
Requesting a Let's Encrypt Certificate with Certbot


Use the Certbot tool to request a free Let's Encrypt certificate.

Operating system: CentOS 6.7 (64-bit)

Apache version: 2.2.15

Installing Certbot

```shell
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
```

Using Certbot

Change the download IP

Use the 站长工具 (Webmaster Tools) site to look up the domain pypi.python.org, pick the IP address with the shortest response time, and add it to the hosts file, for example:

```shell
151.101.24.223  pypi.python.org
```

Switch the pip index to the Douban mirror

```shell
mkdir /root/.pip
# Note: index-url is plain http, and trusted-host makes pip accept that host
# without TLS verification; packages from this mirror are not authenticated.
cat > /root/.pip/pip.conf << EOF
[global]
trusted-host = pypi.douban.com
index-url = http://pypi.douban.com/simple
EOF
```

Request the certificate from the command line

```shell
./certbot-auto --apache -d iamtim.wang -d www.iamtim.wang certonly
```

Once the request succeeds, the certificate files are stored under /etc/letsencrypt/live in the directory named after the domain:

```shell
ls -l
total 0
lrwxrwxrwx 1 root root 35 Dec 5 13:31 cert.pem -> ../../archive/iamtim.wang/cert1.pem
lrwxrwxrwx 1 root root 36 Dec 5 13:31 chain.pem -> ../../archive/iamtim.wang/chain1.pem
lrwxrwxrwx 1 root root 40 Dec 5 13:31 fullchain.pem -> ../../archive/iamtim.wang/fullchain1.pem
lrwxrwxrwx 1 root root 38 Dec 5 13:31 privkey.pem -> ../../archive/iamtim.wang/privkey1.pem
pwd
/etc/letsencrypt/live/iamtim.wang
```

Add the certificate renewal command to the scheduled tasks (cron)

```shell
0 1 * * * /root/certbot-auto renew --quiet
```

Apache configuration

Configure Apache's ssl.conf file

The configuration produced by the Mozilla SSL Configuration Generator can be used as a reference.

```apache
<VirtualHost *:443>
...
SSLEngine on
ServerAlias iamtim.wang
ServerAlias www.iamtim.wang
SSLCertificateChainFile /etc/letsencrypt/live/iamtim.wang/chain.pem
SSLCertificateFile /etc/letsencrypt/live/iamtim.wang/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/iamtim.wang/privkey.pem
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
...
</VirtualHost>
```
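Before reloading, it is worth seeing what a VirtualHost like the one above still permits. The following is an added example, not code from the post: a small audit that parses a mod_ssl block and reports the protocol versions left enabled by `SSLProtocol all -SSLv2 -SSLv3`, the 3DES suites and the non-forward-secret suites in `SSLCipherSuite`, and the HSTS max-age. The sample block is constructed from the post's configuration with the cipher list shortened to a representative subset.

```python
import re

# Constructed sample: the Apache 2.2 vhost from this post, with the Mozilla "old"
# cipher list shortened to a representative subset so the block stays readable.
SAMPLE_CONF = """<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
"""

# Key-exchange prefixes in OpenSSL cipher names that provide forward secrecy.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def parse_directives(conf):
    """Map directive name -> value, skipping comments and section tags."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
    return directives


def audit_ssl_conf(conf):
    """Report what a mod_ssl VirtualHost block still allows."""
    d = parse_directives(conf)
    findings = {"legacy_protocols": [], "3des_ciphers": [], "no_forward_secrecy": [],
                "honor_order": d.get("SSLHonorCipherOrder", "").lower() == "on"}
    # "all -SSLv2 -SSLv3" still leaves TLS 1.0 and TLS 1.1 negotiable.
    proto = d.get("SSLProtocol", "all").split()
    if "all" in proto:
        findings["legacy_protocols"] = [v for v in ("TLSv1", "TLSv1.1") if "-" + v not in proto]
    for cipher in d.get("SSLCipherSuite", "").split(":"):
        if not cipher or cipher[0] in "!-+":      # skip exclusion/ordering tokens
            continue
        if "DES-CBC3" in cipher:                  # 3DES: 64-bit block size
            findings["3des_ciphers"].append(cipher)
        if not cipher.startswith(FORWARD_SECRET_PREFIXES):
            findings["no_forward_secrecy"].append(cipher)
    m = re.search(r'Strict-Transport-Security\s+"max-age=(\d+)', conf)
    findings["hsts_max_age"] = int(m.group(1)) if m else None
    return findings


if __name__ == "__main__":
    for key, value in audit_ssl_conf(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Point it at the real ssl.conf (read the file into `conf`) to get the same report for the deployed configuration.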

After restarting Apache, test the certificate and TLS configuration at the following page:

```shell
https://www.ssllabs.com/ssltest/analyze.html?d=iamtim.wang
```