Let's Encrypt is a public, free SSL certificate project from abroad, hosted by the Linux Foundation. It has serious backing: it was launched by Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organizations, with the goal of automatically issuing and managing free certificates for websites so as to speed up the Internet's transition from HTTP to HTTPS. Large companies such as Facebook have now started joining as sponsors.

Installing a free Let's Encrypt SSL certificate is straightforward: the project provides an official script and configuration is easy. This article walks through how to obtain a Let's Encrypt SSL certificate and how to configure it in Apache:

Let's Encrypt official sites:

  • 1. Official website: https://letsencrypt.org/
  • 2. Project page: https://github.com/letsencrypt/letsencrypt

Before obtaining the certificate we need to prepare the Linux environment and install git:

yum install git

If wget is not installed in your environment, install wget first:

yum install wget

Clone it from GitHub into the root user's home directory on your host (the later steps assume /root/letsencrypt):

git clone https://github.com/letsencrypt/letsencrypt

Run cd letsencrypt to enter the letsencrypt directory, then run the script:

./letsencrypt-auto certonly --standalone --email [email protected] -d dacat.cc -d www.dacat.cc

The script automatically installs some dependencies, such as Python and ca-certificates.

When the system prompts you, just press Enter; the script then verifies that your domain points to this server.

After the certificate has been generated successfully, the following is displayed:

IMPORTANT NOTES:
– If you lose your account credentials, you can recover through
e-mails sent to [email protected].
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.xxx.xx/fullchain.pem. Your cert will
expire on 2016-11-27. To obtain a new version of the certificate in
the future, simply run Let’s Encrypt again.
– Your account credentials have been saved in your Let’s Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let’s
Encrypt so making regular backups of this folder is ideal.
– If like Let’s Encrypt, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

/etc/letsencrypt/live is the directory where the SSL files are generated; check that the four symlinked files are there.
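Rather than eyeballing the directory listing, the following added script (my own example, not part of the original post) checks that all four files are present and readable and that the public key inside cert.pem really belongs to privkey.pem, which is the mismatch that makes Apache refuse to start once the paths are put into httpd.conf. The directory /etc/letsencrypt/live/dacat.cc is taken from the post's Apache configuration and is only a default; pass your own as the first argument.

```shell
#!/bin/sh
# Added example: sanity checks for the files certbot leaves in
# /etc/letsencrypt/live/<domain>/ before they are referenced from httpd.conf.
# The default directory below is an assumption taken from the post's config.
LIVE_DIR="${1:-/etc/letsencrypt/live/dacat.cc}"

# check_live_dir DIR: the four expected files must exist and be readable
# (they are symlinks into ../../archive/, so a dangling link also fails).
# Prints each missing file and returns the number missing (0 = all good).
check_live_dir() {
    dir="$1"
    missing=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# cert_matches_key DIR: the public key embedded in cert.pem must equal the
# public key derived from privkey.pem. Works for RSA and EC keys alike.
# Returns 0 on match, 1 on mismatch, 2 if a file could not be parsed.
cert_matches_key() {
    dir="$1"
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Only run the checks when a directory is given on the command line.
if [ $# -gt 0 ]; then
    check_live_dir "$LIVE_DIR" || exit 1
    if cert_matches_key "$LIVE_DIR"; then
        echo "OK: $LIVE_DIR complete, certificate matches private key"
        openssl x509 -in "$LIVE_DIR/cert.pem" -noout -subject -enddate
    else
        echo "ERROR: cert.pem does not match privkey.pem in $LIVE_DIR" >&2
        exit 1
    fi
fi
```

Run it as `sh check_live.sh /etc/letsencrypt/live/dacat.cc`; a zero exit status means the paths can be copied into the VirtualHost configuration, and the printed enddate is the date the output above calls the expiry.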

Next, configure Apache 2.2 and you will be able to access your own site over HTTPS.

Edit Apache's configuration file. Its location varies between environments; mine is /etc/httpd/conf/httpd.conf.

Add the following (no change needed if it is already present):

NameVirtualHost *:80
NameVirtualHost *:443

Add or modify the VirtualHost entries:

Set your own site directory and the public domain bound to it, and add the following inside the port 443 VirtualHost:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/dacat.cc/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dacat.cc/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/dacat.cc/chain.pem
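To show the three SSL directives in the context of a complete Apache 2.2 name-based virtual host, here is an added helper script (my example, not from the original post) that writes the :80 and :443 VirtualHost pair for a domain and then runs Apache's syntax check. It keeps the NameVirtualHost lines in httpd.conf as the post describes and assumes mod_ssl is loaded and that /etc/httpd/conf.d/ is included by httpd.conf (the CentOS default). The HTTP-to-HTTPS redirect and the SSLProtocol / SSLHonorCipherOrder lines are my additions, not something the post configures; the domain, document root and output path are assumptions you replace.

```shell
#!/bin/sh
# Added example: generate an Apache 2.2 VirtualHost pair that serves a site
# over HTTPS with a Let's Encrypt certificate and redirects plain HTTP to it.
# Domain, DocumentRoot and output file are assumptions passed as arguments.

# write_vhost_conf DOMAIN DOCROOT OUTFILE
write_vhost_conf() {
    domain="$1"      # e.g. dacat.cc
    docroot="$2"     # e.g. /var/www/dacat
    out="$3"         # e.g. /etc/httpd/conf.d/dacat.cc.conf
    live="/etc/letsencrypt/live/$domain"
    cat > "$out" <<EOF
# Port 80 only redirects to HTTPS so nothing is served in the clear.
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    Redirect permanent / https://$domain/
</VirtualHost>

<VirtualHost *:443>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $docroot

    SSLEngine on
    SSLCertificateFile      $live/cert.pem
    SSLCertificateKeyFile   $live/privkey.pem
    SSLCertificateChainFile $live/chain.pem

    # Disable protocol versions with known weaknesses (Apache 2.2 syntax).
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
</VirtualHost>
EOF
}

# With three arguments: write the file, syntax-check, then restart httpd.
if [ $# -eq 3 ]; then
    write_vhost_conf "$1" "$2" "$3" && apachectl -t && service httpd restart
fi
```

Example invocation: `sh make_vhost.sh dacat.cc /var/www/dacat /etc/httpd/conf.d/dacat.cc.conf`. The `apachectl -t` step matters because a typo in a certificate path stops Apache from starting at all, which is worse than serving the old configuration.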

Finally run service httpd restart and check whether your site can be accessed over SSL~

* Certificate renewal

./letsencrypt-auto certonly --standalone --email [email protected] -d dacat.cc -d www.dacat.cc

PS. Appendix: automatic renewal (not yet verified to work)

Install Certbot

cd /root/letsencrypt/

chmod a+x certbot-auto

Create a new script: renew.sh

#!/bin/sh

/root/letsencrypt/certbot-auto renew --quiet --no-self-upgrade

Set up a crontab job for automatic renewal: crontab -e

10 2 * * 0 /root/letsencrypt/renew.sh

This makes the server check for renewals every Sunday at 02:10.
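The renew.sh above has two gaps a practitioner would want closed: the certificate was issued with `--standalone`, so `certbot-auto renew` will again try to listen on port 80 and fail while httpd holds it, and Apache only reads the certificate files at startup, so a renewed certificate is not served until httpd is restarted. The following added script (my example, not from the original post) uses certbot's `--pre-hook` and `--post-hook` options to stop httpd for the duration of the renewal and start it again, logs the run, and then verifies that the live certificate is good for at least 30 more days. It assumes a certbot-auto version that supports hooks, and the paths for certbot-auto, the certificate and the log file are assumptions.

```shell
#!/bin/sh
# Added example: renew.sh for the weekly cron job. Paths are assumptions.
CERTBOT="${CERTBOT:-/root/letsencrypt/certbot-auto}"
LIVE_CERT="${LIVE_CERT:-/etc/letsencrypt/live/dacat.cc/cert.pem}"
LOG="${LOG:-/var/log/letsencrypt-renew.log}"

# cert_valid_for CERT DAYS: succeeds (0) if CERT does not expire within
# DAYS days, fails (1) if it does. Used to confirm the renewal took effect.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# run_renewal: certbot only renews certificates that are within 30 days of
# expiry (its default), so running this weekly is safe. The hooks free
# port 80 for the standalone authenticator and bring httpd back up, which
# also makes Apache load the new certificate files.
run_renewal() {
    "$CERTBOT" renew --quiet --no-self-upgrade \
        --pre-hook "service httpd stop" \
        --post-hook "service httpd start"
}

# Only act when invoked with --run, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    {
        date
        run_renewal || echo "certbot renew failed with status $?"
        if cert_valid_for "$LIVE_CERT" 30; then
            echo "OK: $LIVE_CERT is valid for at least 30 more days"
        else
            echo "WARNING: $LIVE_CERT expires within 30 days; check renewal"
        fi
    } >> "$LOG" 2>&1
fi
```

The matching cron line is `10 2 * * 0 /root/letsencrypt/renew.sh --run`; after the first Sunday, the log file shows whether the renewal ran and whether the served certificate is actually fresh. Using `--post-hook` with `start` rather than a bare `restart` after the script is deliberate: if certbot fails before the post-hook, httpd is still started, so a failed renewal does not leave the site down.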