tech:ssl_letsencrypt [2020/12/06 12:45] – [CentOS 8] jonathan | tech:ssl_letsencrypt [2022/07/20 14:40] (current version) – [apache related settings] jonathan
行 4: | 行 4: | ||
===== 申請 Let's Encrypt 與設定 Web Server 程序 ===== | ===== 申請 Let's Encrypt 與設定 Web Server 程序 ===== | ||
- | * 下載 Let's Encrypt certbot 工具 | + | {{tabinclude>tech: |
- | * CentOS 8< | + | |
- | dnf install certbot | + | |
- | </ | + | |
- | * CentOS 7<code sh> | + | |
- | yum install certbot | + | |
- | </code> | + | |
- | * 執行 certbot 工具 | ||
- | * 使用 Apache 環境執行語法 | ||
- | * CentOS 7<code sh> | ||
- | yum install python-certbot-apache | ||
- | certbot --apache | ||
- | </ | ||
- | * 使用 Nginx 環境執行語法 | ||
- | * CentOS 8< | ||
- | dnf install python3-certbot-nginx | ||
- | </ | ||
- | * CentOS 7<code sh> | ||
- | yum install python-certbot-nginx | ||
- | certbot --nginx | ||
- | </ | ||
* 這過程會檢查與安裝 python packages 並讀取 web server 的設定, 查看目前的網站網址, | * 這過程會檢查與安裝 python packages 並讀取 web server 的設定, 查看目前的網站網址, | ||
* 原則上只要最後詢問 Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. 是否要讓瀏覽 http 網址自動轉至 https 的問題後, | * 原則上只要最後詢問 Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. 是否要讓瀏覽 http 網址自動轉至 https 的問題後, | ||
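Review bot: the `{{tabinclude>tech: ...}}` target that replaces the per-distro bullets is cut off in this view, so it cannot be confirmed here that the included tab page still carries the removed install and run steps (`dnf install certbot` / `yum install certbot`, `yum install python-certbot-apache` with `certbot --apache`, `dnf install python3-certbot-nginx` or `yum install python-certbot-nginx` with `certbot --nginx`). The two bullets kept as context (the python packages check and the HTTP-to-HTTPS redirect prompt) assume the reader has just run one of those commands, so verify that the included page keeps them, per distro, in the same order.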
行 60: | 行 40: | ||
#</ | #</ | ||
</ | </ | ||
- | * certbot-auto 會自動產生 / | + | * certbot-auto 會自動產生 / |
+ | : | ||
+ | : | ||
+ | # Explictly disable SSL compression (should default to off anyway...) | ||
+ | # Note enabling SSL compression makes Apache vulnerable to CRIME attack. | ||
+ | SSLCompression off | ||
+ | |||
+ | # Default certificate file to use (provided by TurnKey) | ||
+ | # | ||
+ | SSLCertificateFile / | ||
+ | SSLCertificateKeyFile / | ||
+ | |||
+ | </ | ||
+ | </ | ||
< | < | ||
* 如果之後增加 VirtualHost 透過 <code sh> | * 如果之後增加 VirtualHost 透過 <code sh> | ||
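Review bot: the added Apache snippet has a typo in its comment (`Explictly` should be `Explicitly`), and the `SSLCertificateFile` / `SSLCertificateKeyFile` values are truncated in this view. Because the comment above them reads "Default certificate file to use (provided by TurnKey)", confirm that both paths point at the certbot-managed live certificate and key rather than the distribution's default pair, so the vhost serves the issued certificate after the certbot run described earlier on the page. `SSLCompression off` with the CRIME note is correct and worth keeping.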
行 224: | 行 217: | ||
===== 透過 CloudFlare DNS 自動更新無 Web 對外網站 SSL 憑證 ===== | ===== 透過 CloudFlare DNS 自動更新無 Web 對外網站 SSL 憑證 ===== | ||
* 因為部份網站是內部網站, | * 因為部份網站是內部網站, | ||
- | + | {{tabinclude> | |
- | ==== CentOS 8 ==== | + | |
- | * 安裝 DNS CloudFlare Plugin< | + | |
- | dnf install python3-certbot-dns-cloudflare | + | |
- | </ | + | |
- | * 建立 / | + | |
- | mkdir -p / | + | |
- | vi / | + | |
- | </ | + | |
- | # Cloudflare API credentials used by Certbot | + | |
- | dns_cloudflare_email = [email protected] | + | |
- | dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567 | + | |
- | </ | + | |
- | * 設定保護權限 < | + | |
- | chmod 600 / | + | |
- | </ | + | |
- | * 進行申請新憑證 Exp. example.com <code sh> | + | |
- | / | + | |
- | --dns-cloudflare \ | + | |
- | --dns-cloudflare-credentials / | + | |
- | --dns-cloudflare-propagation-seconds 10 \ | + | |
- | -d example.com | + | |
- | </ | + | |
- | * 進行定期更新憑證 Exp. example.com < | + | |
- | / | + | |
- | --dns-cloudflare \ | + | |
- | --dns-cloudflare-credentials / | + | |
- | --dns-cloudflare-propagation-seconds 10 | + | |
- | </ | + | |
- | * 設定每天自動檢查更新 | + | |
- | - 建立 / | + | |
- | vi / | + | |
- | / | + | |
- | --dns-cloudflare \ | + | |
- | --dns-cloudflare-credentials / | + | |
- | --dns-cloudflare-propagation-seconds 10 | + | |
- | </ | + | |
- | chmod a+x / | + | |
- | </ | + | |
- | - 設定 / | + | |
- | vi / | + | |
- | : | + | |
- | # let's encrypt | + | |
- | 35 2 * * * root / | + | |
- | </ | + | |
- | systemctl restart crond | + | |
- | </ | + | |
- | + | ||
- | ==== CentOS 7 ==== | + | |
- | * 安裝 DNS CloudFlare Plugin< | + | |
- | yum install python2-certbot-dns-cloudflare | + | |
- | </ | + | |
- | * 建立 / | + | |
- | # Cloudflare API credentials used by Certbot | + | |
- | dns_cloudflare_email = [email protected] | + | |
- | dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567 | + | |
- | </ | + | |
- | * 設定保護權限 <code sh> | + | |
- | chmod 600 / | + | |
- | </ | + | |
- | * 進行申請新憑證 Exp. example.com <code sh> | + | |
- | / | + | |
- | --dns-cloudflare \ | + | |
- | --dns-cloudflare-credentials / | + | |
- | --dns-cloudflare-propagation-seconds 10 \ | + | |
- | -d example.com | + | |
- | </ | + | |
- | * 進行定期更新憑證 Exp. example.com <code sh> | + | |
- | / | + | |
- | --dns-cloudflare \ | + | |
- | --dns-cloudflare-credentials / | + | |
- | --dns-cloudflare-propagation-seconds 10 | + | |
- | </ | + | |
- | * 設定每天自動檢查更新 | + | |
- | - 建立 / | + | |
- | vi / | + | |
- | / | + | |
- | --dns-cloudflare \ | + | |
- | --dns-cloudflare-credentials / | + | |
- | --dns-cloudflare-propagation-seconds 10 | + | |
- | </ | + | |
- | chmod a+x / | + | |
- | </ | + | |
- | - 設定 / | + | |
- | vi / | + | |
- | : | + | |
- | # let's encrypt | + | |
- | 35 2 * * * root / | + | |
- | </ | + | |
- | systemctl restart crond | + | |
- | </ | + | |
- | + | ||
- | ==== CentOS 6 ==== | + | |
- | - 建立 / | + | |
- | cd / | + | |
- | wget https:// | + | |
- | chmod a+x authenticator.sh | + | |
- | </ | + | |
- | - 建立 / | + | |
- | cd / | + | |
- | wget https:// | + | |
- | chmod a+x cleanup.sh</ | + | |
- | - 取得 CloudFlare 的 Zone ID 與 Global API Key 更改 authenticator.sh 與 cleanup.sh 內容< | + | |
- | : | + | |
- | API_KEY=" | + | |
- | EMAIL=" | + | |
- | ZONE_ID=" | + | |
- | : | + | |
- | </ | + | |
- | - 執行取得 SSL 憑證命令 Exp. erp.ichiayi.com <code sh> | + | |
- | / | + | |
- | </ | + | |
- | * 設定憑證到期自動更新 | + | |
- | - 建立 / | + | |
- | vi / | + | |
- | / | + | |
- | </ | + | |
- | - 設定執行權限< | + | |
- | chmod a+x / | + | |
- | </ | + | |
- | - 設定每天 4:30 執行自動檢查一次< | + | |
- | vi / | + | |
- | </ | + | |
- | : | + | |
- | # erp.ichiayi.com SSL cert auto renew | + | |
- | 30 4 * * * root / | + | |
- | </ | + | |
- | service crond restart | + | |
- | </ | + | |
===== 參考網址 ===== | ===== 參考網址 ===== | ||
* https:// | * https:// | ||
* https:// | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
* https:// | * https:// | ||
* https:// | * https:// |
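Review bot: the removed CentOS 7/8 steps stored the Cloudflare Global API Key in the credentials file (`dns_cloudflare_email` / `dns_cloudflare_api_key`) and protected it with `chmod 600`, and the removed CentOS 6 steps embedded `API_KEY`, `EMAIL` and `ZONE_ID` in `authenticator.sh` / `cleanup.sh` fetched with `wget` and then made executable with `chmod a+x`; the `{{tabinclude>` target that replaces all three sections is cut off here, so verify that the included page keeps the `chmod 600` step and adds a review or checksum step before executing the downloaded scripts. Also consider documenting a scoped Cloudflare API token (`dns_cloudflare_api_token`) in place of the Global API Key, since the key grants full account access and the cron job runs it unattended daily. The two reference URLs added at the end are truncated in this view and cannot be checked.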