This article is based on https://www.howtoing.com/install-free-lets-encrypt-ssl-certificate-for-apache-on-debian-and-ubuntu; thanks to the author for sharing.
Environment used in this example
- ubuntu (Version 16.04.1 LTS)
ubuntu@VM-0-7-ubuntu:~$ sudo lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
- apache
ubuntu@VM-0-7-ubuntu:~$ apache2 -v
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-06-07T19:43:03
- git
ubuntu@VM-0-7-ubuntu:~$ git --version
git version 2.7.4
Steps
- Enable the SSL module in Apache
ubuntu@VM-0-7-ubuntu:~$ sudo a2enmod ssl # enable ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart
ubuntu@VM-0-7-ubuntu:~$ sudo a2ensite default-ssl.conf
Enabling site default-ssl.
To activate the new configuration, you need to run:
service apache2 reload
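ubuntu@VM-0-7-ubuntu:~$ sudo service apache2 restart # restart apache
At this point you can visit https://yourdomain.com (the browser will warn that the site is not secure because there is no certificate yet).
- Download the letsencrypt client with git
ubuntu@VM-0-7-ubuntu:~$ cd /usr/local # choose the directory to place the files in
ubuntu@VM-0-7-ubuntu:/usr/local$ sudo git clone https://github.com/letsencrypt/letsencrypt # download letsencrypt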
Cloning into 'letsencrypt'...
remote: Enumerating objects: 45, done.
remote: Counting objects: 100% (45/45), done.
remote: Compressing objects: 100% (42/42), done.
remote: Total 61779 (delta 17), reused 8 (delta 3), pack-reused 61734
Receiving objects: 100% (61779/61779), 20.25 MiB | 7.59 MiB/s, done.
Resolving deltas: 100% (44899/44899), done.
Checking connectivity... done.
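- Generate the SSL certificate for Apache
Here my own domain, www.freelancerman.cn, is used as the example; replace it with the domain you need SSL for. The domain must already serve a page that can be reached successfully.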
ubuntu@VM-0-7-ubuntu:/usr/local$ cd letsencrypt
ubuntu@VM-0-7-ubuntu:/usr/local/letsencrypt$ ls
acme certbot-auto certbot-dns-dnsimple certbot-dns-luadns certbot-dns-sakuracloud docker-compose.yml examples LICENSE.txt pull_request_template.md setup.py
appveyor.yml certbot-compatibility-test certbot-dns-dnsmadeeasy certbot-dns-nsone certbot-nginx Dockerfile ISSUE_TEMPLATE.md linter_plugin.py pytest.ini tests
AUTHORS.md certbot-dns-cloudflare certbot-dns-gehirn certbot-dns-ovh certbot-postfix Dockerfile-dev letsencrypt-auto local-oldest-requirements.txt README.rst tools
certbot certbot-dns-cloudxns certbot-dns-google certbot-dns-rfc2136 CHANGELOG.md Dockerfile-old letsencrypt-auto-source MANIFEST.in readthedocs.org.requirements.txt tox.cover.py
certbot-apache certbot-dns-digitalocean certbot-dns-linode certbot-dns-route53 CONTRIBUTING.md docs letshelp-certbot mypy.ini setup.cfg tox.ini
ubuntu@VM-0-7-ubuntu:/usr/local/letsencrypt$ sudo ./letsencrypt-auto --apache -d www.freelancerman.cn
....
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): ggluopeihai@gmail.com # enter your email address; a reminder is sent to it when the certificate is close to expiry
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A # agree
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y #yes
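To check the certificate status of the domain when it is accessed over SSL, visit: https://www.ssllabs.com/ssltest/analyze.html?d=www.freelancerman.cn
- Error encountered in this environment (see the official explanation):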
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
main()
File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
symlink=options.symlink)
File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
download=download,
File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
% (cmd_desc, proc.returncode))
OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2
pip needs to be upgraded, but pip cannot be upgraded in place on Ubuntu 16.04, so here we upgrade pip by downloading the installer with wget.
ubuntu@VM-0-7-ubuntu:~$ sudo apt-get update
ubuntu@VM-0-7-ubuntu:~$ sudo apt-get upgrade
ubuntu@VM-0-7-ubuntu:~$ wget https://bootstrap.pypa.io/get-pip.py
ubuntu@VM-0-7-ubuntu:~$ sudo python3 get-pip.py
ubuntu@VM-0-7-ubuntu:~$ sudo pip -V
pip 18.1 from /usr/local/lib/python3.5/dist-packages/pip (python 3.5) # upgrade succeeded
ubuntu@VM-0-7-ubuntu:~$ sudo apt-get purge python-virtualenv python3-virtualenv virtualenv # remove 2.7
ubuntu@VM-0-7-ubuntu:~$ sudo pip install virtualenv
ubuntu@VM-0-7-ubuntu:/usr/local/letsencrypt$ sudo pip -V
pip 18.1 from /usr/local/lib/python3.5/dist-packages/pip (python 3.5)
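- Automatically renew the certificate
The certificate is valid for 90 days and must be renewed before then. Here we switch to root and use /etc/crontab to renew the certificate automatically on the 1st of the month and write the output to a log.
ubuntu@VM-0-7-ubuntu:/etc$ sudo su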
root@VM-0-7-ubuntu:/etc# vim crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
......
# renew the certificate at the scheduled time
0 1 1 */2 * root cd /usr/local/letsencrypt && ./letsencrypt-auto certonly --apache --renew-by-default -d www.freelancerman.cn >> /var/log/domain.tld-renew.log 2>&1
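
The cron job above runs unattended and only appends to a log, so a renewal that fails silently goes unnoticed until the 90-day certificate expires. The following POSIX shell check is an added example, not part of the original article: it reports when a certificate is inside a renewal window. The function names, the 30-day default threshold and the certificate path in the usage comment (certbot's default location) are assumptions.

```sh
#!/bin/sh
# Added example, not from the original article.
# Usage: sh cert_check.sh CERT_PEM [DAYS]
#   e.g. /etc/letsencrypt/live/www.freelancerman.cn/cert.pem (assumed certbot default path)

# make_sample_cert DIR DAYS: constructed throwaway self-signed certificate,
# valid for DAYS days, used only to try the check offline.
make_sample_cert() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# renewal_due CERT_PEM DAYS
#   0 = expires within DAYS days (or already expired): renewal is due
#   1 = still valid DAYS days from now
#   2 = file missing or not a parseable X.509 certificate
renewal_due() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
    # -checkend N exits 0 when the certificate is still valid N seconds from now
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_cert CERT_PEM DAYS: one log line, non-zero exit when action is needed,
# so it can run from cron right after the renewal job.
check_cert() {
    renewal_due "$1" "$2"
    case $? in
        1) echo "OK: $1 is valid for more than $2 days"; return 0 ;;
        0) echo "WARN: $1 expires within $2 days, check the renewal log"; return 1 ;;
        *) echo "ERROR: cannot read certificate $1"; return 2 ;;
    esac
}

# Run only when a certificate path is given on the command line.
if [ "$#" -ge 1 ]; then
    check_cert "$1" "${2:-30}"
fi
```

A non-zero exit from this check can drive a mail or monitoring alert, which catches the case where the renewal log shows an error nobody reads.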