黄氏寻宗

使用let’s encrypt让自己的博客启用https(基于debian7+apache2)

jicky

使用let’s encrypt让自己的博客启用https(基于debian7+apache2)
之前用过starssl的免费ssl证书,现在到期了,因为申请和续期都很麻烦,所以懒得再弄。最近在网上看到去年底,成立了个新机构(from wiki):
Let’s Encrypt 是一个将于2015年末推出的数字证书认证机构,将通过旨在消除当前手动创建和安装证书的复杂过程的自动化流程,为安全网站提供免费的SSL/TLS证书。
一是简单,二是免费,为啥不用呢,于是看了看文档,就开始弄了:
假如你是example.com 的所有者,只要在server端登录,并执行:

Shell

1
2
3
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto certonly –webroot -w /var/www/example -d example.com -d www.example.com

如果之前域名解析正常可以访问的话,会有如下提示:

Vim

1
2
3
4
5
6
7
8
9
10
11
IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at
?? /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
?? expire on 2016-08-29. To obtain a new or tweaked version of this
?? certificate in the future, simply run certbot-auto again. To
?? non-interactively renew *all* of your ceriticates, run
?? “certbot-auto renew”
– If you like Certbot, please consider supporting our work by:
?
?? Donating to ISRG / Let’s Encrypt:?? https://letsencrypt.org/donate
?? Donating to EFF:????????????????????https://eff.org/donate-le

说明证书链和私钥、证书已经产生了。。。
如果失败,则会有类似提示:

Vim

1
2
3
4
5
6
7
8
9
10
Failed authorization procedure. www.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.com/.well-known/acme-challenge/OJvVsXKC4odxeV4darP05x4T7-ymOykX0UT6jqh0rees: “

403 Forbidden

Forbidden


ServerName ip地址,防止直接ip访问

Order Allow,Deny
Deny from all


?
?
?

??
????????Header always set Strict-Transport-Security “max-age=15553000; includeSubDomains; preload”
??
??RewriteEngine on
??RewriteCond %{SERVER_PORT} !^443$
??RewriteRule ^(.*)?$ https://routeragency.com/$1 [L,R]

?
?

??DirectoryIndex index.html index.php
??DocumentRoot /var/www/example.com/public_html/
??ServerName routeragency.com:443
??ServerAlias routeragency.com example.com www.routeragency.com
??SSLEngine On
??SSLProtocol ALL -SSLv2 -SSLv3
??SSLHonorCipherOrder on
??SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
??SSLCompression Off
??SSLOptions +StrictRequire
??SSLCertificateFile??/etc/letsencrypt/live/routeragency.com/fullchain.pem
??SSLCertificateKeyFile /etc/letsencrypt/live/routeragency.com/privkey.pem
??SSLCACertificateFile /etc/letsencrypt/live/routeragency.com/chain.pem

?

??DirectoryIndex index.html index.php
??DocumentRoot /var/www/example.com/public_html/
??ServerName routeragency.com
??ServerAlias www.example.com www.routeragency.com example.com

然后重启apache服务:

Shell

1
service apache2 restart

最后在crotab中设置2个月更新一次证书(因为这个机构的证书只有3个月有效期):

Shell

1
crontab -e

添加定时任务

Shell

1
0 0 1 */2 * xxx/certbot/certbot-auto renew && /etc/init.d/apache2 restart

搞定,简单吧。。。
可以到www.ssllabs.com测试一下评级,满足一下虚荣心。。。

参考资料:
1.https://letsencrypt.org/getting-started/
2.https://certbot.eff.org/#debianwheezy-apache
3.https://ksmx.me/letsencrypt-ssl-https/?utm_source=v2ex&utm_medium=forum&utm_campaign=20160529
4.http://blog.rlove.org/2013/12/strong-ssl-crypto.html