How to apply for Let's Encrypt

How do you apply for Let's Encrypt?

Let's Encrypt SSL Certificate Principle & Installation Tutorial

What is SSL? Chen Weiliang covered this in the previous article "What is the difference between http vs https? A complete explanation of the SSL encryption process".

Apart from e-commerce websites, which must purchase an advanced encrypted SSL certificate, people who use a website for WeChat public account promotion or new media work and want to install an SSL certificate can install a free encrypted SSL certificate. It helps SEO and can improve the ranking of the site's keywords in search engines.

How to apply for Let's Encrypt

Let's Encrypt itself provides a set of tools (https://certbot.eff.org/); Linux users can follow this tutorial while referring to it.

First download the certbot-auto tool, then run it to install the tool's dependencies.

# Download with TLS certificate verification left on; this script later runs with root privileges
wget https://dl.eff.org/certbot-auto
chmod +x ./certbot-auto
./certbot-auto -n

Generate the SSL certificate

Next, the domain name of Chen Weiliang's blog is used as an example; please change it to suit your own needs. Run the following commands over SSH.

Be sure to change the following in the command:

  1. E-mail address
  2. Server path
  3. Website domain name

Single domain, single directory; generate a certificate:

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com

Multiple domains, single directory; generate a certificate: (that is, several domain names, one directory, sharing one certificate)

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com

The generated SSL certificate is saved in the /etc/letsencrypt/live/www.chenweiliang.com/ directory.

Multiple domains and multiple directories; generate a certificate: (that is, several domain names, several directories, sharing one certificate)

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com -w /home/eloha/public_html/site/etufo.org -d www.etufo.org -d img.etufo.org
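
How the -w and -d options in the command above pair up, as an added shell example that is not from the original article: certbot applies each -d to the most recent -w, and the HTTP-01 challenge file for that domain has to be served from .well-known/acme-challenge/ under that directory. The function name webroot_map is hypothetical.

```sh
#!/bin/sh
# Added example: walk a certbot argument list the way -w/-d pairing works
# (each -d uses the most recent -w) and print the directory from which each
# domain's HTTP-01 challenge file must be reachable.

# Prints "domain<TAB>challenge-directory" per -d; returns 1 if a -d has no -w.
webroot_map() {
  webroot=""
  while [ $# -gt 0 ]; do
    case "$1" in
      -w|--webroot-path)
        [ $# -ge 2 ] || return 1
        webroot=$2; shift ;;
      -d|--domain)
        if [ $# -lt 2 ] || [ -z "$webroot" ]; then
          echo "-d without a preceding -w" >&2; return 1
        fi
        printf '%s\t%s/.well-known/acme-challenge/\n' "$2" "$webroot"
        shift ;;
    esac
    shift
  done
}

# The multi-directory command from the article, minus the e-mail option.
webroot_map certonly --agree-tos --no-eff-email --webroot \
  -w /home/admin/web/chenweiliang.com/public_html \
  -d www.chenweiliang.com -d img.chenweiliang.com \
  -w /home/eloha/public_html/site/etufo.org \
  -d www.etufo.org -d img.etufo.org
```

If a domain is listed against the wrong directory, the CA's request for the challenge file returns 404 and validation of that name fails.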

After the Let's Encrypt certificate has been installed successfully, the following message appears in SSH:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
   Your cert will expire on 2018-02-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

SSL certificate renewal

Renewing the certificate is also very simple: use crontab to renew it automatically. Some Debian systems do not have crontab installed; you can install it manually first.

apt-get install cron

The following are the entries to add to the /etc/crontab file for nginx and apache respectively. They run the renewal every 10 days, which is enough for the 90-day validity period. Each entry in /etc/crontab names the user to run as (root here) before the command.

Nginx crontab, please add:

0 3 */10 * * root /root/certbot-auto renew --renew-hook "/etc/init.d/nginx reload"

Apache crontab file, please add:

0 3 */10 * * root /root/certbot-auto renew --renew-hook "service httpd restart"

SSL certificate Apache configuration

Now we need to make changes to the Apache configuration.

Tips:

  • If you use the CWP control panel, ticking automatic SSL certificate generation when adding a domain name configures the SSL certificate for Apache automatically.
  • If you carry out some of the following steps anyway, an error may occur after Apache is restarted.
  • If there is an error, delete the configuration you added by hand.

Edit the httpd.conf file ▼

/usr/local/apache/conf/httpd.conf

Find ▼

Listen 443
  • (remove the leading comment sign #)

or add the listening port 443 ▼

Listen 443

Check Apache's listening port over SSH ▼

grep ^Listen /usr/local/apache/conf/httpd.conf

Find ▼

mod_ssl
  • (remove the leading comment sign #)

or add ▼

LoadModule ssl_module modules/mod_ssl.so

Find ▼

httpd-ssl
  • (remove the leading comment sign #)

Then run the following command over SSH (be sure to change the path to your own):

cat >/usr/local/apache/conf/extra/httpd-ssl.conf<<EOF
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/usr/local/apache/logs/ssl_mutex"
EOF

Next, go to the end of the Apache configuration for the website you created.

Add the configuration for the SSL section (be sure to remove the comments and to change the paths to your own):

<VirtualHost *:443>
# Website directory
DocumentRoot /home/admin/web/chenweiliang.com/public_html
# Domain name
ServerName www.chenweiliang.com:443
# E-mail address
ServerAdmin [email protected]
# Error log
ErrorLog "/var/log/www.chenweiliang.com-error_log"
# Access log
CustomLog "/var/log/www.chenweiliang.com-access_log" common
SSLEngine on
# Certificate generated earlier
SSLCertificateFile /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
# Private key generated earlier
SSLCertificateKeyFile /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
# Website directory
<Directory "/home/admin/web/chenweiliang.com/public_html">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
# User and group (some server configurations need this line and some do not; delete it if it causes an error)
suPHP_UserGroup eloha eloha
Order allow,deny
Allow from all
DirectoryIndex index.html index.phps
</Directory>
</VirtualHost>

Finally, restart Apache:

service httpd restart

Apache: force HTTP to redirect to HTTPS

  • Many web applications can only run over SSL.
  • We need to make sure that whenever we use SSL, the website is always accessed over SSL.
  • If any user tries to reach the website through a non-SSL URL, they must be redirected to the SSL website.
  • Redirect to the SSL URL using the Apache mod_rewrite module.
  • If you use a one-click LAMP installation package that installs the SSL certificate automatically and forces the redirect to HTTPS, the redirect to HTTPS is already in effect and you do not need to add the HTTPS redirect yourself.

Add the redirect rule

  • In the Apache configuration file, edit the website's virtual host and add the following settings.
  • You can also add the same settings to the .htaccess file in the document root of your website.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If you only want to redirect one particular URL to HTTPS:

RewriteEngine On
RewriteRule ^message$ https://www.etufo.org/message [R=301,L]

  • If someone tries to access message, the page jumps to https, and the user can only reach that URL over SSL.

Restart Apache so that the .htaccess file takes effect:

service httpd restart

Notes

  • Please change the e-mail address above to your own e-mail address.
  • Please remember to change the website domain name above to your own domain name.

Solving the redirect rule placement problem

Under pseudo-static rules, when you place the redirect rules you will often run into the problem that http cannot be redirected to https.

At first we copied the redirect code into .htaccess, and it ended up in the following situation ▼

(Image 2: redirect rule position, [L] above)

  • [L] indicates that the current rule is the last rule; processing of the rewrite rules that follow stops.
  • So when you visit an article page that has been rewritten, [L] stops the rules that follow, and the redirect rule does not take effect.

When visiting the http home page we want the URL redirect to be triggered, so the redirect rule has to be executed ahead of the pseudo-static rules; that achieves the site-wide redirect from http to https.

Do not put the https redirect rules below the [L] rules; put them above the [L] rules ▼

(Image 3: pseudo-static SSL redirect rules, [L] below)
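
The two placements described above, as an added shell example that is not from the original article: it writes a constructed .htaccess with the HTTPS redirect below the pseudo-static [L] rules and one with it above them, and checks which order a file uses. The function name redirect_order_ok and the sample front-controller rules are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: report whether the HTTPS redirect in an .htaccess file sits
# below a rule flagged [L]. Both sample files are constructed for illustration.

# 0 = redirect comes first, 1 = an [L] rule precedes it, 2 = no redirect found
redirect_order_ok() {
  https=$(grep -n '^[[:space:]]*RewriteCond[[:space:]][[:space:]]*%{HTTPS}' "$1" |
          head -n 1 | cut -d: -f1)
  [ -n "$https" ] || return 2
  # First RewriteRule whose flag list contains L, e.g. [L], [QSA,L], [L,R=301]
  first_l=$(grep -n -E '^[[:space:]]*RewriteRule.*\[([^],]*,)*L(,[^]]*)?][[:space:]]*$' "$1" |
            head -n 1 | cut -d: -f1)
  [ -z "$first_l" ] || [ "$https" -lt "$first_l" ] || return 1
  return 0
}

SAMPLES=$(mktemp -d)

# Constructed sample: pseudo-static rules first, HTTPS redirect last.
cat > "$SAMPLES/bad.htaccess" <<'EOF'
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF

# Constructed sample: same rules, HTTPS redirect moved above the [L] rules.
cat > "$SAMPLES/good.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
EOF

for f in "$SAMPLES/bad.htaccess" "$SAMPLES/good.htaccess"; do
  if redirect_order_ok "$f"; then echo "$f: redirect runs first"
  else echo "$f: redirect is below an [L] rule or missing"; fi
done
```

In the first file a request for an article URL is rewritten to /index.php and stopped by [L] before the HTTPS condition is ever evaluated, so it keeps being served over plain HTTP.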


We hope that "How do you apply for Let's Encrypt? Let's Encrypt SSL Free Certificate Principle & Installation Tutorial", shared by Chen Weiliang Blog ( https://www.chenweiliang.com/ ), is helpful to you.

You are welcome to share the link to this article: https://www.chenweiliang.com/cwl-512.html
