Introduction
Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.
In this tutorial, you will use Certbot to obtain a free SSL certificate for Apache on Ubuntu 18.04 and set up your certificate to renew automatically.
This tutorial will use a separate Apache virtual host file instead of the default configuration file. We recommend creating new Apache virtual host files for each domain because it helps to avoid common mistakes and maintains the default files as a fallback configuration.
Prerequisites
To follow this tutorial, you will need:
One Ubuntu 18.04 server set up by following this initial server setup for Ubuntu 18.04 tutorial, including a sudo non-root user and a firewall.
A fully registered domain name. This tutorial will use your_domain as an example throughout. You can purchase a domain name on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.
Both of the following DNS records set up for your server. You can follow this introduction to DigitalOcean DNS for details on how to add them.
An A record with your_domain pointing to your server’s public IP address.
An A record with www.your_domain pointing to your server’s public IP address.
Apache installed by following How To Install Apache on Ubuntu 18.04. Be sure that you have a virtual host file for your domain. This tutorial will use /etc/apache2/sites-available/your_domain.conf as an example.
Step 1 — Installing Certbot
The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server.
Certbot is in very active development, so the Certbot packages provided by Ubuntu tend to be outdated. At the time this tutorial was written, the Certbot developers maintained an Ubuntu software repository (PPA) with up-to-date versions, so we’ll use that repository. Note that the Certbot project has since deprecated this PPA in favour of its snap package; on a current system, follow the installation instructions on the Certbot website instead of adding the PPA.
First, add the repository:
sudo add-apt-repository ppa:certbot/certbot
You’ll need to press ENTER to accept.
Install Certbot’s Apache package with apt:
sudo apt install python-certbot-apache
Certbot is now ready to use, but in order for it to configure SSL for Apache, we need to verify some of Apache’s configuration.
Step 2 — Set Up the SSL Certificate
Certbot needs to be able to find the correct virtual host in your Apache configuration for it to automatically configure SSL. Specifically, it does this by looking for a ServerName (or ServerAlias) directive that matches the domain you request a certificate for.
If you followed the virtual host set up step in the Apache installation tutorial, you should have a VirtualHost block for your domain at /etc/apache2/sites-available/your_domain.conf with the ServerName directive already set appropriately.
To check, open the virtual host file for your domain using nano or your favorite text editor:
sudo nano /etc/apache2/sites-available/your_domain.conf
Find the existing ServerName line. It should look like this:
...
ServerName your_domain
...
If it does, exit your editor and move on to the next step.
If it doesn’t, update it to match. Apache directives are not terminated with a semicolon (unlike Nginx); a trailing ; would become part of the host name and Certbot would not match it. Then save the file, quit your editor, and verify the syntax of your configuration edits:
sudo apache2ctl configtest
If you get an error, reopen the virtual host file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Apache to load the new configuration:
sudo systemctl reload apache2
Certbot can now find the correct VirtualHost block and update it.
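As an added pre-flight check before running Certbot (an example script written for this page, not part of the original tutorial or of Certbot), the following POSIX shell script lists every host name declared by ServerName or ServerAlias in a virtual host file and confirms that each name you intend to put on the certificate is present. It takes the file path followed by the domain names as arguments; with no arguments it runs against a constructed sample virtual host so it can be tried offline. The comparison is exact, so the stray-semicolon mistake described above shows up as a missing name.

```shell
#!/bin/sh
# Pre-flight check: does the Apache vhost file declare the names we are about
# to request a certificate for? Added example, not part of the tutorial.
#
# Usage: sh check_vhost.sh /etc/apache2/sites-available/your_domain.conf your_domain www.your_domain

# Print every host name declared by ServerName or ServerAlias in FILE, one per
# line. Comments are stripped first; directive names are case-insensitive.
vhost_names() {
    sed -e 's/#.*//' "$1" \
        | awk 'tolower($1) == "servername" || tolower($1) == "serveralias" {
                   for (i = 2; i <= NF; i++) print $i }'
}

# Return 0 if NAME is declared exactly (whole line, no glob) in FILE, else 1.
# "your_domain;" (Nginx-style semicolon) is therefore reported as missing.
vhost_covers() {
    vhost_names "$1" | grep -qxF "$2"
}

# Check every NAME given after FILE; print a verdict per name and return the
# number of names that are missing (0 means the vhost is ready for certbot).
check_vhost() {
    file=$1
    shift
    missing=0
    for name in "$@"; do
        if vhost_covers "$file" "$name"; then
            echo "ok       $name is declared in $file"
        else
            echo "MISSING  $name is not declared in $file (add ServerName or ServerAlias)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample vhost (not a real configuration) used when no arguments
# are given, so the script can be demonstrated offline. Prints the file path.
write_sample_vhost() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName your_domain
    ServerAlias www.your_domain   # the www form must be declared as well
    DocumentRoot /var/www/your_domain
</VirtualHost>
EOF
    echo "$f"
}

if [ "$#" -ge 2 ]; then
    check_vhost "$@"
    rc=$?
    # Let Apache itself validate the whole configuration too.
    if command -v apache2ctl >/dev/null 2>&1; then sudo apache2ctl configtest; fi
    exit "$rc"
else
    sample=$(write_sample_vhost)
    check_vhost "$sample" your_domain www.your_domain
    rm -f "$sample"
fi
```

Run it once per virtual host before invoking certbot; a non-zero exit means at least one requested name would not be found by the Apache plugin.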
Next, let’s update the firewall to allow HTTPS traffic.
Step 3 — Allowing HTTPS Through the Firewall
If you have the ufw firewall enabled, as recommended by the prerequisite guides, you’ll need to adjust the settings to allow for HTTPS traffic. Luckily, Apache registers a few profiles with ufw upon installation.
You can see the current setting by typing:
sudo ufw status
It will probably look like this, meaning that only HTTP traffic is allowed to the web server:
Output
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Apache ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Apache (v6) ALLOW Anywhere (v6)
To additionally let in HTTPS traffic, allow the Apache Full profile and delete the redundant Apache profile allowance:
sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'
Your status should now look like this:
sudo ufw status
Output
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Apache Full ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Apache Full (v6) ALLOW Anywhere (v6)
Next, let’s run Certbot and fetch our certificates.
Step 4 — Obtaining an SSL Certificate
Certbot provides a variety of ways to obtain SSL certificates through plugins. The Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary. To use this plugin, type the following:
sudo certbot --apache -d your_domain -d www.your_domain
This runs certbot with the --apache plugin, using -d to specify the names you’d like the certificate to be valid for.
If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for. With the Apache plugin this is the HTTP-01 challenge: Let’s Encrypt fetches a token from your server over plain HTTP, so port 80 must be reachable from the internet and the DNS records from the prerequisites must already point at this server.
If that’s successful, certbot will ask how you’d like to configure your HTTPS settings:
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select your choice then hit ENTER. The configuration will be updated, and Apache will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:
Output
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your_domain/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your_domain/privkey.pem
Your cert will expire on 2018-07-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a lock icon. If you test your server using the SSL Labs Server Test, it should get an A grade.
Let’s finish by testing the renewal process.
Step 5 — Verifying Certbot Auto-Renewal
The certbot package we installed sets up renewal in two ways: it installs a cron entry at /etc/cron.d/certbot and a systemd timer called certbot.timer. On a systemd-based system such as Ubuntu 18.04 the cron entry detects systemd and does nothing, so the timer is what actually runs certbot renew. Either way, renewal is attempted twice a day, and any certificate that is within thirty days of expiration is renewed automatically.
To check the status of this service and make sure it’s active and running, you can use:
sudo systemctl status certbot.timer
You’ll get output similar to this:
Output
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Tue 2020-04-28 17:57:48 UTC; 17h ago
Trigger: Wed 2020-04-29 23:50:31 UTC; 12h left
Triggers: ● certbot.service
Apr 28 17:57:48 fine-turtle systemd[1]: Started Run certbot twice daily.
To test the renewal process, you can do a dry run with certbot:
sudo certbot renew --dry-run
If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Apache to pick up the changes. Let’s Encrypt has historically emailed the address you registered when a certificate was about to expire without having been renewed, but it has since announced the end of these expiration notifications, so do not treat email as your renewal monitoring: check the timer and the certificate’s expiry date yourself.
Conclusion
In this tutorial, you installed the Let’s Encrypt client certbot, downloaded SSL certificates for your domain, configured Apache to use these certificates, and set up automatic certificate renewal. If you have further questions about using Certbot, their documentation is a good place to start.