To strengthen network security, more and more websites are adopting HTTPS. At the same time, driven by commercial interests, the major browser vendors have added SSL certificate validation features that flag certificates not issued by a recognized certificate authority with a warning. The high fees charged for SSL certificates kept many small and medium-sized websites from adopting them, and the arrival of "Let's Encrypt", like a breath of fresh air, brought new life to the unhindered flow of information.
There are several ways to obtain an SSL certificate issued by "Let's Encrypt"; here we only describe how to install the SSL certificate on a Linux server.
1 Install the Certbot client
Installing the SSL certificate requires the Certbot client. If it is not installed yet, it can be installed as follows.
[root@usite ~]# yum -y install epel-release ← install the EPEL repository used by yum
[root@usite ~]# yum -y install snapd ← install snapd
[root@usite ~]# systemctl enable --now snapd.socket ← enable and start snapd.socket
[root@usite ~]# ln -s /var/lib/snapd/snap /snap ← create the link from "/var/lib/snapd/snap" to "/snap"
[root@usite ~]# snap install --classic certbot ← install certbot
[root@usite ~]# ln -s /snap/bin/certbot /usr/bin/certbot ← create the link from "/snap/bin/certbot" to "/usr/bin/certbot"
2 Install mod_ssl
When using an SSL certificate on an Apache server, the "mod_ssl" module, which is built on "OpenSSL", is normally used. If it is not installed yet, it can be installed as follows.
[root@usite ~]# yum -y install mod_ssl ← install the mod_ssl module
3 Install the SSL certificate
[root@usite ~]# certbot certonly --webroot -w USiteDocumentRoot -m UMail@Address -d DomainName --agree-tos ← obtain the SSL certificate
Explanation of the example:
USiteDocumentRoot: /var/www/html/usite/
UMail@Address: your own e-mail address
DomainName: usite.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for usite.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/usite.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/usite.com/privkey.pem
This certificate expires on 2023-05-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 Configure the Apache server
After obtaining the SSL certificate, it must be configured on the Apache server, as follows.
[root@usite ~]# vi /etc/httpd/conf.d/ssl.conf ← edit the SSL configuration file
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/letsencrypt/live/usite.com/cert.pem ← set the server certificate (public key)
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/usite.com/privkey.pem ← set the private key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
SSLCertificateChainFile /etc/letsencrypt/live/usite.com/chain.pem ← set the intermediate certificate
After completing the settings above, the Apache server must be reloaded, as follows.
[root@usite ~]# systemctl reload httpd ← reload the Apache server
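Before reloading httpd it is worth confirming that the certificate and private key written into ssl.conf actually belong together and that the certificate is not about to expire; a mismatched pair or an expired certificate is only noticed once clients start seeing TLS errors. The following pre-flight script is an added example and not code from the original post or from Certbot; it demonstrates the checks with a throwaway self-signed certificate generated into a temporary directory (constructed demo data), and in production you would pass the /etc/letsencrypt/live/usite.com/ paths from the post. The hostname usite.example and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): pre-flight checks to run
# before "systemctl reload httpd", so Apache never loads a mismatched
# certificate/key pair or an already (nearly) expired certificate.
# Certificate and key paths are passed as arguments; in production these are
# the /etc/letsencrypt/live/<domain>/ files shown in the post.
set -eu

# Return 0 when the public key inside the certificate ($1) equals the public
# key derived from the private key ($2). Both openssl commands print the key
# as a SubjectPublicKeyInfo PEM block, so a plain string comparison suffices.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate ($1) remains valid for at least $2 seconds.
# openssl's -checkend exits non-zero if the certificate expires inside that window.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Combined pre-flight: key/certificate match, remaining lifetime, and (only
# when Apache's control binary is present) a syntax check of the httpd config.
# Returns 0 only if every check passes and reports the first failing check.
ssl_preflight() {
    cert=$1; key=$2; min_seconds=$3
    if ! cert_matches_key "$cert" "$key"; then
        echo "FAIL: $key does not belong to $cert" >&2
        return 1
    fi
    if ! cert_valid_for "$cert" "$min_seconds"; then
        echo "FAIL: $cert expires within $min_seconds seconds" >&2
        return 1
    fi
    if command -v apachectl >/dev/null 2>&1 && ! apachectl configtest >/dev/null 2>&1; then
        echo "FAIL: httpd configuration does not pass configtest" >&2
        return 1
    fi
    echo "OK: $cert and $key are consistent; safe to reload httpd"
}

# Constructed demo material: a throwaway self-signed certificate and key
# (valid for $1 days, default 30) generated into a temporary directory as a
# stand-in for the Let's Encrypt files. Prints the directory path.
make_demo_pair() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "${1:-30}" \
        -subj "/CN=usite.example" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone demonstration: a matching pair passes, a foreign key is rejected.
demo_dir=$(make_demo_pair 30)
other_dir=$(make_demo_pair 30)
ssl_preflight "$demo_dir/cert.pem" "$demo_dir/privkey.pem" 86400
ssl_preflight "$demo_dir/cert.pem" "$other_dir/privkey.pem" 86400 || true
rm -rf "$demo_dir" "$other_dir"
```

In production the same ssl_preflight call, followed by systemctl reload httpd, can be wrapped in a script and handed to Certbot's existing --deploy-hook option so that every automatic renewal is checked before Apache picks up the new files. One further caveat: Apache 2.4.8 and later deprecate SSLCertificateChainFile; on those versions SSLCertificateFile can point at fullchain.pem (which Certbot also writes, as the output in section 3 shows) instead of cert.pem plus a separate chain file.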
With the method above, a free "Let's Encrypt" SSL certificate can be obtained and configured. This article drew on the relevant instructions on the site "centossrv.com". For automatic renewal of SSL certificates issued by "Let's Encrypt", refer to this page: https://centossrv.com/apache-certbot.shtml