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.ussr.gov/privkey.pem
Your cert will expire on 2018-01-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

If you see a message like this, the certificate was issued successfully.

Remember these two paths:

  • chain: /etc/letsencrypt/live/www.ussr.gov/fullchain.pem
  • key: /etc/letsencrypt/live/www.ussr.gov/privkey.pem

Configuring the service

If you are using nginx, refer to the post "nginx添加ssl证书升级为https(免费证书)" (adding an SSL certificate to nginx to upgrade to HTTPS with a free certificate).

You can go straight to its second part, since you already have the certificate.

The following assumes Debian's flavour of apache2; other OSes are broadly similar.

First, enable Apache2's SSL site configuration file.

cd /etc/apache2
ln -s sites-available/default-ssl.conf sites-enabled/000-default-ssl.conf

Then edit 000-default-ssl.conf under sites-enabled.

# The comments from the original config file are omitted below
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin stalin@ussr.gov

        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # SSLEngine must be on
        SSLEngine on

        # The lines below are what needs changing
        #
        # SSLCertificateFile    certificate file (/etc/letsencrypt/live/www.ussr.gov/fullchain.pem)
        # SSLCertificateKeyFile private key file (/etc/letsencrypt/live/www.ussr.gov/privkey.pem)
        SSLCertificateFile /etc/letsencrypt/live/www.ussr.gov/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.ussr.gov/privkey.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            #Header set Access-Control-Allow-Methods "www.wssr.gov"
            SSLOptions +StdEnvVars
        </Directory>

    </VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Once edited, enable Apache2's SSL module and restart Apache.

sudo a2enmod ssl
sudo systemctl restart apache2

If all goes well, the site is now reachable over https.
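Because the certificate only lasts 90 days and Apache keeps using whatever files it loaded at startup, it is worth checking the files under /etc/letsencrypt/live after issuance and after each renewal. The script below is an added example, not part of the original post; it assumes openssl is installed and uses the post's example domain as the default directory (override with CERT_DIR).

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the files
# certbot wrote. Assumes openssl is available; the path defaults to the
# post's example domain.

CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/www.ussr.gov}"

# 0 if the certificate in $1 stays valid for at least $2 more days.
# Let's Encrypt certificates last 90 days, so warn well before that.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 if the private key in $2 belongs to the certificate in $1: both sides
# are exported as SubjectPublicKeyInfo PEM and compared textually.
cert_matches_key() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# 0 if the private key file is readable by its owner only (mode 600 or 400).
# -L follows the symlink that certbot places in the live directory.
key_perms_strict() {
    mode=$(stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Runs all three checks on a live directory; returns 0 only if all pass.
check_live_cert() {
    dir=$1; rc=0
    cert_valid_for_days "$dir/fullchain.pem" 30 \
        || { echo "WARN: certificate expires within 30 days, run: certbot renew"; rc=1; }
    cert_matches_key "$dir/fullchain.pem" "$dir/privkey.pem" \
        || { echo "FAIL: privkey.pem does not match fullchain.pem"; rc=1; }
    key_perms_strict "$dir/privkey.pem" \
        || { echo "FAIL: privkey.pem is readable by group or other"; rc=1; }
    return $rc
}

# Usage: sudo sh ssl-check.sh --check   (after 'certbot certonly' or 'certbot renew')
if [ "${1:-}" = "--check" ]; then
    check_live_cert "$CERT_DIR"
fi
```

Since the certificate was obtained with certonly and no installer, Apache is not reloaded after a renewal on its own; running certbot renew with --deploy-hook "systemctl reload apache2" takes care of that.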

(End)
