How To Secure Apache with Let's Encrypt on Debian 10

Introduction

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.

In this tutorial, you will use Certbot to obtain a free SSL certificate for Apache on Debian 10 and set up your certificate to renew automatically.

This tutorial will use a separate Apache virtual host file instead of the default configuration file. We recommend creating new Apache virtual host files for each domain because it helps to avoid common mistakes and maintains the default files as a fallback configuration.

Prerequisites

To follow this tutorial, you will need:

  • One Debian 10 server set up by following this initial server setup for Debian 10 tutorial, including a non-root user with sudo privileges and a firewall.

  • A fully registered domain name. This tutorial will use your_domain as an example throughout. You can purchase a domain name on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.

  • Both of the following DNS records set up for your server. To set these up, you can follow these instructions for adding domains and then these instructions for creating DNS records.

    • An A record with your_domain pointing to your server’s public IP address.

    • An A record with www.your_domain pointing to your server’s public IP address.

  • Apache installed by following How To Install Apache on Debian 10. Be sure that you have a virtual host file set up for your domain. This tutorial will use /etc/apache2/sites-available/your_domain.conf as an example.

Step 1 — Installing Certbot

The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server.

As of this writing, Certbot is not available from the Debian software repositories by default. In order to download the software using apt, you will need to add the backports repository to your sources.list file where apt looks for package sources. Backports are packages from Debian’s testing and unstable distributions that are recompiled so they will run without new libraries on stable Debian distributions.

To add the backports repository, open (or create) the sources.list file in your /etc/apt/ directory:

  • sudo nano /etc/apt/sources.list

At the bottom of the file, add the following line:

/etc/apt/sources.list
. . .
deb http://mirrors.digitalocean.com/debian buster-backports main
deb-src http://mirrors.digitalocean.com/debian buster-backports main
deb http://ftp.debian.org/debian buster-backports main

The main component holds packages that are Debian Free Software Guidelines (DFSG)-compliant; the non-free and contrib components hold packages that are either not DFSG-compliant themselves or depend on packages in that category. The lines above enable only main for buster-backports, and that is all Certbot needs, since python-certbot-apache is packaged in main.

Save and close the file by pressing CTRL+X, Y, then ENTER, then update your package lists:

  • sudo apt update

Then install Certbot with the following command. Note that the -t option tells apt to search for the package by looking in the backports repository you just added:

  • sudo apt install python-certbot-apache -t buster-backports

Certbot is now ready to use, but in order for it to configure SSL for Apache, we need to verify that Apache has been configured correctly.

Step 2 — Setting Up the SSL Certificate

Certbot needs to be able to find the correct virtual host in your Apache configuration for it to automatically configure SSL. Specifically, it does this by looking for a ServerName directive that matches the domain you request a certificate for.

If you followed the virtual host setup step in the Apache installation tutorial, you should have a VirtualHost block for your domain at /etc/apache2/sites-available/your_domain.conf with the ServerName directive already set appropriately.

To check, open the virtual host file for your domain using nano or your favorite text editor:

  • sudo nano /etc/apache2/sites-available/your_domain.conf

Find the existing ServerName line. It should look like this, with your own domain name instead of your_domain:

/etc/apache2/sites-available/your_domain.conf
...
ServerName your_domain
...

If it doesn’t already, update the ServerName directive to point to your domain name. Then save the file, quit your editor, and verify the syntax of your configuration edits:

  • sudo apache2ctl configtest

If there aren’t any syntax errors, you will see this in your output:

Output
Syntax OK

If you get an error, reopen the virtual host file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Apache to load the new configuration:

  • sudo systemctl reload apache2

Certbot can now find the correct VirtualHost block and update it.
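Certbot's Apache plugin picks the VirtualHost by matching the requested domain against ServerName and ServerAlias values, so it is worth checking that match before running certbot at all. The following pre-flight script is an added example, not part of the original tutorial or of Certbot itself; the config files and the example.test domain it creates are constructed for the demo, and the functions take any vhost file and domain list you pass them. It deliberately rejects a ServerName ending in a semicolon, the Nginx-style typo that makes the plugin fail to find the block.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a pre-flight check that
# mirrors how Certbot's Apache plugin selects a VirtualHost, by looking for a
# ServerName (or ServerAlias) whose value is exactly the requested domain.
# Running it before "certbot --apache" catches the two mistakes that make the
# plugin fail to find the block: a ServerName that still says "your_domain"
# and a stray trailing ';' copied from Nginx syntax.
#
# The file and domain names below are constructed for the demo.

# vhost_has_name FILE DOMAIN
# Prints each matching directive and returns 0 if FILE carries a ServerName or
# ServerAlias equal to DOMAIN (comments stripped, case-insensitive directive
# name); returns 1 when no directive matches.
vhost_has_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                                   # drop comments
        tolower($1) == "servername" || tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print FILENAME ": " $0; found = 1 }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# vhost_check FILE DOMAIN...
# Runs vhost_has_name for every domain you intend to pass to "certbot -d" and
# explains the most common reason for a miss. Returns 1 if any domain is absent.
vhost_check() {
    file=$1; shift
    rc=0
    for d in "$@"; do
        if vhost_has_name "$file" "$d"; then
            continue
        fi
        rc=1
        echo "MISSING: no ServerName/ServerAlias equal to '$d' in $file"
        if grep -Eiq "^[[:space:]]*Server(Name|Alias)[[:space:]]+.*;" "$file"; then
            echo "  hint: a ServerName line ends in ';' - remove it, Apache takes no semicolon"
        fi
    done
    return $rc
}

# --- demo on constructed files (drop this part when using the functions for real) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.test
    ServerAlias www.example.test   # an alias also satisfies certbot
    DocumentRoot /var/www/example.test
</VirtualHost>
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.test;
</VirtualHost>
EOF
echo "== good.conf"; vhost_check "$demo_dir/good.conf" example.test www.example.test
echo "== bad.conf";  vhost_check "$demo_dir/bad.conf" example.test || true
rm -rf "$demo_dir"
```

On a real host you would call vhost_check with /etc/apache2/sites-available/your_domain.conf and the same list of names you are about to give certbot with -d; a non-zero exit means certbot would not find the block and you should fix the file first.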

Next, let’s update the firewall to allow HTTPS traffic.

Step 3 — Allowing HTTPS Through the Firewall

If you have the ufw firewall enabled, as recommended by the prerequisite guides, you’ll need to adjust the settings to allow for HTTPS traffic. Luckily, when installed on Debian, ufw comes packaged with a few profiles that help to simplify the process of changing firewall rules for HTTP and HTTPS traffic.

You can see the current setting by typing:

  • sudo ufw status

If you followed the Step 2 of our guide on How to Install Apache on Debian 10, the output of this command will look like this, showing that only HTTP traffic is allowed to the web server:

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
WWW                        ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
WWW (v6)                   ALLOW       Anywhere (v6)

To additionally let in HTTPS traffic, allow the “WWW Full” profile and delete the redundant “WWW” profile allowance:

  • sudo ufw allow 'WWW Full'

  • sudo ufw delete allow 'WWW'

Your status should now look like this:

  • sudo ufw status

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
WWW Full                   ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
WWW Full (v6)              ALLOW       Anywhere (v6)

Next, let’s run Certbot and fetch our certificates.

Step 4 — Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary. To use this plugin, type the following:

  • sudo certbot --apache -d your_domain -d www.your_domain

This runs certbot with the --apache plugin, using -d to specify the names for which you’d like the certificate to be valid.

If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. Additionally, it will ask if you’re willing to share your email address with the Electronic Frontier Foundation, a nonprofit organization that advocates for digital rights and is also the maker of Certbot. Feel free to enter Y to share your email address or N to decline.

After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.

If that’s successful, certbot will ask how you’d like to configure your HTTPS settings:

Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice then hit ENTER. The configuration will be updated automatically, and Apache will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:

Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your cert will expire on 2019-10-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

Let’s finish by testing the renewal process.

Step 5 — Verifying Certbot Auto-Renewal

Let’s Encrypt certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

To test the renewal process, you can do a dry run with certbot:

  • sudo certbot renew --dry-run

If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Apache to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.
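The dry run proves that renewal can work today, but it does not tell you later whether the twice-daily cron job kept working. The script below is an added example, not part of the tutorial or of the certbot package: it reads a certificate's notAfter date with openssl and applies the same thirty-day window the text describes, so a stalled renewal shows up in your own monitoring rather than only in the expiry e-mail. The threshold and the /etc/letsencrypt path are taken from the text above; the self-signed certificate in the demo is constructed on the spot, and the date arithmetic relies on GNU date's -d option.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the thirty-day rule the
# cron job applies, reproduced as a small check you can run by hand or from
# monitoring. It reads the certificate's notAfter date with openssl and
# reports how many days remain, so a silently failing renewal is noticed
# before the expiry e-mail arrives. The threshold matches the text above;
# the demo certificate at the bottom is constructed.

RENEW_WITHIN_DAYS=30   # certbot renews anything within thirty days of expiry

# days_left NOTAFTER_LINE [NOW_EPOCH]
# NOTAFTER_LINE is the "notAfter=Oct 20 12:00:00 2019 GMT" form printed by
# "openssl x509 -enddate -noout". Prints whole days remaining (0 on the last
# day, negative once a full day past expiry). NOW_EPOCH defaults to the current
# time; pass it explicitly for reproducible checks. Requires GNU date for -d.
days_left() {
    raw=${1#notAfter=}
    now=${2:-$(date -u +%s)}
    exp=$(date -u -d "$raw" +%s) || return 2
    echo $(( (exp - now) / 86400 ))
}

# renewal_status DAYS
# Prints "expired", "renewal-due" (inside the window, so certbot should
# already have renewed) or "ok".
renewal_status() {
    if [ "$1" -lt 0 ]; then
        echo expired
    elif [ "$1" -le "$RENEW_WITHIN_DAYS" ]; then
        echo renewal-due
    else
        echo ok
    fi
}

# check_cert CERT_FILE
# Combines the two: prints "<status> <days> <file>" and returns non-zero for
# anything other than "ok", so it can drive an alert from cron or a monitor.
check_cert() {
    enddate=$(openssl x509 -enddate -noout -in "$1") || return 2
    days=$(days_left "$enddate") || return 2
    status=$(renewal_status "$days")
    echo "$status $days $1"
    [ "$status" = ok ]
}

# --- demo on a constructed self-signed certificate ---
# On a real host you would point check_cert at
# /etc/letsencrypt/live/your_domain/fullchain.pem, which only root can read.
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
        -subj "/CN=example.test" \
        -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" 2>/dev/null
    check_cert "$demo_dir/cert.pem" || echo "  -> inside the window: certbot renew should already have replaced this one"
    rm -rf "$demo_dir"
fi
```

Run check_cert as root against the live fullchain.pem from cron or your monitoring agent; a "renewal-due" result that persists for more than a day means the automatic renewal is failing and "sudo certbot renew" should be run by hand to see the error.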

Conclusion

In this tutorial, you installed the Let’s Encrypt client certbot, downloaded SSL certificates for your domain, configured Apache to use these certificates, and set up automatic certificate renewal. If you have further questions about using Certbot, their documentation is a good place to start.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10
