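Using Let's Encrypt Certificates
Configure an Apache server to serve HTTPS (SSL). Requirement: administrative access to the VPS.
Create the virtual hosts
Create a virtual host on port 80 for each domain, and make sure each one is reachable over HTTP.
Install certbot, the automated certificate setup tool
The backports repository must be configured first; see Debian Backports ›› Instructions.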
sudo apt-get install python-certbot-apache -t stretch-backports
Issue certificates for each domain
sudo certbot certonly --webroot \
-w /var/www/html/www/ -d domain.com -d www.domain.com \
-w /var/www/html/api/ -d api.domain.com
The -w parameter is followed by the web root directory, and -d is followed by the domain name.
Output on success
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for www.domain.com
http-01 challenge for api.domain.com
Using the webroot path /var/www/html/webdata/test for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2018-03-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Public key (certificate chain): /etc/letsencrypt/live/domain.com/fullchain.pem
Private key: /etc/letsencrypt/live/domain.com/privkey.pem
Create the SSL virtual hosts and redirect HTTP to HTTPS
The alias module must be enabled.
# domain.com over HTTP: redirect to HTTPS
<VirtualHost *:80>
    ServerName domain.com
    RedirectMatch 301 ^(.*)$ https://domain.com$1
</VirtualHost>
# domain.com over HTTPS: redirect to the www host without leaving HTTPS
<VirtualHost *:443>
    ServerName domain.com
    RedirectMatch 301 ^(.*)$ https://www.domain.com$1
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
</VirtualHost>
# www.domain.com over HTTP: redirect to HTTPS
<VirtualHost *:80>
    ServerName www.domain.com
    RedirectMatch 301 ^(.*)$ https://www.domain.com$1
</VirtualHost>
# www.domain.com over HTTPS: serves the site
<VirtualHost *:443>
    DocumentRoot /var/www/html/www
    ServerName www.domain.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
</VirtualHost>
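The following audit is an added example, not part of the original post: it parses VirtualHost blocks like the ones above and reports any port-443 host that redirects back to an http:// URL, any port-80 host that does not redirect to https://, and any port-443 host missing its certificate directives. The sample configuration (including the api.domain.com host) is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample in the style of the vhosts above: one HTTPS-to-HTTP
# redirect and one HTTP-only host, so the audit has something to report.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName domain.com
    RedirectMatch 301 ^(.*)$ https://domain.com$1
</VirtualHost>
<VirtualHost *:443>
    ServerName domain.com
    RedirectMatch 301 ^(.*)$ http://www.domain.com$1
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
</VirtualHost>
<VirtualHost *:80>
    ServerName api.domain.com
    DocumentRoot /var/www/html/api
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*?:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)


def directive(body, name):
    """Return the arguments of the first `name` directive in a vhost body, or None."""
    m = re.search(r"^\s*%s\s+(.+?)\s*$" % re.escape(name), body, re.M | re.I)
    return m.group(1).split() if m else None


def audit_vhosts(conf):
    """Return (port, server_name, problem) tuples for risky redirect/TLS settings."""
    findings = []
    for port, body in VHOST_RE.findall(conf):
        name = (directive(body, "ServerName") or ["<unnamed>"])[0]
        redirect = directive(body, "RedirectMatch") or directive(body, "Redirect")
        target = redirect[-1].lower() if redirect else ""
        if port == "80" and not target.startswith("https://"):
            findings.append((port, name, "no redirect to https://"))
        if port == "443":
            if target.startswith("http://"):
                findings.append((port, name, "redirect downgrades to " + target))
            for needed in ("SSLCertificateFile", "SSLCertificateKeyFile"):
                if directive(body, needed) is None:
                    findings.append((port, name, "missing " + needed))
    return findings

if __name__ == "__main__":
    print(*audit_vhosts(SAMPLE_CONF), sep="\n")
```

To check a real file, pass its contents to audit_vhosts() instead of SAMPLE_CONF; an empty result means none of the three conditions was found.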
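Other ACME clients
Certbot is the ACME client officially recommended by Let's Encrypt; used as described above, it proves ownership of the domain through HTTP validation. However, I have found a more powerful and easier-to-use community-maintained ACME client, acme.sh. It uses APIs and supports automatic DNS validation. The acme.sh documentation is already very detailed; see the acme.sh documentation.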