apache 新增https
公司的web伺服器使用的是apache,做個記錄
下載
# Fetch the ACME client into the home directory; every later step runs from
# this checkout. Read the checked-out acme_tiny.py before handing it the
# account key, and keep it at a revision you have reviewed.
cd "$HOME"
git clone https://github.com/diafygi/acme-tiny.git
直接生成吧,瞭解流程沒啥意思
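# The directory name must match the clone above ("acme-tink" was a typo).
cd acme-tiny
# Both private keys are created mode 0600: the umask applies only inside the
# subshell, so the interactive session keeps its own umask. The user that runs
# the renewal script later must be the owner of account.key (or root).
( umask 077
  openssl genrsa 4096 > account.key
  openssl genrsa 4096 > domain.key )
# CSR with the hostnames in a SAN extension and an empty subject. The <( )
# process substitution needs bash. Replace xxxxxx.com with the real names and
# adjust the openssl.cnf path if the distribution keeps it elsewhere.
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN \
  -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:xxxxxx.com,DNS:www.xxxxxx.com")) \
  > domain.csr
# Directory the HTTP-01 challenge tokens are served from; referenced by the
# Alias in the Apache configuration below.
mkdir -p /var/www/challenges/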
在 Apache 配置檔案中新增以下內容
# Serve ACME HTTP-01 challenge tokens from the directory created above
# (mkdir -p /var/www/challenges/). The Alias target and the <Directory>
# path must be the same directory, otherwise the CA gets a 404 for the token.
Alias /.well-known/acme-challenge/ /var/www/challenges/
<Directory /var/www/challenges/>
# Tokens are plain static files fetched unauthenticated by the CA:
# no .htaccess processing, readable by anyone.
AllowOverride None
Require all granted
# Satisfy is an Apache 2.2 directive; on 2.4 it is only honoured with
# mod_access_compat loaded and is effectively redundant next to
# "Require all granted".
Satisfy Any
</Directory>
繼續複製執行
# Load the challenge Alias added above before the CA tries to fetch tokens.
service apache2 restart
# acme_tiny.py prints the signed certificate on stdout; keep it next to the keys.
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt
# Intermediate certificate Apache serves as the chain (SSLCertificateChainFile
# in the 443 vhost). NOTE(review): it must be the intermediate the CA actually
# signed with; if the chain does not validate, compare it with the issuer of
# signed.crt (openssl x509 -noout -issuer -in signed.crt).
wget -O lets-encrypt-x3-cross-signed.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
# mod_headers is required by the Strict-Transport-Security Header directive
# in the 443 vhost.
a2enmod headers
service apache2 restart
每月自動執行（透過 crontab）
# Create the renewal script inside the acme-tiny checkout; make it executable
# afterwards (chmod +x renew_cert.sh) so cron can run it.
vim renew_cert.sh
指令碼內容
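#!/bin/sh
# Renew the certificate and reload Apache. Runs from cron (see the crontab
# entry below), so it must not rely on the caller's working directory.
# Every failing step aborts before the live files or Apache are touched.
set -eu

# The keys, CSR and acme_tiny.py live next to this script.
cd "$(dirname -- "$0")"

# Scratch files are removed on any exit so a failed run leaves no debris.
trap 'rm -f ./signed.crt.new ./lets-encrypt-x3-cross-signed.pem.new' EXIT

# Issue into a scratch file first: "> ./signed.crt" would truncate the live
# certificate before acme_tiny.py has even run, and a failed renewal would
# leave Apache with an empty certificate on its next restart.
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed.crt.new
mv -f ./signed.crt.new ./signed.crt

# Same pattern for the intermediate. -nv keeps errors but drops the progress
# bar that would otherwise fill the cron log.
# NOTE(review): this must be the intermediate the CA currently signs with;
# verify it against the issuer of signed.crt when rotating.
wget -nv -O ./lets-encrypt-x3-cross-signed.pem.new https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
mv -f ./lets-encrypt-x3-cross-signed.pem.new ./lets-encrypt-x3-cross-signed.pem

service apache2 reload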
# Edit the crontab of the user that should run the renewal (entry below);
# that user needs read access to account.key and write access to signed.crt.
crontab -e
# 00:00 on the 1st of every month. Only stderr is appended to the log file;
# stdout, if any, typically goes to cron's mail. The script must be executable.
0 0 1 * * /home/www/acme-tiny/renew_cert.sh 2>> /var/log/acme_tiny.log
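# Plain-HTTP vhost: only needed so the CA can fetch HTTP-01 challenge tokens.
<VirtualHost *:80>
ServerName www.yoursite.com
ServerAlias yoursite.com
# Alias target and <Directory> path must name the same directory as the
# "mkdir -p /var/www/challenges/" step above ("challengess" was a typo that
# would have made every challenge a 404).
Alias /.well-known/acme-challenge/ /var/www/challenges/
<Directory /var/www/challenges/>
AllowOverride None
Require all granted
Satisfy Any
</Directory>
# rest of your config for this server
# DocumentRoot, ErrorLog, CustomLog...
</VirtualHost>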
<VirtualHost *:443>
ServerName www.yoursite.com
ServerAlias yoursite.com
SSLEngine On
# Certificate written by renew_cert.sh; Apache only re-reads it on reload.
SSLCertificateFile "/home/www/acme-tiny/signed.crt"
# Private key: keep it readable by root only and outside any DocumentRoot.
SSLCertificateKeyFile "/home/www/acme-tiny/domain.key"
# CA certificate from https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
# SSLCertificateChainFile is obsolete since Apache 2.4.8; the intermediate can
# instead be appended to the file given to SSLCertificateFile.
SSLCertificateChainFile "/home/www/acme-tiny/lets-encrypt-x3-cross-signed.pem"
# SSL config according to https://bettercrypto.org/static/applied-crypto-hardening.pdf
# Disables SSLv2/SSLv3 only; TLS 1.0 and 1.1 stay enabled. Append
# "-TLSv1 -TLSv1.1" if legacy clients need not be supported.
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression Off
# Needs mod_headers (a2enmod headers above). 15768000 s is about six months;
# browsers refuse plain HTTP for the site for that long once they see it.
Header always add Strict-Transport-Security "max-age=15768000"
# OpenSSL cipher-string syntax: "+SSLv3" here moves the SSLv3-era cipher
# suites to the end of the list; it does not re-enable the SSLv3 protocol.
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
# Workarounds for old Internet Explorer shutdown bugs, as shipped in the
# stock Apache ssl.conf. "[17-9]" is a character class: it matches MSIE 7-9
# and MSIE 1x.
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
# rest of your SSL/TLS config
# DocumentRoot, ErrorLog, CustomLog...
</VirtualHost>
本作品採用《CC 協議》,轉載必須註明作者和本文連結