How to Apply for Let's Encrypt? Let's Encrypt Free SSL Certificate Principle & Installation Tutorial

How to apply for Let's Encrypt?

Let's Encrypt SSL certificate principle and installation tutorial

What is SSL? Chen Weiliang covered this in the previous article, "What is the difference between http and https? A detailed explanation of the SSL encryption process".

Independent e-commerce websites must purchase an encrypted SSL certificate, while new-media people who use a website to promote a WeChat public account can, if they want to install an SSL certificate, install an encrypted SSL certificate for free. It helps with SEO and can improve the ranking of the website's keywords in search engines.


Let's Encrypt has written its own set of procedures (https://certbot.eff.org/). Linux users can follow this tutorial while referring to that procedure.

First download the certbot-auto tool, then run it so that it installs its dependencies.

# Download the script over HTTPS with certificate verification enabled (it runs as root)
wget https://dl.eff.org/certbot-auto
chmod +x ./certbot-auto
# -n: run non-interactively; this first run installs the tool's dependencies
./certbot-auto -n

Generate the SSL certificate

Next, we take the domain name of Chen Weiliang's blog as an example; please modify it according to your own needs.

Change the following in the command:

  1. Email address
  2. Server path
  3. Website domain name

Single domain name, single directory: generate one certificate:

./certbot-auto certonly --email you@example.com --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com

Multiple domain names, single directory: generate one certificate (that is, several domain names served from one directory share the same certificate):

./certbot-auto certonly --email you@example.com --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com

The generated SSL certificate is saved in the /etc/letsencrypt/live/www.chenweiliang.com/ directory.

Multiple domain names, multiple directories: generate one certificate (that is, several domain names served from several directories use one certificate):

./certbot-auto certonly --email you@example.com --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com -w /home/eloha/public_html/site/etufo.org -d www.etufo.org -d img.etufo.org

After the Let's Encrypt certificate has been installed successfully, the following message is shown in the SSH session:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
Your cert will expire on 2018-02-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Renewing the SSL certificate

Renewing the certificate is also very convenient: use crontab to renew it automatically. Some Debian systems do not have crontab installed; you can install it manually first.

apt-get install cron

Add the following commands to the /etc/crontab file for nginx and apache respectively. They attempt a renewal every 10 days, which is frequent enough for the 90-day validity period. Entries in /etc/crontab carry a user field, which is root here.

Nginx crontab file, please add:

0 3 */10 * * root /root/certbot-auto renew --renew-hook "/etc/init.d/nginx reload"

Apache crontab file, please add:

0 3 */10 * * root /root/certbot-auto renew --renew-hook "service httpd restart"

Apache SSL certificate configuration

Now we need to make changes to the Apache configuration.

Tips:

  • If you use the CWP Control Panel, ticking the automatic SSL certificate option when you add a domain name configures the SSL certificate for Apache automatically.
  • If you then also carry out the following steps, an error may occur after restarting Apache.
  • If there is an error, delete the configuration you added manually.

Edit the httpd.conf file ▼

/usr/local/apache/conf/httpd.conf

Find ▼

Listen 443
  • (Remove the leading comment sign #)

or add the listening port 443 ▼

Listen 443

Check Apache's listening ports over SSH ▼

grep ^Listen /usr/local/apache/conf/httpd.conf

Find ▼

mod_ssl
  • (Remove the leading comment sign #)

or add ▼

LoadModule ssl_module modules/mod_ssl.so

Find ▼

httpd-ssl
  • (Remove the leading comment sign #)

Then run the following command over SSH (remember to change the path to your own):

cat >/usr/local/apache/conf/extra/httpd-ssl.conf<<EOF
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/usr/local/apache/logs/ssl_mutex"
EOF

Then go to the end of the Apache configuration for the website you created.

Below it, add the configuration for the SSL section (note: remove the comments, and change the paths to your own):

<VirtualHost *:443>
# Website directory
DocumentRoot /home/admin/web/chenweiliang.com/public_html
# Domain name
ServerName www.chenweiliang.com:443
# Email address
ServerAdmin you@example.com
# Error log
ErrorLog "/var/log/www.chenweiliang.com-error_log"
# Access log
CustomLog "/var/log/www.chenweiliang.com-access_log" common
SSLEngine on
# Certificate generated earlier
SSLCertificateFile /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
# Private key generated earlier
SSLCertificateKeyFile /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
# Website directory
<Directory "/home/admin/web/chenweiliang.com/public_html">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
# User and group (some server configurations need this line, some do not; delete it if it causes an error)
suPHP_UserGroup eloha eloha
Order allow,deny
Allow from all
DirectoryIndex index.html index.php
</Directory>
</VirtualHost>

Restart Apache:

service httpd restart

Apache: force HTTP to redirect to HTTPS

  • Many web applications can only run over SSL.
  • We need to make sure that whenever we use SSL, the website has to be accessed over SSL.
  • If any user tries to access the website with a non-SSL URL, they must be redirected to the SSL website.
  • Redirect to the SSL URL using the Apache mod_rewrite module.
  • If you use a LAMP one-click installation package, SSL certificate installation and the forced redirect to HTTPS are built in; with the forced HTTPS redirect already in effect, you do not need to add an HTTPS redirect.

Add the redirect rule

  • In Apache's configuration file, edit the website's virtual host and add the following settings.
  • You can also add the same settings to the .htaccess file in the document root of your website.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If you only want to redirect one specific URL to HTTPS:

RewriteEngine On
RewriteRule ^message$ https://www.etufo.org/message [R=301,L]

  • If anyone tries to access message, the page jumps to https, and the user can only access that URL over SSL.

Restart Apache so that the .htaccess file takes effect:

service httpd restart

Notes

  • Please change the email address above to your own email address.
  • Please change the website domain name above to your own domain name.

Redirect rule placement problem

Under pseudo-static rules, when you place the redirect rules you will often run into the problem that http cannot be redirected to https.

At first we copied the redirect code into .htaccess, and it ended up in the following situation ▼

(Image 2: redirect rules, with the [L] rule above)

  • [L] indicates that the current rule is the last rule; processing of the rewrite rules that follow stops.
  • So when a redirected article page is visited, [L] stops the rules below it, and the redirect rules do not run.

When the http home page is visited, we want the URL redirect to be triggered, skipping past the pseudo-static rules to execute the redirect rule, so that site-wide redirection from http to https can be achieved.

Do not put the https redirect rules below the [L] rules; put them above the [L] rules ▼

(Image 3: pseudo-static rules with [L] placed below the SSL redirect rules)
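The ordering problem described above can be checked mechanically. The following shell function is an added example, not code from the original article; the two sample .htaccess files are constructed and assume WordPress-style pseudo-static rules, and the names redirect_order and write_samples are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): report whether the
# HTTP->HTTPS redirect in an .htaccess file sits above or below a rule
# that ends rewriting with [L].

# redirect_order FILE -> prints "ok", "shadowed" or "missing"
redirect_order() {
  awk '
    $1 != "RewriteRule" { next }            # skip RewriteCond, comments, etc.
    $3 ~ /^https:\/\// {                    # absolute https target = the redirect
      print (blocked ? "shadowed" : "ok"); found = 1; exit
    }
    substr($NF, 1, 1) == "[" {              # flags field of an earlier rule
      flags = $NF; gsub(/^\[|\]$/, "", flags)
      n = split(flags, f, ",")
      for (i = 1; i <= n; i++) if (f[i] == "L" || f[i] == "last") blocked = 1
    }
    END { if (!found) print "missing" }
  ' "$1"
}

# write_samples DIR -> two constructed .htaccess files using WordPress-style
# pseudo-static rules (an assumption; the article does not show its rules).
write_samples() {
  cat > "$1/bad.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF
  cat > "$1/good.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "bad:  $(redirect_order "$demo_dir/bad.htaccess")"
echo "good: $(redirect_order "$demo_dir/good.htaccess")"
rm -rf "$demo_dir"
```

The check is deliberately conservative: any earlier RewriteRule carrying the L flag counts as able to end processing before the redirect is reached.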


We hope the article "How to Apply for Let's Encrypt? Let's Encrypt Free SSL Certificate Principle & Installation Tutorial", shared by Chen Weiliang Blog ( https://www.chenweiliang.com/ ), is helpful to you.

You are welcome to share the link to this article: https://www.chenweiliang.com/cwl-512.html
