Maitiro ekunyorera kuti Let's Encrypt? Ngatinyorei SSL Yemahara Sitifiketi Musimboti & Kuisa Tutorial

Nzira yekushandisa sei Let's Encrypt?

Ngativei Chete SSL Chitupa Nheyo & Kuisa Tutorial

Chii chinonzi SSL?Chen WeiliangMunyaya yapfuura "Ndeupi musiyano pakati pe http vs https? Tsananguro yakadzama yeSSL encryption process"Inotaurwa mu.

kunze kwaizvozvoE-commerceIyo webhusaiti inofanirwa kutenga yakavharidzirwa SSL chitupa uye kushandisa webhusaiti seWeChatPublic account promotionofmidhiya mitsvaVanhu, kana iwe uchida kuisa SSL chitupa, unogona chaizvo kuisa encrypted SSL chitupa mahara.SEOInobatsira, inogona kuvandudza chiyero chemazwi ewebhusaiti mumajini ekutsvaga.

Let's Encrypt pachayo yakanyora seti yemaitiro (https://certbot.eff.org/), kushandisaLinuxshamwari, unogona kutevera chidzidzo ichi uchireva maitiro.

Dhawunirodha certbot-auto chishandiso kutanga, wobva wamhanyisa kuisirwa kwechishandiso.

wget https://dl.eff.org/certbot-auto --no-check-certificate
chmod +x ./certbot-auto
./certbot-auto -n

Gadzira SSL chitupa

Tevere, neChen WeiliangTora zita rezita reblog semuenzaniso, ndapota rigadzirise zvinoenderana nezvaunoda SSH inoshandisa mirairo inotevera.

Iva nechokwadi chekugadzirisa murairo mu:

1. Emailbox
2. server nzira
3. website domain name

Single domain single directory, gadzira chitupa:

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com

Multi-domain single dhairekitori, gadzira chitupa: (kureva, akawanda mazita edura, rimwe dhairekitori, shandisa chitupa chimwe chete)

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com

Iyo yakagadzirwa SSL chitupa ichachengetwa mu:/etc/letsencrypt/live/www.chenweiliang.com/ Pasi pezviri mukati.

Mazita akawanda edomasi uye akawanda madhairekitori, gadzira chitupa: (ndiko kuti, akawanda mazita edomasi, akawanda madhairekitori, shandisa chitupa chimwe chete)

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com -w /home/eloha/public_html/site/etufo.org -d www.etufo.org -d img.etufo.org

Mushure mekunge Let's Encrypt certificate yaiswa zvinobudirira, inotevera meseji yekukurumidza ichaonekwa muSSH:

MAGAZINI ANOKOSHA:
– Makorokoto!Chitupa chako nechain akachengetwa pa:
/etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
Kiyi yefaira yako yachengetwa pa:
/etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
Chitupa chako chinopera muna 2018-02-26. Kuti uwane chitsva kana kugadzirwa
vhezheni yechitupa ichi mune ramangwana, ingomhanya certbot-auto
zvakare.Kusaita-interactively kuvandudza *zvese* zvitupa zvako, mhanya
"certbot-auto vandudza"
- Kana iwe uchida Certbot, ndapota funga nezvekutsigira basa redu na:
Kupa kune ISRG / Ngatinyorei: https://letsencrypt.org/donate
Kupa kuEFF: https://eff.org/donate-le

SSL Certificate Kuvandudza

Kuvandudzwa kweSitifiketi zvakare kuri nyore kwazvo, kushandisacrontabKuvandudza otomatiki.Imwe Debian haina crontab yakaiswa, unogona kuiisa nemaoko kutanga.

apt-get install cron

Iyo inotevera mirairo iri mu nginx uye apache zvakateerana / etc / crontab Murairo wakapinda mufaira unoreva kuti unovandudzwa mazuva ose e10, uye nguva ye90-yemazuva inokwana.

Nginx crontab faira, ndapota wedzera:

0 3 */10 * * /root/certbot-auto renew --renew-hook "/etc/init.d/nginx reload"

Apache crontab faira, ndapota wedzera:

0 3 */10 * * /root/certbot-auto renew --renew-hook "service httpd restart"

SSL chitupa Apache kumisikidzwa

Zvino, isu tinofanirwa kuita shanduko kune iyo Apache kumisikidzwa.

Mazano:

• kana ukashandisaCWP Control Panel, mune Wedzera zita rezita tarisa Gadzira otomatiki chitupa cheSSL, chinozogadzirisa chitupa cheSSL cheApache.
• Kana iwe ukaita akawanda eanotevera matanho, kukanganisa kunogona kuitika mushure mekutangazve Apache.
• Kana paine chikanganiso, dzima gadziriso yawakawedzera nemaoko.

