Adding HTTPS to Apache

The company's web server runs Apache, so this is a record of the setup.

Download

cd ~
git clone https://github.com/diafygi/acme-tiny.git 

Just generate everything directly; there is not much point in studying the process.

cd acme-tiny
openssl genrsa 4096 > account.key
openssl genrsa 4096 > domain.key
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:xxxxxx.com,DNS:www.xxxxxx.com")) > domain.csr
mkdir -p /var/www/challenges/

Add to the configuration file

Alias /.well-known/acme-challenge/ /var/www/challenges/
   <Directory /var/www/challenges/>
      AllowOverride None
      Require all granted
      Satisfy Any
   </Directory>

Continue copying and running

service apache2 restart
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > lets-encrypt-x3-cross-signed.pem
a2enmod headers
service apache2 restart

Run monthly

vim renew_cert.sh

Script contents

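#!/bin/sh
# cron starts in the user's home directory, so change to the acme-tiny checkout first
cd /home/www/acme-tiny || exit 1
# write to a temporary file so a failed run does not truncate the live certificate
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt.tmp || exit 1
mv ./signed.crt.tmp ./signed.crt
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > lets-encrypt-x3-cross-signed.pem
service apache2 reload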

chmod +x renew_cert.sh
crontab -e

0 0 1 * * /home/www/acme-tiny/renew_cert.sh 2>> /var/log/acme_tiny.log

Apache virtual host configuration

<VirtualHost *:80>
   ServerName www.yoursite.com
   ServerAlias yoursite.com

   Alias /.well-known/acme-challenge/ /var/www/challenges/
   <Directory /var/www/challenges/>
      AllowOverride None
      Require all granted
      Satisfy Any
   </Directory>

   # rest of your config for this server
   # DocumentRoot, ErrorLog, CustomLog...
</VirtualHost>

<VirtualHost *:443>
   ServerName www.yoursite.com
   ServerAlias yoursite.com

   SSLEngine On
   SSLCertificateFile "/home/www/acme-tiny/signed.crt"
   SSLCertificateKeyFile "/home/www/acme-tiny/domain.key"
   # CA certificate from https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
   SSLCertificateChainFile "/home/www/acme-tiny/lets-encrypt-x3-cross-signed.pem"

   # SSL config according to https://bettercrypto.org/static/applied-crypto-hardening.pdf
   SSLProtocol All -SSLv2 -SSLv3
   SSLHonorCipherOrder On
   SSLCompression Off
   Header always add Strict-Transport-Security "max-age=15768000"
   SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
   BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
   BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

   # rest of your SSL/TLS config
   # DocumentRoot, ErrorLog, CustomLog...
</VirtualHost>
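
As an added example (not part of the original post or of acme-tiny): the HTTP-01 challenge only succeeds when the Alias target, the <Directory> block and the --acme-dir argument all name the same directory, so this Python check compares the three. The function names and the sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs that mirror the directives used on this page.
GOOD_CONF = """
<VirtualHost *:80>
   ServerAlias yoursite.com
   Alias /.well-known/acme-challenge/ /var/www/challenges/
   <Directory /var/www/challenges/>
      Require all granted
   </Directory>
</VirtualHost>
"""
# Same config with a misspelled Alias target (constructed failure case).
BAD_CONF = GOOD_CONF.replace("acme-challenge/ /var/www/challenges/",
                             "acme-challenge/ /var/www/challenge/")
RENEW_SCRIPT = ("python acme_tiny.py --account-key ./account.key "
                "--csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt")

ALIAS_RE = re.compile(r'^\s*Alias\s+/\.well-known/acme-challenge/?\s+"?([^"\s]+)', re.M)
DIR_RE = re.compile(r'^\s*<Directory\s+"?([^">\s]+)', re.M)
ACME_DIR_RE = re.compile(r'--acme-dir[ =]+(\S+)')


def norm(path):
    """Drop the trailing slash so /a/b/ and /a/b compare equal."""
    return path.rstrip("/") or "/"


def check_challenge_paths(apache_conf, renew_script):
    """Return a list of problems; an empty list means all paths agree."""
    problems = []
    aliases = [norm(p) for p in ALIAS_RE.findall(apache_conf)]
    directories = {norm(p) for p in DIR_RE.findall(apache_conf)}
    acme_dirs = {norm(p) for p in ACME_DIR_RE.findall(renew_script)}
    if not aliases:
        problems.append("no Alias for /.well-known/acme-challenge/")
    if not acme_dirs:
        problems.append("no --acme-dir in renewal command")
    for target in aliases:
        if target not in directories:
            problems.append(f"Alias target {target} has no <Directory> block")
        for acme_dir in sorted(acme_dirs - {target}):
            problems.append(f"Alias target {target} != --acme-dir {acme_dir}")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_challenge_paths(conf, RENEW_SCRIPT) or "OK")
```

Running it against the real site configuration and renew_cert.sh before the monthly cron job fires catches a path mismatch that would otherwise only show up as a failed renewal.
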
This work is licensed under the CC license; reposts must credit the author and link to this article.