Cenos6 申请免费Let’s Encrypt SSL证书 在Apache中配置

Let’s Encrypt是国外一个公共的免费SSL项目，由 Linux 基金会托管，它的来头不小，由Mozilla、思科、Akamai、IdenTrust和EFF等组织发起，目的就是向网站自动签发和管理免费证书，以便加速互联网由HTTP过渡到HTTPS，目前Facebook等大公司开始加入赞助行列

Let’s Encrypt免费SSL证书安装简单，官方提供脚本，配置方便，本篇文章就带大家了解一下如何获取Let’s Encrypt的SSL证书，以及在Apache中的配置方法：

Let’s Encrypt官网：

• 1、官方网站：https://letsencrypt.org/
• 2、项目主页：https://github.com/letsencrypt/letsencrypt

在获取SSL之前，我们需要准备一下我们的linux环境，安装git

yum install git

如果你的环境没有安装wget请先安装wget：

yum install wget

从GitHUB下载到你的主机根目录

git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt进入letsencrypt目录，运行脚本

./letsencrypt-auto certonly –standalone –email [email protected] -d dacat.cc -d www.dacat.cc

脚本会自动安装一些依赖组件，比如Python、ca-certificates

系统弹出，直接回车即可，脚本会验证你的域名到服务器的指向

证书生成成功后提示

IMPORTANT NOTES:
– If you lose your account credentials, you can recover through
e-mails sent to [email protected].
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.xxx.xx/fullchain.pem. Your cert will
expire on 2016-11-27. To obtain a new version of the certificate in
the future, simply run Let’s Encrypt again.
– Your account credentials have been saved in your Let’s Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let’s
Encrypt so making regular backups of this folder is ideal.
– If like Let’s Encrypt, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

/etc/letsencrypt/live是SSL的生成目录，查看一下是否有4个指向文件

接下来配置一下Apache2.2就可以访问自己的https了

修改Apache的配置文件，不同的环境，Apache的配置文件目录可能会不一样，我的在/etc/httpd/conf/httpd.conf

添加，如果存在不用修改

NameVirtualHost *:80
NameVirtualHost *:443

添加修改VirtualHost

设置自己的网站目录、绑定的公网域名，在443端口中添加

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/dacat.cc/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dacat.cc/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/dacat.cc/chain.pem

最后Service httpd restart，看看自己的网站是否可以使用SSL访问了~

*证书续期

./letsencrypt-auto certonly –standalone –email [email protected] -d dacat.cc -d www.dacat.cc

PS.附：自动续期（有效性待验证）

安装 Certbot

cd /root/letsencrypt/

chmod a+x certbot-auto

新建一个脚本：renew.sh

#!/bin/sh

/root/letsencrypt/certbot-auto renew –quiet –no-self-upgrade

设置crontab定时任务 自動更新：crontab -e

10 2 * * 0 /root/letsencrypt/renew.sh

设置服务器每周日早上2点10分进行检查更新