How To Secure Apache with Let’s Encrypt on CentOS 8

Introduction

Let’s Encrypt is a Certificate Authority (CA) that facilitates obtaining and installing free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by working with clients, such as Certbot, to automate the necessary steps.

In this tutorial, you will use Certbot to set up a TLS/SSL certificate with the Apache web server on CentOS 8. Additionally, you will automate the certificate renewal process using a cron job, which you can learn more about by reading How To Use Cron To Automate Tasks on CentOS 8.

Prerequisites

In order to complete this guide, you will need:

  • One CentOS 8 server with a non-root sudo-enabled user and a basic firewalld firewall set up by following the CentOS 8 initial server setup guide.

  • Apache installed on the server with a virtual host configured for your domain. You can learn how to set this up by following our tutorial How To Install the Apache Web Server on CentOS 8. Be sure that you have a virtual host set up for your domain. This tutorial will use /etc/httpd/sites-available/example.com.conf as an example.

  • You should own or control the registered domain name that you wish to use the certificate with. If you do not already have a registered domain name, you may purchase one on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.

  • A DNS A Record that points your domain to the public IP address of your server. If you host your domain through DigitalOcean, you can refer to the DigitalOcean DNS documentation for details on how to add these records with the DigitalOcean platform. DNS A records are required because of how Let’s Encrypt validates that you own the domain it is issuing a certificate for. For example, if you want to obtain a certificate for example.com, that domain must resolve to your server for the validation process to work. Our setup will use example.com and www.example.com as the domain names, both of which will require a valid DNS record.

When you have all of these prerequisites completed, move on to install the Certbot client software.

Step 1 — Installing the Certbot Let’s Encrypt Client

To use Let’s Encrypt to obtain an SSL certificate, you first need to install Certbot and mod_ssl, an Apache module that provides support for SSLv3 encryption.

The certbot package is not available through the package manager by default. You will need to enable the EPEL repository to install Certbot.

To add the CentOS 8 EPEL repository, run the following command:

  • sudo dnf install epel-release

Now that you have access to the repository, install all of the required packages:

  • sudo dnf install certbot python3-certbot-apache mod_ssl

With these services installed, you’re now ready to run Certbot and fetch your certificates.

Step 2 — Obtaining a Certificate

Now that Certbot is installed, you can use it to request an SSL certificate for your domain.

Using the certbot Let’s Encrypt client to generate the SSL Certificate for Apache automates many of the steps in the process. The client will automatically obtain and install a new SSL certificate that is valid for the domains you provide as parameters.

To execute the interactive installation and obtain a certificate that covers only a single domain, run the certbot command with:

  • sudo certbot --apache -d example.com

This runs certbot with the --apache plugin and specifies the domain to configure the certificate for with the -d flag.

If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command, tagging each new domain or subdomain with the -d flag. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate. For this reason, pass the base domain name as first in the list, followed by any additional subdomains or aliases:

  • sudo certbot --apache -d example.com -d www.example.com

The base domain in this example is example.com.

The certbot utility can also prompt you to choose a domain based on your existing Apache configuration. To use this functionality, call certbot without any domains specified:

  • sudo certbot --apache

The program will present you with a step-by-step guide to customize your certificate options. It will ask you to provide an email address for lost key recovery and notices, and then prompt you to agree to the terms of service. If you did not specify your domains on the command line, you will be prompted for that as well. If your Virtual Host files do not specify the domain they serve explicitly using the ServerName directive, you will be asked to choose the virtual host file.

When the installation is successfully finished, you will see a message similar to this:

Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-09-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The generated certificate files will be available within a subdirectory named after your base domain in the /etc/letsencrypt/live directory.

Now that your certificates are downloaded, installed, and loaded, you can check your SSL certificate status to make sure that everything is working.

Step 3 — Testing the Certificate and SSL Configuration

At this point, you can ensure that Certbot created your SSL certificate correctly by using the SSL Server Test from the cloud security company Qualys.

Open the following link in your preferred web browser, replacing example.com with your domain:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com

You will land on a page that immediately begins testing the SSL connection to your server:

Once the test starts running, it may take a few minutes to complete. The status of the test will update in your browser.

When the testing finishes, the page will display a letter grade that rates the security and quality of your server’s configuration. At the time of this writing, default settings will give an A rating:

For more information about how SSL Labs determines these grades, check out the SSL Labs Grading post detailing the updates made to the grading scheme in January, 2018.

Try reloading your website using https:// and notice your browser’s security indicator. It will now indicate that the site is properly secured, usually with a lock icon.

With your SSL certificate installed and verified, the next step is to set up auto-renewal for your certificate to keep your certificate valid.

Step 4 — Setting Up Auto Renewal

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you check for renewal twice a day in case of a revocation or other problem. Because of this, it is a best practice to automate this process.

First, let’s examine the command that you will use to renew the certificate. The certbot Let’s Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date. By using the --dry-run option, you can run a simulation of this task to test how renew works:

  • sudo certbot renew --dry-run

The output should look similar to this:

Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
...

Notice that if you created a bundled certificate with multiple domains, only the base domain name will be shown in the output, but the renewal will be valid for all domains included in this certificate.

A practical way to ensure your certificates will not get outdated is to create a cron job that will periodically execute the automatic renewal command for you.

The official Certbot documentation recommends running cron twice per day. This will ensure that, in case Let’s Encrypt initiates a certificate revocation, there will be no more than half a day before Certbot renews your certificate. The documentation suggests using the following command to add an appropriate cron job to the /etc/crontab crontab file:

  • echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

This will create a new cron job that will execute at noon and midnight every day (0 0,12 * * *). It will then run the short python3 script, which pauses for a random period of time between zero and sixty minutes. This is recommended in order to reduce the load on Let’s Encrypt’s servers.

After the python script exits, the actual certbot renew command will run.

For more information on how to create and schedule cron jobs, you can check our How To Use Cron To Automate Tasks on CentOS 8 guide. More detailed information about renewal can be found in the Certbot documentation.

Conclusion

In this guide you installed the Let’s Encrypt Certbot client, downloaded SSL certificates for your domain, and set up automatic certificate renewal. If you have any questions about using Certbot, you can check the official Certbot documentation. We also recommend that you check the official Let’s Encrypt blog for important updates from time to time.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-8
