Configuring a Let's Encrypt SSL certificate on Apache

0. DNS configuration

Point the domain at the server's IP address. For example, I added the following two records.

1. Record type A, host record @, value 144.34.145.10

2. Record type A, host record www, value 144.34.145.10

1. Install Apache, OpenSSL and mod_ssl

$ yum install httpd openssl mod_ssl -y

2. Start the Apache service

$ systemctl start httpd   # start the service
$ systemctl enable httpd  # start on boot

3. Check that Apache is running

$ systemctl status httpd     # "Active: active (running)" means it started successfully
$ systemctl is-active httpd  # prints "active" if the service is running

4. Find the Apache document root

grep -ri DocumentRoot /etc/httpd

The line below that is not commented out with # gives the web (document) root, i.e. /var/www/html

/etc/httpd/conf.d/ssl.conf:#DocumentRoot "/var/www/html"
/etc/httpd/conf/httpd.conf:# DocumentRoot: The directory out of which you will serve your
/etc/httpd/conf/httpd.conf:DocumentRoot "/var/www/html"
/etc/httpd/conf/httpd.conf: # access content that does not live under the DocumentRoot.

5. A test web resource

Create a static index.html file in the web root for testing

echo demo > /var/www/html/index.html

6. Firewall settings

Add permanent service rules for HTTP and HTTPS to the public zone (only needed if the firewall is enabled and does not already allow HTTP and HTTPS traffic or their ports)

# add a permanent HTTP service rule to the public zone
$ firewall-cmd --permanent --zone=public --add-service=http
$ firewall-cmd --reload

# add a permanent HTTPS service rule to the public zone
$ firewall-cmd --permanent --zone=public --add-service=https
$ firewall-cmd --reload

# list the firewall rules
$ firewall-cmd --list-all

The resulting firewall rules are shown in the screenshot below.

[screenshot: output of firewall-cmd --list-all]

7. Test access to the web resource

You can now reach the index.html file created above at http://qcmoke.top/index.html or https://qcmoke.top/index.html. Chrome will, however, warn that https://qcmoke.top/index.html is not secure, because HTTPS is currently served with the self-signed certificate that mod_ssl configured automatically.

As shown here:

[screenshot: Chrome "Not secure" warning for the self-signed certificate]

8. Install the EPEL repository

With CentOS's yum package manager, the certbot package lives in the EPEL repository, so the epel-release package must be installed first.

$ yum install -y epel-release

9. Install the Apache certbot plugin

$ yum install -y certbot-apache  # if this fails to install, remove and reinstall epel-release, then run the certbot-apache installation again

10. Configure the certificate

  • (1) Configure the certificate with certbot
# configure a certificate for Apache; to make it valid for several domains or subdomains, add more -d parameters as shown (the first one should be the main domain)
[root@host ~]# certbot --apache -d qcmoke.top -d www.qcmoke.top
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): qcmoke@gmail.com # the email address is used for key recovery and related notices
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A # agree to the Let's Encrypt terms of service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y # whether to receive the EFF's campaign emails
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for qcmoke.top
http-01 challenge for www.qcmoke.top
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80. # certbot cannot find an Apache virtual host, so issuing the certificate failed; we configure that virtual host next.

IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
[root@host ~]#
  • (2) Configure vhost.conf as the certbot message asks
[root@host ~]# cd /etc/httpd/conf.d/     # enter the /etc/httpd/conf.d/ directory
[root@host conf.d]# ls
autoindex.conf README ssl.conf userdir.conf welcome.conf

[root@host conf.d]# vim vhost.conf # edit vhost.conf, the Apache virtual host configuration file
# add the following content, changing the domain names to your own
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName qcmoke.top
ServerAlias www.qcmoke.top
<Directory "/var/www/html">
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>

# check that the Apache configuration is valid
[root@host conf.d]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using host.localdomain. Set the 'ServerName' directive globally to suppress this message
Syntax OK # the configuration is valid
  • (3) Configure the certificate again
# configure the certificate again
[root@host conf.d]# certbot --apache -d qcmoke.top -d www.qcmoke.top
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.qcmoke.top
http-01 challenge for qcmoke.top
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/vhost-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/vhost-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/vhost-le-ssl.conf


Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# choose whether to keep both HTTP and HTTPS access, or to force all requests to redirect to HTTPS
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/vhost.conf to ssl vhost in /etc/httpd/conf.d/vhost-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://qcmoke.top and
https://www.qcmoke.top # the certificates for qcmoke.top and www.qcmoke.top were issued successfully

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=qcmoke.top
https://www.ssllabs.com/ssltest/analyze.html?d=www.qcmoke.top
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/qcmoke.top/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/qcmoke.top/privkey.pem
Your cert will expire on 2018-12-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
  • (4) View the paths of the generated certificate files
[root@host conf.d]# find /etc/letsencrypt/live/
/etc/letsencrypt/live/
/etc/letsencrypt/live/qcmoke.top
/etc/letsencrypt/live/qcmoke.top/privkey.pem
/etc/letsencrypt/live/qcmoke.top/chain.pem
/etc/letsencrypt/live/qcmoke.top/README
/etc/letsencrypt/live/qcmoke.top/cert.pem
/etc/letsencrypt/live/qcmoke.top/fullchain.pem
[root@host conf.d]#
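To see what the "http-01 challenge" lines in the certbot output actually verify, here is an added example (not part of the original post and not certbot's code) that computes the key authorization the CA fetches from http://<domain>/.well-known/acme-challenge/<token>, which is why a virtual host on port 80 is required. The JWK and the token are constructed placeholders, and the code also covers EC account keys, which the post does not use.

```python
import base64
import hashlib
import json
import re

# Public JWK members that enter the RFC 7638 thumbprint, per key type.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# ACME tokens consist of base64url characters only; reject anything else before it touches a path.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members serialised as compact
    JSON with lexicographically sorted keys. Private or optional members
    (d, kid, use, ...) are deliberately left out, so they never affect it."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The string the http-01 response body must contain: token.thumbprint."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_url(domain: str, token: str) -> str:
    """Where the CA fetches the response: plain HTTP on port 80, which is
    why certbot needs a *:80 virtual host that answers for the domain."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def valid_response(token: str, jwk: dict, body: str) -> bool:
    """The CA's check on the fetched body (trailing whitespace is tolerated)."""
    return body.rstrip() == key_authorization(token, jwk)


# Constructed sample: a placeholder RSA account key and token, not real values.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
```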

11. Goal reached

Open the following address in a browser to confirm the result: https://www.ssllabs.com/ssltest/analyze.html?d=qcmoke.top

Once the above is done, open https://qcmoke.top in a browser: the padlock now appears and the browser no longer warns.

[screenshot: https://qcmoke.top shown with the padlock]

12. Analysis

Why was Apache able to find these certificates and finish the configuration automatically? Let's try to find out:

$ ls /etc/httpd/conf.d/

We see roughly the following files; a new vhost-le-ssl.conf configuration file has appeared

autoindex.conf README ssl.conf userdir.conf vhost.conf vhost-le-ssl.conf welcome.conf

Open vhost.conf and vhost-le-ssl.conf in turn.

Open vhost.conf

$ vim /etc/httpd/conf.d/vhost.conf

Some content has magically appeared: these lines rewrite the URL, redirecting from HTTP (port 80) to HTTPS (port 443).

<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName qcmoke.top
ServerAlias www.qcmoke.top
<Directory "/var/www/html">
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{SERVER_NAME} =qcmoke.top [OR]
RewriteCond %{SERVER_NAME} =www.qcmoke.top
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

If you want qcmoke.top to redirect to www.qcmoke.top, change the relevant directives inside <VirtualHost> to the following. (Apache does not allow a comment on the same line as a directive, so the comments are on their own lines.)

# enable URL rewriting
RewriteEngine on
# only rewrite requests that did not arrive on port 443
RewriteCond %{SERVER_PORT} !^443$
# redirect to https://www.<domain>/...; the target host is written out literally, because
# https://www.%{SERVER_NAME}/ would send a request that already uses www.qcmoke.top to www.www.qcmoke.top
RewriteRule ^/?(.*)$ https://www.qcmoke.top/$1 [L,R]

Open vhost-le-ssl.conf

$ vim /etc/httpd/conf.d/vhost-le-ssl.conf

So this is where the detailed SSL configuration lives. This file, generated by certbot, configured the certificate paths for us automatically.

<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName qcmoke.top
ServerAlias www.qcmoke.top
<Directory "/var/www/html">
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/qcmoke.top/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/qcmoke.top/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/qcmoke.top/chain.pem
</VirtualHost>
</IfModule>

OK! My understanding is this: through the running Apache service process, certbot finds the virtual host configuration file vhost.conf (the file certbot asked us to configure earlier) and then completes the whole SSL configuration for us. In fact, while generating the certificate we already chose to rewrite requests, and certbot told us it would use /etc/httpd/conf.d/vhost.conf to generate the "rewritten" /etc/httpd/conf.d/vhost-le-ssl.conf. The prompt where we made that choice was:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/vhost.conf to ssl vhost in /etc/httpd/conf.d/vhost-le-ssl.conf

13. Automatic certificate renewal

Let's Encrypt's free certificates are currently valid for 90 days, but we can use certbot's renew command to renew them

$ certbot renew

Since we have only just installed the certificate, it reports:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/qcmoke.top.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
/etc/letsencrypt/live/qcmoke.top/fullchain.pem expires on 2018-12-27 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Now that we know the renewal command, we can use cron to create a scheduled job that runs once a day

$ crontab -e

Add the following content (all on one line)

30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log 2>&1

Save and exit. The system will now run the renewal command certbot renew automatically at 2:30 AM every day; the result is recorded in the log file /var/log/le-renew.log, and Apache is restarted automatically after the certificate is renewed.

It is safe to run this command even when the certificate has not expired: for a certificate that is not yet due, certbot only performs a renewal check and does not modify it. When the renewal command finds that fewer than 30 days remain before expiry, it requests a new certificate. To see why the threshold is 30 days before expiry, look at the following configuration file.

$ sudo vim /etc/letsencrypt/renewal/qcmoke.top.conf  # replace qcmoke.top with your own domain

[screenshot: contents of /etc/letsencrypt/renewal/qcmoke.top.conf]

As we can see, the first line says that renewal starts 30 days before the certificate expires. In addition, if you gave Let's Encrypt an email address when creating the account, Let's Encrypt automatically sends expiry notices when the certificate is about to be due for renewal: the first notice 20 days before expiry, and further notices 10 days and 1 day before. If the certificate has already been renewed by the time a notice would be sent, Let's Encrypt does not send the expiry reminder.
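As an added example (not from the post and not certbot's own code), the following reproduces the renewal decision described above on a constructed copy of the renewal configuration: the paths are the ones from this post, the account id is a placeholder, and the expiry date is the one certbot printed after issuance. The [renewalparams] section shows installer = apache, which is what makes certbot reload Apache after a renewal.

```python
import re
from datetime import date, timedelta

# Constructed sample modelled on /etc/letsencrypt/renewal/qcmoke.top.conf (paths from the post; account is a placeholder).
SAMPLE_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
archive_dir = /etc/letsencrypt/archive/qcmoke.top
cert = /etc/letsencrypt/live/qcmoke.top/cert.pem
privkey = /etc/letsencrypt/live/qcmoke.top/privkey.pem
chain = /etc/letsencrypt/live/qcmoke.top/chain.pem
fullchain = /etc/letsencrypt/live/qcmoke.top/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = PLACEHOLDER_ACCOUNT_ID
"""

DURATION_RE = re.compile(r"^(\d+)\s*(hours?|days?|weeks?)$")
SETTING_RE = re.compile(r"^(#\s*)?renew_before_expiry\s*=\s*(.+?)\s*$")


def parse_duration(text: str) -> timedelta:
    """Parse certbot-style durations such as '30 days' or '720 hours'."""
    m = DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(**{m.group(2).rstrip("s") + "s": int(m.group(1))})


def renew_before_expiry(conf_text: str) -> timedelta:
    """The commented-out first line documents certbot's default (30 days);
    an uncommented renew_before_expiry line in the same file overrides it."""
    value = "30 days"
    for line in conf_text.splitlines():
        m = SETTING_RE.match(line.strip())
        if m and not m.group(1):
            return parse_duration(m.group(2))  # explicit setting wins
        if m:
            value = m.group(2)                 # the documented default
    return parse_duration(value)


def renewal_due(conf_text: str, not_after_iso: str, today_iso: str) -> bool:
    """certbot renews once fewer than renew_before_expiry remains before the
    expiry date (the 'expires on 2018-12-27' it printed after issuance)."""
    not_after, today = date.fromisoformat(not_after_iso), date.fromisoformat(today_iso)
    return today + renew_before_expiry(conf_text) >= not_after
```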

Note: other cron commands:

sudo crontab -e #edit the crontab list
sudo crontab -l #view the crontab list
sudo crontab -u root -l #view root's crontab list
sudo crontab -r #delete the crontab list
cat /var/log/cron #view the cron log
systemctl status crond.service #view the cron service status
systemctl restart crond.service #restart cron



----------- End of post -----------



