How To Secure Apache with Let's Encrypt on CentOS 7

Introduction

Let’s Encrypt is a Certificate Authority (CA) that provides free certificates for Transport Layer Security (TLS) encryption, thereby enabling encrypted HTTPS on web servers. It simplifies the process of creation, validation, signing, installation, and renewal of certificates by providing a software client that automates most of the steps—Certbot.

In this tutorial, you will use Certbot to set up a TLS/SSL certificate from Let’s Encrypt on a CentOS 7 server running Apache as a web server. Additionally, you will automate the certificate renewal process using a cron job, which you can learn more about by reading How To Use Cron To Automate Tasks On a VPS.

Prerequisites

In order to complete this guide, you will need:

  • One CentOS 7 server set up by following the CentOS 7 initial server setup guide with a non-root user who has sudo privileges.

  • A basic firewall configured by following the Additional Recommended Steps for New CentOS 7 Servers guide.

  • Apache installed on the CentOS 7 server with a virtual host configured. You can learn how to set this up by following our tutorial How To Install the Apache Web Server on CentOS 7. Be sure that you have a virtual host file for your domain. This tutorial will use /etc/httpd/sites-available/example.com.conf as an example.

  • You should own or control the registered domain name that you wish to use the certificate with. If you do not already have a registered domain name, you may purchase one on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.

  • A DNS A Record that points your domain to the public IP address of your server. You can follow this introduction to DigitalOcean DNS for details on how to add them with the DigitalOcean platform. DNS A records are required because of how Let’s Encrypt validates that you own the domain it is issuing a certificate for. For example, if you want to obtain a certificate for example.com, that domain must resolve to your server for the validation process to work. Our setup will use example.com and www.example.com as the domain names, both of which will require a valid DNS record.

When you have all of these prerequisites completed, move on to install the Let’s Encrypt client software.

Step 1 — Installing the Certbot Let's Encrypt Client

To use Let’s Encrypt to obtain an SSL certificate, you first need to install Certbot and mod_ssl, an Apache module that provides support for SSL v3 encryption.

The certbot package is not available through the package manager by default. You will need to enable the EPEL repository to install Certbot.

To add the CentOS 7 EPEL repository, run the following command:

  • sudo yum install epel-release

Now that you have access to the repository, install all of the required packages:

  • sudo yum install certbot python2-certbot-apache mod_ssl

During the installation process you will be asked about importing a GPG key. This key will verify the authenticity of the package you are installing. To allow the installation to finish, accept the GPG key by typing y and pressing ENTER when prompted to do so.

With these services installed, you’re now ready to run Certbot and fetch your certificates.

Step 2 — Obtaining a Certificate

Now that Certbot is installed, you can use it to request an SSL certificate for your domain.

Using the certbot Let’s Encrypt client to generate the SSL Certificate for Apache automates many of the steps in the process. The client will automatically obtain and install a new SSL certificate that is valid for the domains you provide as parameters.

To execute the interactive installation and obtain a certificate that covers only a single domain, run the certbot command with:

  • sudo certbot --apache -d example.com

This runs certbot with the --apache plugin and specifies the domain to configure the certificate for with the -d flag.

If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command, tagging each new domain or subdomain with the -d flag. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate. For this reason, pass the base domain name as first in the list, followed by any additional subdomains or aliases:

  • sudo certbot --apache -d example.com -d www.example.com

The base domain in this example is example.com.

The certbot utility can also prompt you for domain information during the certificate request procedure. To use this functionality, call certbot without any domains:

  • sudo certbot --apache

The program will present you with a step-by-step guide to customize your certificate options. It will ask you to provide an email address for lost key recovery and notices, and then prompt you to agree to the terms of service. If you did not specify your domains on the command line, you will be prompted for that as well. If your Virtual Host files do not specify the domain they serve explicitly using the ServerName directive, you will be asked to choose the virtual host file. In most cases, the default ssl.conf file will work.

You will also be able to choose between enabling both http and https access or forcing all requests to redirect to https. For better security, it is recommended to choose the option 2: Redirect if you do not have any special need to allow unencrypted connections. Select your choice then hit ENTER.

Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

When the installation is successfully finished, you will see a message similar to this:

Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-08-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The generated certificate files will be available within a subdirectory named after your base domain in the /etc/letsencrypt/live directory.

Now that your certificates are downloaded, installed, and loaded, you can check your SSL certificate status to make sure that everything is working.

Step 3 — Checking your Certificate Status

At this point, you can ensure that Certbot created your SSL certificate correctly by using the SSL Server Test from the cloud security company Qualys.

Open the following link in your preferred web browser, replacing example.com with your base domain:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com

You will land on a page that immediately begins testing the SSL connection to your server:

Once the test starts running, it may take a few minutes to complete. The status of the test will update in your browser.

When the testing finishes, the page will display a letter grade that rates the security and quality of your server’s configuration. At the time of this writing, default settings will give an A rating:

For more information about how SSL Labs determines these grades, check out the SSL Labs Grading post detailing the updates made to the grading scheme in January, 2018.

Try reloading your website using https:// and notice your browser’s security indicator. It will now indicate that the site is properly secured, usually with a green lock icon.

With your SSL certificate up and verified, the next step is to set up auto-renewal for your certificate to keep your certificate valid.

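The SSL Labs test checks the certificate from the outside; the check below, an added example that is not part of the DigitalOcean tutorial, confirms the same thing from the server itself by reading the expiry of the certificate Certbot installed and flagging it once it is inside the 30-day window that certbot renew acts on. It assumes the Step 2 path /etc/letsencrypt/live/example.com/fullchain.pem and that the openssl command line tool is present; the date arithmetic is done in plain POSIX shell so the script does not depend on GNU date.

```shell
#!/bin/sh
# Added example (not from the tutorial): days left on the installed certificate.
# Usage: sh check-cert.sh /etc/letsencrypt/live/example.com/fullchain.pem

# Month abbreviation as printed by openssl -> month number.
month_num() {
    case "$1" in
        Jan) echo 1 ;; Feb) echo 2 ;; Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;; Jun) echo 6 ;; Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# Days since 1970-01-01 for a Gregorian Y M D, using integer shell arithmetic
# only (the "days from civil" formula), so no GNU date -d is required.
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    yoe=$((y % 400))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( (y / 400) * 146097 + doe - 719468 ))
}

# Days from today (YYYY-MM-DD) until an openssl notAfter value such as
# "Aug 14 12:00:00 2019 GMT"; negative once the certificate has expired.
cert_days_left() {
    set -- $1 "$2"                 # split into: Mon Day Time Year Zone Today
    m=$(month_num "$1") || return 2
    exp=$(days_from_civil "$4" "$m" "$2")
    ty=${6%%-*}; tm=${6#*-}; tm=${tm%%-*}; td=${6##*-}
    now=$(days_from_civil "$ty" "${tm#0}" "${td#0}")   # strip leading zeros
    echo $((exp - now))
}

# Read the live certificate; return 1 inside the renewal window so a
# monitoring job can alert if the cron renewal has silently stopped working.
check_live_cert() {
    enddate=$(openssl x509 -noout -enddate -in "$1") || return 2
    left=$(cert_days_left "${enddate#notAfter=}" "$(date -u +%Y-%m-%d)")
    if [ "$left" -lt 30 ]; then
        echo "RENEW: $1 expires in $left days (certbot renew should have run)"
        return 1
    fi
    echo "OK: $1 valid for $left more days"
}

if [ -n "${1:-}" ]; then check_live_cert "$1"; fi
```

With the certificate from Step 2 (expiring 2019-08-14), the check reports 90 days on the day of issue and starts returning 1 from 2019-07-15 on, which is when certbot renew would actually renew it.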
Step 4 — Setting Up Auto Renewal

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. Because of this, it is a best practice to automate this process to periodically check and renew the certificate.

First, let’s examine the command that you will use to renew the certificate. The certbot Let’s Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date. By using the --dry-run option, you can run a simulation of this task to test how renew works:

  • sudo certbot renew --dry-run

The output should look similar to this:

Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
...

Notice that if you created a bundled certificate with multiple domains, only the base domain name will be shown in the output, but the renewal will be valid for all domains included in this certificate.

A practical way to ensure your certificates will not get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day.

The official Certbot documentation recommends running cron twice per day. This will ensure that, in case Let’s Encrypt initiates a certificate revocation, there will be no more than half a day before Certbot renews your certificate.

Edit the crontab to create a new job that will run the renewal twice per day. To edit the crontab for the root user, run:

  • sudo crontab -e

Your text editor will open the default crontab which is an empty text file at this point. This tutorial will use the vi text editor. To learn more about this text editor and its successor vim, check out our Installing and Using the Vim Text Editor on a Cloud Server tutorial.

Enter insert mode by pressing i and add in the following line:

crontab
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

When you’re finished, press ESC to leave insert mode, then :wq and ENTER to save and exit the file. This will create a new cron job that will execute at noon and midnight every day. Adding an element of randomness to your cron jobs will ensure that hourly jobs do not all happen at the same minute, causing a server spike; python -c 'import random; import time; time.sleep(random.random() * 3600)' will select a random minute within the hour for your renewal tasks.

For more information on how to create and schedule cron jobs, you can check our How to Use Cron to Automate Tasks in a VPS guide. More detailed information about renewal can be found in the Certbot documentation.

Conclusion

In this guide you installed the Let’s Encrypt Certbot client, downloaded SSL certificates for your domain, and set up automatic certificate renewal. If you have any questions about using Certbot, you can check the official Certbot documentation. We also recommend that you check the official Let’s Encrypt blog for important updates from time to time.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7
