Let's Encrypt is currently in Limited Beta; I applied for the test a few days ago and access was granted quickly.
Notes:
- If you are not familiar with Let's Encrypt, see this post: Let's Encrypt will provide free SSL (HTTPS) certificates for the whole Web
- I ran into a few small problems during installation, so I'm recording the process here; from now on it has to be run at least once every three months.
- The bundled script automatically detects the operating system, Apache, Nginx and so on.
Installing a Let's Encrypt SSL certificate
Let's Encrypt issues free SSL certificates. Each certificate has a fairly short lifetime of only three months, but since the installation process is easy, that is not much of a problem.
Let's Encrypt installation steps
- git clone https://github.com/letsencrypt/letsencrypt
- cd letsencrypt
- ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth
- ./letsencrypt-auto # with the new version, this single command is all that is needed (2015/12/8)
- Note: the above are the default installation steps from the official docs. Because extra packages have to be installed and the certificates are written to /etc/letsencrypt, sudo privileges are required.
Note: the new version has moved to https://github.com/certbot/certbot
A few points in the above steps that can cause failure:
- When the prompt asks: Please enter in your domain name(s) (comma and/or space separated)
- Enter the domain here. It only accepts the exact domain that was approved in the beta invitation email; adding any other label in front of it fails.
- Although the prompt says several domains can be entered at once, entering the four domains from the email together failed every time; entering them one at a time works.
- Note: the new version reads the domains under /etc/apache2/sites-available and configures them for you automatically (2015/12/8)
- During installation the client starts its own built-in web server to receive the validation request, so it fails if port 80 is already in use.
- When running the ./letsencrypt-auto ... command, stop Apache first and start it again once the installation is done. The new version does not need the web server stopped (2015/12/8)
- For a domain and the same domain with a www prefix, you only need to register the bare domain; www works with it by default.
When the above finishes, the following message appears:
```
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/longwin.com.tw/fullchain.pem. Your cert will expire on
   2016-02-02. To obtain a new version of the certificate in the future, simply
   run Let's Encrypt again.
```
- By default the key and certificates are generated in: /etc/letsencrypt/live/longwin.com.tw/
- The actual files are stored in /etc/letsencrypt/archive/$DOMAIN and symlinked (ln) into /etc/letsencrypt/live/$DOMAIN
The generated files are:
- privkey.pem: Private key for the certificate. This is what Apache needs for SSLCertificateKeyFile, and nginx for ssl_certificate_key.
- cert.pem: Server certificate only. This is what Apache needs for SSLCertificateFile.
- chain.pem: All certificates that need to be served by the browser excluding server certificate, i.e. root and intermediate certificates only. This is what Apache needs for SSLCertificateChainFile.
- fullchain.pem: All certificates, including server certificate. This is concatenation of chain.pem and cert.pem. This is what nginx needs for ssl_certificate.
Steps to configure Let's Encrypt SSL in Apache2
- vim /etc/apache2/sites-enabled/xxx.conf
```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # ....
    # Let's encrypt
    SSLCertificateFile      /etc/letsencrypt/live/longwin.com.tw/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/longwin.com.tw/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/longwin.com.tw/chain.pem
    SSLCACertificateFile    /etc/letsencrypt/live/longwin.com.tw/fullchain.pem
    # ....
</VirtualHost>
</IfModule>
```
- sudo service apache2 restart
- For the full contents of the config file above, see the following posts:
Crontab setup to renew the SSL key automatically every three months
- sudo service apache2 stop
- cd letsencrypt
- ./letsencrypt-auto certonly -t -d longwin.com.tw -m user@gmail.com --renew-by-default --agree-tos --agree-dev-preview
- sudo service apache2 start
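As an added example that is not part of this post, here is a wrapper for the crontab steps above: it checks the remaining validity with openssl and only stops Apache and runs the renewal when fewer than 30 days are left, so the site is not taken down on every cron run. The clone directory $HOME/letsencrypt, the 30-day threshold and the `run` argument are assumptions.

```shell
#!/bin/sh
# Renewal wrapper for the crontab step above (added example, not this post's
# script). Assumes the legacy client layout used in the post: letsencrypt-auto
# in a cloned repo (location assumed below) and standalone validation on port
# 80, so Apache is stopped only while the renewal itself runs.
set -eu

DOMAIN="longwin.com.tw"                    # domain from the post
EMAIL="user@gmail.com"                     # placeholder address, as in the post
LE_DIR="${HOME:-/root}/letsencrypt"        # assumed clone location
CERT="/etc/letsencrypt/live/$DOMAIN/cert.pem"
RENEW_BEFORE_DAYS=30                       # assumed threshold (cert lives 90 days)

# Seconds until the certificate in $1 expires (negative once expired).
# Parses openssl's notAfter line; date -d is GNU date (Debian/Ubuntu).
seconds_to_expiry() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -d "$end" +%s)
    echo $(( end_epoch - $(date +%s) ))
}

# Pure policy check, testable without a certificate: true (0) when fewer
# than $2 days of validity remain in the $1 seconds given.
needs_renewal() {
    [ "$1" -lt $(( $2 * 86400 )) ]
}

renew() {
    service apache2 stop
    # Start Apache again on exit even if the client fails, so a failed
    # renewal does not leave the site down until the next cron run.
    trap 'service apache2 start' EXIT
    cd "$LE_DIR"
    ./letsencrypt-auto certonly -t -d "$DOMAIN" -m "$EMAIL" \
        --renew-by-default --agree-tos --agree-dev-preview
}

main() {
    if [ ! -f "$CERT" ] || needs_renewal "$(seconds_to_expiry "$CERT")" "$RENEW_BEFORE_DAYS"; then
        renew
    else
        echo "$DOMAIN: certificate still valid, nothing to do"
    fi
}

# Run only when invoked as "renew.sh run" (e.g. daily from root's crontab).
case "${1:-}" in run) main ;; esac
```

Schedule it daily from root's crontab; the wrapper itself decides whether a renewal is actually due.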
Apache2 automatic redirect from http to https
One-line VirtualHost setting without rewrite
```apache
<VirtualHost *:80>
    # ....
    Redirect permanent / https://longwin.com.tw/
</VirtualHost>
```
One-line VirtualHost setting using rewrite (maps every URL across automatically)
```apache
<VirtualHost *:80>
    # ....
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
```
or
```apache
<VirtualHost *:80>
    # ....
    RewriteEngine On
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
```
Once HTTPS is set up, the site can be seen at:
Related pages
- Let's encrypt automation on Debian - very useful
- Lets encrypt plugin for S3/CloudFront
- Let's Encrypt client and ACME library written in Go
- letsencrypt/acme client implemented as a shell-script
- How To Secure Nginx with Let's Encrypt on Ubuntu 16.04