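This post records a few pitfalls I ran into while upgrading my website from HTTP to HTTPS and requesting and installing an SSL certificate.
Installation environment:
Operating system: CentOS 6 x64
SSL certificate source: Let's Encrypt
Installation script: acme.sh
Server: apache2
This is the script I used for the installation. It is best to run it step by step, so that if something goes wrong it does not carry on and try to install an expired certificate.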
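
    #!/bin/sh
    # Fetch the acme.sh installer and run it
    curl https://get.acme.sh | sh
    # The installer places acme.sh in ~/.acme.sh/ and adds a shell alias;
    # open a new shell (or call ~/.acme.sh/acme.sh directly) before the next steps
    # Request the certificate. It is renewed automatically every 60 days.
    # Remember to replace www.dreamoftime0.com with your own domain.
    acme.sh --issue -d www.dreamoftime0.com --apache
    # Install the certificate
    acme.sh --installcert -d www.dreamoftime0.com \
        --cert-file /etc/httpd/ssl/dreamoftime0.com.pem \
        --key-file /etc/httpd/ssl/dreamoftime0.com.key \
        --fullchain-file /etc/httpd/ssl/dreamoftime0.com.cer \
        --reloadcmd "service httpd force-reload"
    # Important: the files named here are output files that acme.sh writes to, not input files
    # enjoy the https
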
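Finally, remember to update Apache's SSL configuration.
Parameters that need to be changed:
ServerName: set to www.example.com:443
SSLCertificateFile: set to the location of the certificate file, i.e. the value of --cert-file in the certificate install command
SSLCertificateKeyFile: set to the location of the certificate key file, i.e. the value of --key-file in the certificate install command
SSLCertificateChainFile: set to the location of the full certificate chain, i.e. the value of --fullchain-file in the certificate install command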
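
One way to confirm that the three directives above point at files the install command actually wrote, and that the private key is not readable by other users. This is an added example, not part of the original post; the helper names get_directive and check_ssl_conf are made up here, and it assumes each directive appears once with a path that contains no spaces.

```shell
#!/bin/sh
# Added example, not from the original post. get_directive and
# check_ssl_conf are hypothetical helper names.

# Print the value of the first uncommented occurrence of directive $2 in file $1.
get_directive() {
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Check that each certificate directive points at a non-empty file (i.e. the
# acme.sh install step really wrote its output there) and that the private
# key has no group/other permission bits. Returns the number of problems.
check_ssl_conf() {
    conf=$1
    problems=0
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        path=$(get_directive "$conf" "$d")
        if [ -z "$path" ]; then
            echo "MISSING $d is not set in $conf"
            problems=$((problems + 1))
        elif [ ! -s "$path" ]; then
            echo "EMPTY   $d -> $path (file missing or empty)"
            problems=$((problems + 1))
        else
            echo "OK      $d -> $path"
        fi
    done
    key=$(get_directive "$conf" SSLCertificateKeyFile)
    if [ -n "$key" ] && [ -e "$key" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -lLd "$key" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "PERMS   $key is accessible to group/other; chmod 600 it"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Usage: sh check_ssl.sh /etc/httpd/conf.d/ssl.conf
if [ "$#" -gt 0 ]; then
    check_ssl_conf "$1"
fi
```

Run it after the install step and before reloading httpd; a non-zero exit status is the number of problems found.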
The following is a reference SSL configuration file:

    # /etc/httpd/conf.d/ssl.conf
    #
    # This is the Apache server configuration file providing SSL support.
    # It contains the configuration directives to instruct the server how to
    # serve pages over an https connection. For detailing information about these
    # directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
    #
    # Do NOT simply read the instructions in here without understanding
    # what they do. They're here only as hints or reminders. If you are unsure
    # consult the online docs. You have been warned.
    #

    LoadModule ssl_module modules/mod_ssl.so

    #
    # When we also provide SSL we have to listen to the
    # the HTTPS port in addition.
    #
    Listen 443

    ##
    ## SSL Global Context
    ##
    ## All SSL configuration in this context applies both to
    ## the main server and all SSL-enabled virtual hosts.
    ##

    # Pass Phrase Dialog:
    # Configure the pass phrase gathering process.
    # The filtering dialog program (`builtin' is a internal
    # terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog builtin

    # Inter-Process Session Cache:
    # Configure the SSL Session Cache: Firs