Differences
This shows the differences between the two versions.
tech:ssl_letsencrypt [2021/06/23 22:27] – jonathan | tech:ssl_letsencrypt [2022/07/20 14:40] (current version) – [apache related settings] jonathan | ||
---|---|---|---|
行 4: | 行 4: | ||
===== 申請 Let's Encrypt 與設定 Web Server 程序 ===== | ===== 申請 Let's Encrypt 與設定 Web Server 程序 ===== | ||
- | {{tabinclude> | + | {{tabinclude> |
- | * 下載 Let's Encrypt certbot 工具 | ||
- | * Ubunut 20.04< | ||
- | apt install certbot | ||
- | </ | ||
- | * CentOS 8< | ||
- | dnf install certbot | ||
- | </ | ||
- | * CentOS 7<code sh> | ||
- | yum install certbot | ||
- | </ | ||
- | |||
- | * 執行 certbot 工具 | ||
- | * 使用 Apache 環境執行語法 | ||
- | * CentOS 7<code sh> | ||
- | yum install python-certbot-apache | ||
- | certbot --apache | ||
- | </ | ||
- | * 使用 Nginx 環境執行語法 | ||
- | * CentOS 8< | ||
- | dnf install python3-certbot-nginx | ||
- | </ | ||
- | * CentOS 7<code sh> | ||
- | yum install python-certbot-nginx | ||
- | certbot --nginx | ||
- | </ | ||
* 這過程會檢查與安裝 python packages 並讀取 web server 的設定, 查看目前的網站網址, | * 這過程會檢查與安裝 python packages 並讀取 web server 的設定, 查看目前的網站網址, | ||
* 原則上只要最後詢問 Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. 是否要讓瀏覽 http 網址自動轉至 https 的問題後, | * 原則上只要最後詢問 Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. 是否要讓瀏覽 http 網址自動轉至 https 的問題後, | ||
行 65: | 行 40: | ||
#</ | #</ | ||
</ | </ | ||
- | * certbot-auto 會自動產生 / | + | * certbot-auto 會自動產生 / |
+ | : | ||
+ | : | ||
+ | # Explictly disable SSL compression (should default to off anyway...) | ||
+ | # Note enabling SSL compression makes Apache vulnerable to CRIME attack. | ||
+ | SSLCompression off | ||
+ | |||
+ | # Default certificate file to use (provided by TurnKey) | ||
+ | # | ||
+ | SSLCertificateFile / | ||
+ | SSLCertificateKeyFile / | ||
+ | |||
+ | </ | ||
+ | </ | ||
< | < | ||
* 如果之後增加 VirtualHost 透過 <code sh> | * 如果之後增加 VirtualHost 透過 <code sh> | ||
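
Review bot: In the added Apache example, the comment "Default certificate file to use (provided by TurnKey)" sits directly above SSLCertificateFile and SSLCertificateKeyFile, while the bullet introduces the block as the file certbot-auto generates, so a reader cannot tell whether these two directives should still name the TurnKey default certificate or the Let's Encrypt one once the run has finished. Suggest stating which paths are expected afterwards and adding a step to verify them. Minor: "Explictly" should read "Explicitly", and the bare "#" line under the TurnKey comment can be dropped.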
行 230: | 行 218: | ||
* 因為部份網站是內部網站, | * 因為部份網站是內部網站, | ||
{{tabinclude> | {{tabinclude> | ||
- | |||
- | ==== CentOS 8 ==== | ||
- | * 安裝 DNS CloudFlare Plugin< | ||
- | dnf install python3-certbot-dns-cloudflare | ||
- | </ | ||
- | * 建立 / | ||
- | mkdir -p / | ||
- | vi / | ||
- | </ | ||
- | # Cloudflare API credentials used by Certbot | ||
- | dns_cloudflare_email = [email protected] | ||
- | dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567 | ||
- | </ | ||
- | * 設定保護權限 <cli> | ||
- | chmod 600 / | ||
- | </ | ||
- | * 進行申請新憑證 Exp. example.com <code sh> | ||
- | / | ||
- | --dns-cloudflare \ | ||
- | --dns-cloudflare-credentials / | ||
- | --dns-cloudflare-propagation-seconds 10 \ | ||
- | -d example.com | ||
- | </ | ||
- | * 進行定期更新憑證 Exp. example.com <cli> | ||
- | / | ||
- | --dns-cloudflare \ | ||
- | --dns-cloudflare-credentials / | ||
- | --dns-cloudflare-propagation-seconds 10 | ||
- | </ | ||
- | * 設定每天自動檢查更新 | ||
- | - 建立 / | ||
- | vi / | ||
- | / | ||
- | --dns-cloudflare \ | ||
- | --dns-cloudflare-credentials / | ||
- | --dns-cloudflare-propagation-seconds 10 | ||
- | </ | ||
- | chmod a+x / | ||
- | </ | ||
- | - 設定 / | ||
- | vi / | ||
- | : | ||
- | # let's encrypt | ||
- | 35 2 * * * root / | ||
- | </ | ||
- | systemctl restart crond | ||
- | </ | ||
- | |||
- | ==== CentOS 7 ==== | ||
- | * 安裝 DNS CloudFlare Plugin< | ||
- | yum install python2-certbot-dns-cloudflare | ||
- | </ | ||
- | * 建立 / | ||
- | # Cloudflare API credentials used by Certbot | ||
- | dns_cloudflare_email = [email protected] | ||
- | dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567 | ||
- | </ | ||
- | * 設定保護權限 <code sh> | ||
- | chmod 600 / | ||
- | </ | ||
- | * 進行申請新憑證 Exp. example.com <code sh> | ||
- | / | ||
- | --dns-cloudflare \ | ||
- | --dns-cloudflare-credentials / | ||
- | --dns-cloudflare-propagation-seconds 10 \ | ||
- | -d example.com | ||
- | </ | ||
- | * 進行定期更新憑證 Exp. example.com <code sh> | ||
- | / | ||
- | --dns-cloudflare \ | ||
- | --dns-cloudflare-credentials / | ||
- | --dns-cloudflare-propagation-seconds 10 | ||
- | </ | ||
- | * 設定每天自動檢查更新 | ||
- | - 建立 / | ||
- | vi / | ||
- | / | ||
- | --dns-cloudflare \ | ||
- | --dns-cloudflare-credentials / | ||
- | --dns-cloudflare-propagation-seconds 10 | ||
- | </ | ||
- | chmod a+x / | ||
- | </ | ||
- | - 設定 / | ||
- | vi / | ||
- | : | ||
- | # let's encrypt | ||
- | 35 2 * * * root / | ||
- | </ | ||
- | systemctl restart crond | ||
- | </ | ||
- | |||
- | ==== CentOS 6 ==== | ||
- | - 建立 / | ||
- | cd / | ||
- | wget https:// | ||
- | chmod a+x authenticator.sh | ||
- | </ | ||
- | - 建立 / | ||
- | cd / | ||
- | wget https:// | ||
- | chmod a+x cleanup.sh</ | ||
- | - 取得 CloudFlare 的 Zone ID 與 Global API Key 更改 authenticator.sh 與 cleanup.sh 內容< | ||
- | : | ||
- | API_KEY=" | ||
- | EMAIL=" | ||
- | ZONE_ID=" | ||
- | : | ||
- | </ | ||
- | - 執行取得 SSL 憑證命令 Exp. erp.ichiayi.com <code sh> | ||
- | / | ||
- | </ | ||
- | * 設定憑證到期自動更新 | ||
- | - 建立 / | ||
- | vi / | ||
- | / | ||
- | </ | ||
- | - 設定執行權限< | ||
- | chmod a+x / | ||
- | </ | ||
- | - 設定每天 4:30 執行自動檢查一次< | ||
- | vi / | ||
- | </ | ||
- | : | ||
- | # erp.ichiayi.com SSL cert auto renew | ||
- | 30 4 * * * root / | ||
- | </ | ||
- | service crond restart | ||
- | </ | ||
===== 參考網址 ===== | ===== 參考網址 ===== | ||
* https:// | * https:// | ||
* https:// | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
* https:// | * https:// | ||
* https:// | * https:// |
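
Review bot: The removed CentOS 8 and CentOS 7 sections each carried a chmod 600 step for the file holding dns_cloudflare_api_key, while the CentOS 6 section wrote API_KEY, EMAIL and ZONE_ID into authenticator.sh and cleanup.sh with only chmod a+x applied. Before dropping these sections, check that the pages pulled in by the unchanged {{tabinclude> line above them keep the chmod 600 step and add an equivalent read restriction for the two CentOS 6 scripts. The CentOS 6 text names the Cloudflare Global API Key explicitly and the other two use the email plus dns_cloudflare_api_key form, so the tab pages are also the place to say that this key grants account-wide access and must be stored accordingly. The two added reference links are cut off in this view and could not be checked.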