Securing Apache with a Let's Encrypt certificate on CentOS 8
How do I secure Apache with a Let's Encrypt certificate on CentOS 8? Let's Encrypt is a free, automated and open certificate authority that issues certificates for websites served by the Apache web server. This tutorial explains how to install a free SSL certificate from Let's Encrypt for the Apache web server.
Let's Encrypt is a free, automated and open certificate authority for web servers and other uses.
How to secure Apache with a Let's Encrypt certificate on CentOS 8
The procedure to obtain an SSL certificate is as follows:
- Install the SSL/TLS module for the Apache HTTP server on CentOS 8:
sudo yum install mod_ssl
- Get the acme.sh software by running:
git clone https://github.com/Neilpang/acme.sh.git
- Create a new /.well-known/acme-challenge/ directory with the following command:
mkdir -p /var/www/html/.well-known/acme-challenge/
- Obtain an SSL certificate for your domain:
acme.sh --issue -w /DocumentRootPath/ -d your-domain
- Configure TLS/SSL for Apache on CentOS Linux 8:
vi /etc/httpd/conf.d/ssl.conf
- Set up a cron job to renew the SSL/TLS certificate automatically
- Open port 443 (HTTPS) in the firewall:
sudo firewall-cmd --add-service=https
Our sample setup is as follows
Let us see how to install the acme.sh client and use it on CentOS 8 to obtain an SSL certificate from Let's Encrypt. Before you begin, apply all pending patches on CentOS 8:
sudo yum update
Step 1: Install mod_ssl for Apache
Type the following yum command:
$ sudo yum install mod_ssl
Step 2: Install acme.sh, the Let's Encrypt client
You need wget, curl, bc, socat and the git client installed on CentOS 8 in order to run acme.sh.
$ sudo yum install wget curl bc git socat
Clone the repository
Run the following commands:
$ cd /tmp/
$ git clone https://github.com/Neilpang/acme.sh.git
Next, install the acme.sh client onto the system by running (sudo -i switches to root's home directory, so change back into the cloned tree by its full path):
$ cd acme.sh/
$ sudo -i
# cd /tmp/acme.sh/
# ./acme.sh --install
The acme.sh client is now installed on the CentOS 8 server. You must close the current terminal or ssh session and reopen it for the alias to take effect, or source root's ~/.bashrc from the root shell (source is a shell builtin, so it cannot be run through sudo):
# source ~/.bashrc
To verify that acme.sh is working, run:
# acme.sh --version
Sample output:
https://github.com/Neilpang/acme.sh v2.8.3
Step 3: Create the acme-challenge directory
Type the following mkdir command. Make sure to set ${D} to the actual DocumentRoot path of your Apache site:
# D=/var/www/html/
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R apache:apache ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/
Also create a directory to store the SSL certificate:
# mkdir -p /etc/httpd/ssl/theitroad.local/
Step 4: Create the dhparams.pem file
Run the openssl command:
# cd /etc/httpd/ssl/theitroad.local/
# openssl dhparam -out dhparams.pem -dsaparam 4096
Start the Apache service if it is not running
Is Apache running? If the Apache service is not started, use the systemctl command as follows:
$ sudo systemctl status httpd.service
$ sudo systemctl enable httpd.service
$ sudo systemctl start httpd.service
$ sudo systemctl status httpd.service
Make sure TCP port 80 is also open in the firewall
Run the following firewall-cmd commands to open TCP port 80 on CentOS 8:
$ sudo firewall-cmd --permanent --add-service=http --zone=public
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-services --zone=public
Step 5: Request an SSL/TLS certificate for your domain
Issue a certificate for your domain. The syntax is:
# acme.sh --issue -w /path/to/www/htmlRoot/ -d your-domain-example-com -k 2048
For example:
# acme.sh --issue -w /path/to/www/htmlRoot/ -d www.theitroad.local -k 4096
# acme.sh --issue -w /var/www/html/ -d centos8.theitroad.local -k 4096
Step 6: Configure Apache to use SSL/TLS
Edit the file named /etc/httpd/conf.d/ssl.conf with a text editor such as vi:
$ sudo vi /etc/httpd/conf.d/ssl.conf
Modify it as follows:
### Start config for port 443 #
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLCryptoDevice builtin
### Turn on HTTP2 support #
Protocols h2 http/1.1
### Redirect all http urls to https #
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L,QSA]
#################################################
# SSL/TLS config for domain centos8.theitroad.local #
#################################################
<VirtualHost centos8.theitroad.local:443>
    ### Log files #
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    ### No more SSL3/2 #
    SSLProtocol all -SSLv3
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ### Path to certs #
    SSLCertificateFile /etc/httpd/ssl/theitroad.local/centos8.theitroad.local.cer
    SSLCertificateKeyFile /etc/httpd/ssl/theitroad.local/centos8.theitroad.local.key
    # Forward Secrecy & Diffie Hellman ephemeral parameters
    SSLOpenSSLConfCmd DHParameters "/etc/httpd/ssl/theitroad.local/dhparams.pem"
    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
### OCSP stapling config
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Save and close the file, then exit the editor.
A note about more secure SSL options
Update the configuration above as follows to disable SSLv3 and TLS 1.0/1.1. The following is the recommended general-purpose Apache server configuration:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder off
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
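As an added example (not part of this tutorial or of acme.sh), the following POSIX shell script lints an ssl.conf for the settings discussed in step 6 and in the note above: protocol versions left enabled, cipher suites without forward secrecy or using 3DES, the HSTS header and OCSP stapling. It writes two constructed sample files under /tmp (one with the step 6 vhost settings, one with the hardened settings, cipher lists shortened) and reports findings for each.

```shell
# Added example, not from the tutorial or acme.sh: lint an Apache ssl.conf against
# the hardening points above; prints one line per finding and returns 1 if any were found.
# Value of the first (case-insensitive) occurrence of directive $2 in file $1.
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}
# True if the SSLProtocol value $1 leaves protocol $2 enabled (both lower-case).
proto_enabled() {
    case " $1 " in
        *" -$2 "*) return 1 ;;                     # explicitly removed
        *" all "*|*" $2 "*|*" +$2 "*) return 0 ;;  # enabled by "all" or by name
        *) return 1 ;;
    esac
}
check_ssl_conf() {
    conf=$1; rc=0
    proto=$(directive "$conf" SSLProtocol | tr 'A-Z' 'a-z')
    [ -n "$proto" ] || proto=all                   # Apache's default when unset
    for old in sslv3 tlsv1 tlsv1.1; do
        proto_enabled "$proto" "$old" && { echo "$conf: SSLProtocol leaves $old enabled"; rc=1; }
    done
    # Walk the colon-separated cipher list: only exclusions (!...), ECDHE/DHE and
    # TLS 1.3 suites give forward secrecy; 3DES, RC4 and MD5 suites are weak.
    old_ifs=$IFS; IFS=:
    for c in $(directive "$conf" SSLCipherSuite); do
        case $c in "!"*|ECDHE-*|DHE-*|TLS_*) ;; *) echo "$conf: cipher $c has no forward secrecy"; rc=1 ;; esac
        case $c in *DES-CBC3*|*RC4*|*MD5*) echo "$conf: weak cipher $c"; rc=1 ;; esac
    done; IFS=$old_ifs
    grep -qi 'Strict-Transport-Security' "$conf" || { echo "$conf: no HSTS header"; rc=1; }
    [ "$(directive "$conf" SSLUseStapling | tr 'A-Z' 'a-z')" = on ] || { echo "$conf: OCSP stapling is off"; rc=1; }
    return $rc
}
# Constructed samples: the step 6 vhost settings, then the hardened set from the
# note above (cipher lists shortened).
cat > /tmp/ssl-weak.conf <<'EOF'
<VirtualHost centos8.theitroad.local:443>
    SSLProtocol all -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:!DSS
</VirtualHost>
EOF
cat > /tmp/ssl-hard.conf <<'EOF'
<VirtualHost centos8.theitroad.local:443>
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
SSLUseStapling on
EOF
check_ssl_conf /tmp/ssl-weak.conf || echo "weak config: see findings above"
check_ssl_conf /tmp/ssl-hard.conf && echo "hardened config: clean"
```

Run it against the real /etc/httpd/conf.d/ssl.conf after editing; a non-zero exit means at least one of the hardening points above is still missing.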
Step 7: Install the certificate
Type the following command:
# acme.sh --installcert -d centos8.theitroad.local \
  --keypath /etc/httpd/ssl/theitroad.local/centos8.theitroad.local.key \
  --fullchainpath /etc/httpd/ssl/theitroad.local/centos8.theitroad.local.cer \
  --reloadcmd 'systemctl reload httpd'
Step 8: Configure the firewall on CentOS Linux 8 to open HTTPS TCP port 443
Apache is now up and running with mod_ssl. Open TCP port 443 (HTTPS) on the CentOS 8 server so that clients can connect to it:
$ sudo firewall-cmd --permanent --add-service=https --zone=public
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-services --zone=public
Verify that ports 443 and 80 are open with the help of the ss command together with the grep/egrep command:
$ sudo ss -tulpn
$ sudo ss -tulpn | egrep ':(80|443)'
Sample output:
tcp LISTEN 0 128 *:443 *:* users:(("httpd",pid=12079,fd=9),("httpd",pid=12078,fd=9),("httpd",pid=12077,fd=9),("httpd",pid=10782,fd=9))
tcp LISTEN 0 128 *:80 *:* users:(("httpd",pid=12079,fd=4),("httpd",pid=12078,fd=4),("httpd",pid=12077,fd=4),("httpd",pid=10782,fd=4))
Step 9: Test it
Create a test page named index.html:
sudo vi /var/www/html/index.html
with the following content:
<html>
<head>
<title>CentOS8 Apache test server</title>
</head>
<body>
<h2>Hello, world!</h2>
</body>
</html>
Save and close the file.
Open our website with a browser:
https://centos8.theitroad.local
Test the site with the SSL Labs test:
https://www.ssllabs.com/ssltest/analyze.html?d=centos8.theitroad.local
Step 10: acme.sh related commands
To list all SSL/TLS certificates, run:
# acme.sh --list
To renew the certificate for the domain centos8.theitroad.local, run:
# acme.sh --renew -d centos8.theitroad.local
Note that a cron job will also try to renew the certificate for you. It is installed by default as follows (you need not take any action). To see the job, run:
# crontab -l
Sample output:
38 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
To upgrade the acme.sh client:
# acme.sh --upgrade
To get help:
# acme.sh --help | more