Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.
In this tutorial, you will use Certbot to obtain a free SSL certificate for Apache on Ubuntu 18.04 and set up your certificate to renew automatically.
This tutorial will use a separate Apache virtual host file instead of the default configuration file. Creating a new Apache virtual host file for each domain is recommended because it helps to avoid common mistakes and keeps the default files as a fallback configuration.
To follow this tutorial, you will need:
One Ubuntu 18.04 server set up by following this tutorial, including a sudo non-root user and a firewall.
A fully registered domain name. This tutorial will use your_domain as an example throughout. You can purchase a domain name, get one for free, or use the domain registrar of your choice.
Both of the following DNS records set up for your server. You can follow your DNS provider’s documentation for details on how to add them.
An A record with your_domain pointing to your server’s public IP address.
An A record with www.your_domain pointing to your server’s public IP address.
Apache installed on the server. Be sure that you have a virtual host file for your domain. This tutorial will use /etc/apache2/sites-available/your_domain.conf as an example.
The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server.
Certbot is in very active development, so the Certbot packages provided by Ubuntu tend to be outdated. However, the Certbot developers maintain an Ubuntu software repository with up-to-date versions, so we’ll use that repository instead.
First, add the repository:
You’ll need to press ENTER to accept.
Install Certbot’s Apache package with apt:
Certbot is now ready to use, but in order for it to configure SSL for Apache, we need to verify some of Apache’s configuration.
Certbot needs to be able to find the correct virtual host in your Apache configuration for it to automatically configure SSL. Specifically, it does this by looking for a ServerName directive that matches the domain you request a certificate for.
If you followed the prerequisite guides, you should have a VirtualHost block for your domain at /etc/apache2/sites-available/your_domain.conf with the ServerName directive already set appropriately.
To check, open the virtual host file for your domain using nano or your favorite text editor:
sudo nano /etc/apache2/sites-available/your_domain.conf
Find the existing ServerName line. It should look like this (Apache directives take no trailing semicolon; a stray ";" would become part of the name and Certbot would not match it):
...
ServerName your_domain
...
If it does, exit your editor and move on to the next step.
If it doesn’t, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits:
If you get an error, reopen the virtual host file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Apache to load the new configuration:
Certbot can now find the correct VirtualHost block and update it.
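The match Certbot relies on, as an added shell example that is not part of the original tutorial: it reads the ServerName and ServerAlias values from a virtual host file and reports which of the names you intend to pass with -d are missing. The sample vhost, its temporary path and the domain names are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original tutorial): confirm that an Apache
# virtual host file names every domain we are about to ask Certbot for.
# Certbot's Apache plugin picks the VirtualHost whose ServerName (or
# ServerAlias) matches the -d names, so a missing name here is the usual
# reason it reports that it cannot find a matching block.

# Print the ServerName and ServerAlias values of a vhost file, one per
# line, lower-cased, with comments removed. Anything else on the line
# (such as a stray trailing ";") stays attached to the name, which is
# exactly what Apache would see, so it shows up as a mismatch below.
vhost_names() {
    sed 's/#.*$//' "$1" | awk '
        tolower($1) == "servername" || tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++) print tolower($i)
        }'
}

# Usage: vhost_covers FILE NAME... ; returns 0 when every NAME is present,
# otherwise lists the missing names on stderr and returns 1.
vhost_covers() {
    file=$1; shift
    names=$(vhost_names "$file")
    rc=0
    for want in "$@"; do
        lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$names" | grep -qxF "$lc"; then
            echo "not in $file: $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample vhost (the layout the tutorial expects), written to
# a temporary file so the check runs without a real Apache installation.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
    ServerName your_domain
    ServerAlias www.your_domain
    DocumentRoot /var/www/your_domain
</VirtualHost>
EOF
if vhost_covers "$sample" your_domain www.your_domain; then
    echo "vhost covers both names; Certbot can select this block"
fi
rm -f "$sample"
```

Run it against the real file with `vhost_covers /etc/apache2/sites-available/your_domain.conf your_domain www.your_domain` before invoking Certbot; a non-zero exit tells you which name to add first.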
Next, let’s update the firewall to allow HTTPS traffic.
If you have the ufw firewall enabled, as recommended by the prerequisite guides, you’ll need to adjust the settings to allow for HTTPS traffic. Luckily, Apache registers a few profiles with ufw upon installation.
You can see the current setting by typing:
It will probably look like this, meaning that only HTTP traffic is allowed to the web server:
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)
To additionally let in HTTPS traffic, allow the Apache Full profile and delete the redundant Apache profile allowance:
Your status should now look like this:
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
Next, let’s run Certbot and fetch our certificates.
Certbot provides a variety of ways to obtain SSL certificates through plugins. The Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary. To use this plugin, type the following:
sudo certbot --apache -d your_domain -d www.your_domain
This runs certbot with the --apache plugin, using -d to specify the names you’d like the certificate to be valid for.
If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.
If that’s successful, certbot will ask how you’d like to configure your HTTPS settings:
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select your choice then hit ENTER. The configuration will be updated, and Apache will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:
Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your cert will expire on 2018-07-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a green lock icon. If you test your server using an online SSL server test, it will get an A grade.
Let’s finish by testing the renewal process.
The certbot package we installed takes care of renewals by including a renew script in /etc/cron.d, which is managed by a systemd timer unit called certbot.timer. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.
To check the status of this service and make sure it’s active and running, you can use:
You’ll get output similar to this:
Output
● certbot.timer - Run certbot twice daily
   Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
   Active: active (waiting) since Tue 2020-04-28 17:57:48 UTC; 17h ago
  Trigger: Wed 2020-04-29 23:50:31 UTC; 12h left
 Triggers: ● certbot.service

Apr 28 17:57:48 fine-turtle systemd[1]: Started Run certbot twice daily.
To test the renewal process, you can do a dry run with certbot:
If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Apache to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.
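The thirty-day renewal window described above, worked through as an added shell example (not part of the original tutorial and not Certbot’s own code): it counts the days remaining until a YYYY-MM-DD expiry date in pure shell arithmetic and decides whether a renewal run would act. The dates, including the 2018-07-23 expiry taken from the sample Certbot output, are constructed inputs.

```sh
#!/bin/sh
# Added example (not from the original tutorial): decide whether a
# certificate is inside the thirty-day window in which "certbot renew"
# (run twice daily by certbot.timer) will replace it. Dates are handled
# as YYYY-MM-DD strings in pure shell arithmetic, so this also runs on
# hosts whose date(1) lacks GNU's -d option.

# Convert YYYY-MM-DD to a day count since 1970-01-01 (proleptic
# Gregorian; the classic days_from_civil algorithm).
days_from_civil() {
    y=${1%%-*}; r=${1#*-}; m=${r%%-*}; d=${r#*-}
    m=${m#0}; d=${d#0}                 # "08" would otherwise be read as octal
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    printf '%s\n' "$(( era * 146097 + doe - 719468 ))"
}

# Days from TODAY until EXPIRES (negative once the certificate has lapsed).
days_left() {
    printf '%s\n' "$(( $(days_from_civil "$2") - $(days_from_civil "$1") ))"
}

# Return 0 when the certificate expiring on EXPIRES should be renewed
# as of TODAY, i.e. thirty days or fewer remain (Certbot's default).
renewal_due() {
    [ "$(days_left "$1" "$2")" -le 30 ]
}

# Constructed walk-through using the expiry date shown in the tutorial's
# Certbot output (2018-07-23): a fresh 90-day certificate is left alone;
# the first timer run on or after 2018-06-23 renews it.
for today in 2018-04-24 2018-06-22 2018-06-23 2018-07-24; do
    if renewal_due "$today" 2018-07-23; then
        echo "$today: $(days_left "$today" 2018-07-23) days left -> renew"
    else
        echo "$today: $(days_left "$today" 2018-07-23) days left -> leave"
    fi
done
```

Against the real certificate the same decision is made by `openssl x509 -checkend 2592000 -noout -in /etc/letsencrypt/live/your_domain/fullchain.pem`, which exits non-zero when fewer than 30 days (2592000 seconds) remain.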
In this tutorial, you installed the Let’s Encrypt client certbot, downloaded SSL certificates for your domain, configured Apache to use these certificates, and set up automatic certificate renewal. If you have further questions about using Certbot, the Certbot documentation is a good place to start.
Translated from:
Repost source: http://nvegb.baihongyu.com/