Rongedza iyo httpd.conf faira ▼

/usr/local/apache/conf/httpd.conf

Tsvaga ▼

Listen 443

• (bvisa nhamba yekutaura yapfuura #)

kana kuwedzera chiteshi chekuteerera 443 ▼

Listen 443

SSH tarisa Apache yekuteerera chiteshi ▼

grep ^Listen /usr/local/apache/conf/httpd.conf

Tsvaga ▼

mod_ssl

• (bvisa nhamba yekutaura yapfuura #)

kana kuwedzera ▼

LoadModule ssl_module modules/mod_ssl.so

Tsvaga ▼

httpd-ssl

• (bvisa nhamba yekutaura yapfuura #)

Zvadaro, SSH ita murairo unotevera (noti kuti uchinje nzira kune yako):

at >/usr/local/apache/conf/extra/httpd-ssl.conf<<EOF
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/usr/local/apache/logs/ssl_mutex"
EOF

Tevere, pakupera kweApache kumisikidzwa yewebhusaiti yawakagadziraunder.

Wedzera iyo faira yekumisikidza yechikamu cheSSL (noti kuti ubvise mhinduro, uye shandura nzira kune yako):

<VirtualHost *:443>
DocumentRoot /home/admin/web/chenweiliang.com/public_html //网站目录
ServerName www.chenweiliang.com:443 //域名
ServerAdmin [email protected] //邮箱
ErrorLog "/var/log/www.chenweiliang.com-error_log" //错误日志
CustomLog "/var/log/www.chenweiliang.com-access_log" common //访问日志
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem //之前生成的证书
SSLCertificateKeyFile /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem //之前生成的密钥
<Directory "/home/admin/web/chenweiliang.com/public_html"> //网站目录
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
suPHP_UserGroup eloha eloha //用户组（有些服务器配置需要，有些可能不需要，出错请删除此行）
Order allow,deny
Allow from all
DirectoryIndex index.html index.phps
</Directory>
</VirtualHost>

Pakupedzisira tangazve Apache pairi:

service httpd restart

Apache manikidza HTTP kutungamira kuHTTPS

• Zvikumbiro zvakawanda zvewebhu zvinongogara zvichimhanya neSSL.
• Isu tinofanirwa kuve nechokwadi chekuti pese patinoshandisa SSL, webhusaiti inofanirwa kuwanikwa kuburikidza neSSL.
• Kana chero mushandisi akaedza kuwana webhusaiti neiyo isiri-SSL URL, anofanira kuendeswa kune iyo SSL webhusaiti.
• Nangidzira kuSSL URL uchishandisa Apache mod_rewrite module.
• Zvakadai sekushandisa LAMP kamwechete-tinya yekuisa pasuru, yakavakirwa-mukati otomatiki kuisirwa SSL chitupa uye kumanikidzirwa redirection kuHTTPS, redirection kuHTTPS.In force, haufanire kuwedzera HTTPS redirect.

Wedzera redirect mutemo

• MuApache's kumisikidza faira, gadzirisa iyo webhusaiti webhusaiti uye wedzera anotevera marongero.
• Iwe unogonawo kuwedzera zvigadziridzo zvakafanana kumudzi wegwaro pawebsite yako mune yako .htaccess file.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Kana iwe uchingoda kutsanangura imwe URL yekudzosera kuHTTPS:

RewriteEngine On
RewriteRule ^message$ https://www.etufo.org/message [R=301,L]

• Kana mumwe munhu akaedza kuwana mashoko , peji inosvetukira ku https, uye mushandisi anogona chete kuwana iyo URL neSSL.

Tangazve Apache kuti .htaccess file iite basa:

service httpd restart

Kuchenjerera

• Ndokumbirawo shandura email kero iri pamusoro kuita email kero yako.
• Ndokumbira urangarire kushandura zita rewebhusaiti repamusoro kune yako webhusaiti domain zita.

Redirect rule dambudziko renzvimbo

Pasi pemitemo yepseudo-static, kana uchiisa redirection kusvetuka mitemo, iwe unowanzo sangana http haigone kutungamira kune https Dambudziko.

Pakutanga takakopa redirect code mu .htaccess uye ichaonekwa munyaya dzinotevera ▼

• [L] inoratidza kuti mutemo wezvino ndiwo mutemo wekupedzisira, rega kuongorora mitemo inotevera yekunyorazve.
• Saka kana uchiwana iyo yakadzoserwa chinyorwa peji, [L] inomisa unotevera mutemo, saka mutemo wekudzosera haushande.

Pakushanya iyo http peji remba, isu tinoda kukonzeresa URL redirection, svetuka iyo pseudo-static mutemo wekuita redirection kusvetuka mutemo, kuti ugone kuwanikwa.Site-wide http redirect to https .

Usaise https redirect mitemo mukati [L] Pasi pemitemo, isa [L] pamusoro pemitemo ▼

Yakawedzerwa kuverenga:

• Ndeupi musiyano pakati pe http vs https? Tsananguro yakadzama yeSSL encryption process
• Chii chandinofanira kuita kana ndikawana kukanganisa 500 mushure mekuisa iyo Let's Encrypt SSL chitupa muCWP control panel?
• Svetukira otomatiki kune yechipiri-chikamu chezita rezita pasina iyo www yepamusoro-level zita rezita: iyo mudzi domain zita 301 redirects www.