Let's Encrypt is a free, public SSL certificate project hosted by the Linux Foundation. It has serious backing: it was launched by Mozilla, Cisco, Akamai, IdenTrust and the EFF, among others, with the aim of automatically issuing and managing free certificates for websites so as to speed the Internet's transition from HTTP to HTTPS. Large companies such as Facebook have since joined as sponsors.
Installing a Let's Encrypt certificate is simple: the project provides an official client script and configuration is straightforward. This post walks through obtaining a Let's Encrypt certificate and configuring it in Apache.
Let's Encrypt links:
- 1、Official site: https://letsencrypt.org/
- 2、Project page: https://github.com/letsencrypt/letsencrypt
Before requesting a certificate, prepare the Linux environment by installing git:
yum install git
If wget is not installed either, install it first:
yum install wget
Clone the client from GitHub into your home directory (this guide works as root, so the checkout ends up in /root/letsencrypt):
git clone https://github.com/letsencrypt/letsencrypt
Change into the letsencrypt directory and run the script:
cd letsencrypt
./letsencrypt-auto certonly --standalone --email [email protected] -d dacat.cc -d www.dacat.cc
certonly only obtains the certificate and leaves the Apache configuration untouched; --standalone makes the client answer the domain validation with a temporary web server of its own; each -d names one hostname the certificate must cover.
The script installs a number of dependencies on its own, such as Python and ca-certificates. When a dialog pops up, just press Enter; the script then validates that the domains point at this server. Two things must hold for that validation to succeed: the DNS records for every -d name must already resolve to this machine, and the port the client binds must be free and reachable from the Internet, because --standalone starts its own listener to answer the challenge (port 80 for http-01; older client versions used 443 for the since-retired tls-sni-01 challenge). If httpd is already running, stop it for the duration (service httpd stop), or the client will fail to bind the port.
Once the certificate has been issued, the client prints:
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
  e-mails sent to [email protected].
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/www.xxx.xx/fullchain.pem. Your cert will
  expire on 2016-11-27. To obtain a new version of the certificate in
  the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Let's
  Encrypt so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le
/etc/letsencrypt/live/<domain> is where the issued certificate is exposed; the directory is named after the first -d argument (here dacat.cc). Check that it contains the four files: cert.pem (the server certificate), chain.pem (the intermediate chain), fullchain.pem (certificate plus chain) and privkey.pem (the private key). They are symlinks into /etc/letsencrypt/archive that always point at the newest version, so configuration should reference the live/ paths and will keep working across renewals. Since the directory holds the private key, it must stay readable by root only, and the backup the client asks for should be treated as a secret.
Next, configure Apache 2.2 and the site can be reached over HTTPS.
Edit the Apache configuration file. Its location depends on the environment; on this system it is /etc/httpd/conf/httpd.conf. SSLEngine and the other SSL* directives come from mod_ssl, so make sure it is installed (yum install mod_ssl); on CentOS its /etc/httpd/conf.d/ssl.conf also adds the Listen 443 line.
Add the following if it is not already present:
NameVirtualHost *:80
NameVirtualHost *:443
Then add or modify the VirtualHost blocks: set your site's document root and the public domain it binds to, and in the port 443 block add
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/dacat.cc/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dacat.cc/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/dacat.cc/chain.pem
(This is the Apache 2.2 layout. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated: drop it and point SSLCertificateFile at fullchain.pem instead.)
Finally run service httpd restart and check whether the site can now be reached over SSL.
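The directives above are the minimum; for a complete, working pair of vhosts (plain HTTP redirecting to HTTPS, and the TLS vhost using the live/ paths) here is an added example script, not part of the original post or of the Let's Encrypt client. It assumes Apache 2.2 with mod_ssl, that NameVirtualHost *:80 and *:443 are already declared in httpd.conf as described above, that httpd.conf includes conf.d/*.conf (the CentOS default), and that the lineage directory is named after the first -d argument. The domain, document root and output path are parameters:

```shell
#!/bin/sh
# make-vhost.sh  (added example, not from the original post)
# Writes the HTTP->HTTPS redirect vhost and the TLS vhost for one Let's Encrypt
# lineage into a drop-in file that httpd.conf picks up via "Include conf.d/*.conf".
# Assumptions: Apache 2.2 with mod_ssl installed (yum install mod_ssl, which also
# supplies "Listen 443" in conf.d/ssl.conf), NameVirtualHost *:80 / *:443 already
# declared in httpd.conf, and the lineage directory named after the first -d
# argument given to the client.

write_vhost_conf() {
    domain="$1"    # primary hostname, e.g. dacat.cc
    docroot="$2"   # document root for the site
    outfile="$3"   # target file, e.g. /etc/httpd/conf.d/dacat.cc.conf
    live="/etc/letsencrypt/live/$domain"

    # Unquoted heredoc: $domain, $docroot and $live are expanded, nothing else is.
    cat > "$outfile" <<EOF
# Generated by make-vhost.sh for $domain

<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    # Plain HTTP only redirects; the content is served over TLS below.
    Redirect permanent / https://$domain/
</VirtualHost>

<VirtualHost *:443>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $docroot

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    # Reference the live/ symlinks, not archive/, so a renewal needs only a restart.
    SSLCertificateFile $live/cert.pem
    SSLCertificateKeyFile $live/privkey.pem
    # Apache 2.2 / 2.4 before 2.4.8: the intermediate goes here. On 2.4.8+ this
    # directive is deprecated: remove it and use $live/fullchain.pem above instead.
    SSLCertificateChainFile $live/chain.pem
</VirtualHost>
EOF
}

# Usage: sh make-vhost.sh dacat.cc /var/www/dacat.cc /etc/httpd/conf.d/dacat.cc.conf
# then:  service httpd configtest && service httpd restart
if [ $# -eq 3 ]; then
    write_vhost_conf "$1" "$2" "$3"
fi
```

Run service httpd configtest before restarting: a typo in the certificate path is reported there instead of taking the site down.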
*Certificate renewal
Let's Encrypt certificates are valid for 90 days. To renew, run the same command again (with httpd stopped, since --standalone needs the port free):
./letsencrypt-auto certonly --standalone --email [email protected] -d dacat.cc -d www.dacat.cc
PS. Appendix: automatic renewal (not yet verified)
Install Certbot; the certbot-auto wrapper ships in the same checkout:
cd /root/letsencrypt/
chmod a+x certbot-auto
Create a script, renew.sh:
#!/bin/sh
/root/letsencrypt/certbot-auto renew --quiet --no-self-upgrade
Set up a crontab entry so it updates automatically: crontab -e
10 2 * * 0 /root/letsencrypt/renew.sh
This makes the server check for renewals every Sunday at 02:10. renew only re-issues certificates that are within 30 days of expiry, so running it weekly is safe; note, though, that as written it will fail while httpd is holding port 80 (see the caveat in the issuing step), and that Apache must be restarted afterwards to load the new certificate.
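A renew.sh that handles both problems (the port conflict with a standalone-issued certificate, and reloading Apache after a successful renewal), as an added example that is not part of the original post or of Certbot. It assumes certbot-auto at /root/letsencrypt/certbot-auto, the httpd service name used on CentOS/RHEL, and a log path of /var/log/letsencrypt-renew.log; the CERTBOT and LOG environment variables are hypothetical overrides added for dry runs:

```shell
#!/bin/sh
# /root/letsencrypt/renew.sh  (added example, not from the original post)
# Cron-driven renewal for certificates that were issued in --standalone mode.
# Standalone mode binds port 80 itself, so Apache must be stopped while certbot
# runs; --pre-hook/--post-hook do that. certbot only runs the hooks when at least
# one certificate is actually due for renewal (inside the 30-day window), so most
# weekly runs cause no downtime at all, and the post-hook start also loads the
# renewed certificate into Apache.
# Assumptions: certbot-auto at /root/letsencrypt/certbot-auto, service name
# "httpd" (CentOS/RHEL), log path writable by root.

run_renew() {
    cb=${CERTBOT:-/root/letsencrypt/certbot-auto}   # set CERTBOT=echo for a dry run
    log=${LOG:-/var/log/letsencrypt-renew.log}

    # Build the argument list with set -- so the quoted hook commands stay intact.
    set -- renew --quiet --no-self-upgrade \
        --pre-hook "service httpd stop" \
        --post-hook "service httpd start"

    echo "$(date '+%Y-%m-%d %H:%M:%S') starting: $cb $*" >>"$log"
    "$cb" "$@" >>"$log" 2>&1
    rc=$?
    echo "$(date '+%Y-%m-%d %H:%M:%S') finished, exit code $rc" >>"$log"
    return $rc
}

# Only act when invoked as "renew.sh run" (which is how the cron line calls it),
# so the function can also be sourced or exercised without touching certbot.
if [ "${1:-}" = "run" ]; then
    run_renew
fi
```

The matching cron line is 10 2 * * 0 /root/letsencrypt/renew.sh run. Because --quiet suppresses normal output, the log file is the only record of what happened; check it after the first Sunday, and keep the manual certonly command above as the fallback if the hooks do not behave as expected on your system.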