How to apply for Let's Encrypt?
Let's Encrypt SSL Free Certificate Principle & Installation Tutorial
What is SSL? Chen Weiliang covered it in the previous article "What is the difference between http and https? A detailed explanation of the SSL encryption process".
Independent e-commerce websites need to purchase an encrypted SSL certificate. New-media people who use a website for things like WeChat public account promotion and want to install an SSL certificate can install an encrypted SSL certificate for free. It helps SEO and can improve the ranking of the website's keywords in search engines.
Let's Encrypt has written its own set of procedures (https://certbot.eff.org/). Linux users can follow this tutorial while referring to that process.
First download the certbot-auto tool, then run it to install the tool's dependencies.
# Fetch over verified TLS (no --no-check-certificate): the script is then run as root
wget https://dl.eff.org/certbot-auto
chmod +x ./certbot-auto
./certbot-auto -n
Generate the SSL certificate
Next, we take the domain name of Chen Weiliang's blog as an example; please change it to suit your own needs.
In the command, change:
- Email address
- Server path
- Website domain name
Single domain, single directory; generate one certificate:
./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com
Multiple domains, single directory; generate one certificate (that is, several domain names served from one directory share the same certificate):
./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com
The generated SSL certificate is saved under the directory /etc/letsencrypt/live/www.chenweiliang.com/
Multiple domains, multiple directories; generate one certificate (that is, several domain names served from several directories share the same certificate):
./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com -w /home/eloha/public_html/site/etufo.org -d www.etufo.org -d img.etufo.org
After the Let's Encrypt certificate has been installed successfully, the following message is shown in the SSH session:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
   Your cert will expire on 2018-02-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
SSL certificate renewal
Renewing the certificate is also easy: use crontab to renew it automatically. Some Debian systems do not have crontab installed; you can install it manually first.
apt-get install cron
Below are the commands to enter in the /etc/crontab file for nginx and for apache. They renew every 10 days, which is enough for the 90-day validity period.
For Nginx, add to the crontab file:
# /etc/crontab entries take a user field (root here) before the command
0 3 */10 * * root /root/certbot-auto renew --renew-hook "/etc/init.d/nginx reload"
For Apache, add to the crontab file:
# /etc/crontab entries take a user field (root here) before the command
0 3 */10 * * root /root/certbot-auto renew --renew-hook "service httpd restart"
Apache SSL certificate configuration
Now we need to change the Apache configuration.
Tips:
- If you use the CWP Control Panel and tick the option to generate an SSL certificate automatically on the Add domain name page, the SSL certificate is configured for Apache automatically.
- If you then also carry out the steps below, an error may occur after restarting Apache.
- If there is an error, delete the configuration you added by hand.
Edit the httpd.conf file ▼
/usr/local/apache/conf/httpd.conf
Find ▼
Listen 443
- (Remove the leading comment sign #)
or add the listening port 443 ▼
Listen 443
Check over SSH which ports Apache listens on ▼
grep ^Listen /usr/local/apache/conf/httpd.conf
Find ▼
mod_ssl
- (Remove the leading comment sign #)
or add ▼
LoadModule ssl_module modules/mod_ssl.so
Find ▼
httpd-ssl
- (Remove the leading comment sign #)
Then run the following command over SSH (remember to change the path to your own):
cat >/usr/local/apache/conf/extra/httpd-ssl.conf<<EOF
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/usr/local/apache/logs/ssl_mutex"
EOF
Then, at the end of the Apache configuration of the website you created, add the SSL section below (remember to remove the comments and change the paths to your own):
<VirtualHost *:443>
    # Website directory
    DocumentRoot /home/admin/web/chenweiliang.com/public_html
    # Domain name
    ServerName www.chenweiliang.com:443
    # Email address
    ServerAdmin [email protected]
    # Error log
    ErrorLog "/var/log/www.chenweiliang.com-error_log"
    # Access log
    CustomLog "/var/log/www.chenweiliang.com-access_log" common
    SSLEngine on
    # Certificate generated earlier
    SSLCertificateFile /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
    # Key generated earlier
    SSLCertificateKeyFile /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
    # Website directory
    <Directory "/home/admin/web/chenweiliang.com/public_html">
        SetOutputFilter DEFLATE
        Options FollowSymLinks
        AllowOverride All
        # User group (some server setups need this, some may not; delete this line if it causes an error)
        suPHP_UserGroup eloha eloha
        Order allow,deny
        Allow from all
        DirectoryIndex index.html index.phps
    </Directory>
</VirtualHost>
Restart Apache:
service httpd restart
Apache: force HTTP to redirect to HTTPS
- Many web requests can only run over SSL.
- We need to make sure that whenever we use SSL, the website is accessed over SSL.
- If a user tries to access the website with a non-SSL URL, they must be redirected to the SSL website.
- Redirect to the SSL URL using the Apache mod_rewrite module.
- If you use a one-click LAMP installation package that has SSL certificate installation and forced redirection to HTTPS built in, the HTTPS redirect is already in effect and you do not need to add one.
Add the redirect rule
- In the Apache configuration file, edit the website's virtual host and add the following settings.
- You can also add the same settings to the .htaccess file in the document root of your website.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
If you only want to redirect a specific URL to HTTPS:
RewriteEngine On
RewriteRule ^message$ https://www.etufo.org/message [R=301,L]
- If someone tries to access message, the page jumps to https, and the user can only access this URL over SSL.
Restart Apache for the .htaccess file to take effect:
service httpd restart
Notes
- Please change the email address above to your own email address.
- Please change the website domain name above to your own domain name.
Redirect rule placement problem
When redirect rules are placed alongside pseudo-static rules, you often run into the problem that http cannot be redirected to https.
At first we copied the redirect code into .htaccess, and the problem appeared in the following situation ▼
- [L] means the current rule is the last rule; processing of the rewrite rules after it stops.
- So when a rewritten article page is visited, [L] stops the rules below it, and the redirect rules never run.
When the http home page is visited, we want the URL redirect to be triggered first, ahead of the pseudo-static rules, so that http is redirected to https across the whole site.
Do not put the https redirect rules below the [L] rules; put them above the [L] rules ▼
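The ordering rule above, as an added example that is not from the original article: two constructed .htaccess samples (the /index.php front-controller rule stands in for the pseudo-static rules and is an assumption) and a hypothetical check_redirect_order function that reports whether the HTTPS redirect sits above every other [L] rule.

```shell
#!/bin/sh
# Added example (not from the original article). Both samples are constructed;
# the /index.php front-controller rule stands in for the pseudo-static rules.

# Wrong order: the [L] pseudo-static rule sits above the HTTPS redirect.
bad_htaccess() {
cat <<'EOF'
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF
}

# Correct order: the HTTPS redirect comes before the pseudo-static rule.
good_htaccess() {
cat <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
EOF
}

# Reads rewrite rules on stdin. Prints "ok" when the rule guarded by
# "RewriteCond %{HTTPS} off" precedes every other [L] rule, "misordered" when
# an [L] rule comes first, and "missing" when there is no HTTPS redirect.
check_redirect_order() {
  awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    /^[ \t]*RewriteCond[ \t]+%[{]HTTPS[}][ \t]+(off|!=on)/ { guard = 1; next }
    /^[ \t]*RewriteRule[ \t]/ {
      # A RewriteCond applies to the next RewriteRule only.
      if (guard) { if (!redirect) redirect = NR; guard = 0; next }
      if ($NF ~ /^\[(.*,)?L(,.*)?\]$/ && !first_l) first_l = NR
    }
    END {
      if (!redirect) print "missing"
      else if (first_l && first_l < redirect) print "misordered"
      else print "ok"
    }'
}
```

To check a live file, run check_redirect_order < /path/to/.htaccess after sourcing the functions.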
Extended reading:
- What is the difference between http and https? A detailed explanation of the SSL encryption process
- What should I do if I get a 500 error after installing the Let's Encrypt SSL certificate in the CWP control panel?
- Automatically redirect the top-level domain name without www to the second-level domain name with www.
We hope that "How to apply for Let's Encrypt? Let's Encrypt SSL Free Certificate Principle & Installation Tutorial", shared by Chen Weiliang Blog ( https://www.chenweiliang.com/ ), is helpful to you.
You are welcome to share the link to this article: https://www.chenweiliang.com/cwl-512.html