Using Let's Encrypt with Apache on Ubuntu 18.04
Overview
In this tutorial we will learn how to use Let's Encrypt with the Apache web server.
Certbot is the current tool provided by Let's Encrypt. Compared with the original method, it is a much simpler solution that automates the process of requesting and installing certificates.
The following instructions apply to standalone Ubuntu 18.04 installations, such as bare metal, virtual machines and Vagrant boxes. They also work on Google Compute instances and AWS EC2 instances.
Installing Certbot
Certbot is designed to be installed on the host that runs the web application. We must have administrative privileges to use this method.
Let's Encrypt maintains an Ubuntu PPA. The following instructions show how to add it to the local package sources and then use it to install Certbot.
Add the Let's Encrypt PPA
sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
Now install the Certbot packages from the PPA
sudo apt install certbot python-certbot-apache
Certificate Installation
To request and install a Let's Encrypt certificate for Apache, Let's Encrypt developed an Apache plugin. The plugin automatically updates the Apache configuration to install the newly issued certificate.
sudo certbot --apache
The first time the command is run, we are prompted for some information.
Enter email address (used for urgent renewal and security notices)
Read and accept the terms of service.
Since this is the first time we have used the command and no configuration has been created for it yet, we are prompted to add the domain names to the certificate. Every name must have a valid A / AAAA record pointing at the host from which we are running the command.
No names were found in your configuration files. Please enter in your domain name(s) (comma and/or space separated):
The output looks like the following.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files.
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): blog.rigpig.ca
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for blog.rigpig.ca
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
We are then prompted to choose whether all HTTP traffic should be redirected to HTTPS. In most cases we want the traffic to be HTTPS, so accepting the redirect is fine. However, we can also choose to configure this manually.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Finally, once Certbot has configured Apache and the certificate request has succeeded, we receive the following output.
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

Congratulations! You have successfully enabled https://blog.rigpig.ca

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=blog.rigpig.ca

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/blog.rigpig.ca/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/blog.rigpig.ca/privkey.pem
   Your cert will expire on 2019-08-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew all of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Automatic Certificate Renewal
Besides requesting certificates for free, certificate renewal can also be automated. This is the default behaviour of a new certbot installation, so no further work is required from us.
When certbot is installed, a cron job is created under /etc/cron.d. The cron job runs automatically every 30 days. An example of the cron job is shown below.
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
Viewing Certificates
To list all installed certificates managed by Certbot, we can use the certbot certificates command. It prints details about each certificate, such as the expiry date and the paths to the certificate files.
sudo certbot certificates
Found the following certs:
  Certificate Name: blog.rigpig.ca
    Domains: blog.rigpig.ca
    Expiry Date: 2019-08-30 11:41:53+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/blog.rigpig.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/blog.rigpig.ca/privkey.pem
CloudFlare DNS Support
The instructions above about registering the domain name for the certificate do not apply to CloudFlare. Certbot expects the domain name to resolve directly to the Apache server's IP address, which is not the case when CloudFlare is the DNS nameserver.
To enable CloudFlare support, install the certbot CloudFlare DNS plugin.
sudo apt install python3-certbot-dns-cloudflare