Installing a Free Let's Encrypt SSL Certificate on CentOS 6 and CentOS 7


Historically, putting a personal website behind SSL was expensive and tedious. A standard certificate for a 2048-bit key cost on the order of US$150 per year, and on top of the fee the site owner had to reconfigure the web server and chase down a long tail of configuration mistakes. That was enough to keep most small and medium-sized sites away from HTTPS.

The arrival of Let's Encrypt's free certificates has greatly accelerated the adoption of HTTPS in China. Its real significance is that it brings HTTPS within reach of small and personal sites and so speeds up the move to HTTPS everywhere. Its most important contribution is the ACME protocol, the first fully automated protocol for proving control of a server's domain names to a CA, together with the infrastructure and client software that implement it. It is a first step toward addressing long-standing weaknesses in the certificate authority (CA) trust model that underpins HTTPS, TLS and X.509 PKI.

How Let's Encrypt works

[Figure: diagram of how Let's Encrypt works]

ACME automates the step in which the holder of a private key proves to the CA that it controls the domain names it is requesting a certificate for, so that no human has to exchange e-mails or paste validation codes. In the http-01 challenge used below, the client publishes a value derived from a CA-issued token and its own account key at a well-known URL on port 80 of the domain; the CA fetches that URL and compares the body with the value it expects for that account.
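The following Python simulates that http-01 exchange between an ACME client and the CA. It is an added example, not code from this article or from Certbot: the domain, account key and token are constructed test values, and the `web_root` dict stands in for the document root that Certbot would write to and that the CA would fetch over HTTP, so the whole exchange runs offline.

```python
"""Simulated ACME http-01 challenge (RFC 8555 section 8.3) with the account-key
thumbprint computed per RFC 7638.  Added example, not code from the article or
from Certbot: the account key, domain and token are constructed test values and
the `web_root` dict stands in for the web server's document root."""
import base64
import hashlib
import hmac
import json
import secrets

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the *required* public members only,
    serialised with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The value the client must publish: token '.' thumbprint(account key).
    Binding the token to the account key ties the proof of control to the
    account that asked for the certificate."""
    return token + "." + jwk_thumbprint(account_jwk)


# --- client side (what certbot does for you) ---------------------------------
def client_respond(domain: str, token: str, account_jwk: dict, web_root: dict) -> None:
    """Serve the key authorization at http://<domain>/.well-known/acme-challenge/<token>."""
    web_root["http://" + domain + CHALLENGE_PATH + token] = key_authorization(token, account_jwk)


# --- CA side -----------------------------------------------------------------
def ca_issue_token() -> str:
    """The CA picks a fresh, unpredictable token for every challenge."""
    return b64url(secrets.token_bytes(32))


def ca_validate(domain: str, token: str, account_jwk: dict, web_root: dict) -> bool:
    """Fetch the challenge URL over plain HTTP (port 80) and compare the body with
    the value recomputed from the account key the CA already holds.  Someone who
    can write files on the host but does not hold the account key cannot produce
    a matching body, so control of the account is checked along with control of
    the name.  `web_root.get` models the HTTP fetch."""
    body = web_root.get("http://" + domain + CHALLENGE_PATH + token)
    if body is None:
        return False
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(body.strip().encode("ascii", "replace"),
                               expected.encode("ascii"))


def run_exchange(attacker_writes_file: bool = False) -> bool:
    """Full exchange: CA issues a token, the client answers, the CA validates.
    With attacker_writes_file=True a party holding a different key answers."""
    domain = "www.example.com"                                   # constructed
    account_jwk = {"kty": "RSA", "e": "AQAB",                    # constructed, not a real key
                   "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1WlUzewbgBHod5tcUw"}
    attacker_jwk = {"kty": "RSA", "e": "AQAB",                   # constructed
                    "n": "AttackerKeyThatIsNotTheAcmeAccountKey_000000000000000000000000000000"}
    web_root = {}
    token = ca_issue_token()
    client_respond(domain, token, attacker_jwk if attacker_writes_file else account_jwk, web_root)
    return ca_validate(domain, token, account_jwk, web_root)


if __name__ == "__main__":
    print("honest client validated:", run_exchange())
    print("attacker without account key validated:", run_exchange(attacker_writes_file=True))
```

In the real protocol every request the client sends to the CA is a JWS signed with the same account key, and the CA performs the fetch itself from the public internet over port 80. That is why port 80 must stay reachable even on a site that only serves HTTPS: both the initial issuance and every later renewal depend on it.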

Installing Let's Encrypt on CentOS 6 and CentOS 7

Certbot, from the non-profit Electronic Frontier Foundation, is a good tool for this; we use it to obtain and install the Let's Encrypt certificate.

Step 1. Update the system

  # yum -y update

Step 2. Install the EPEL repository, which provides the up-to-date Python packages Certbot depends on.

  # yum -y install epel-release

Step 3. Install Certbot

1) CentOS 7 (packaged in EPEL):

  # yum -y install python-certbot-apache

2) CentOS 6 (no package available; use the certbot-auto wrapper script, which installs its own dependencies and runs as root):

  # wget https://dl.eff.org/certbot-auto
  # chmod 755 certbot-auto

Note that the EFF has since deprecated certbot-auto, and CentOS 6 itself is past end of life; on a current system install Certbot from your distribution's packages instead.

Step 4. Configure Let's Encrypt for Apache

Run the following command (on CentOS 7, where Certbot came from the yum package, the command is certbot rather than ./certbot-auto):

  # ./certbot-auto --apache

Follow the prompts:

  /root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Enter email address (used for urgent renewal and security notices) (Enter 'c' to
  cancel): <enter the administrator's e-mail address>

  -------------------------------------------------------------------------------
  Please read the Terms of Service at
  https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
  in order to register with the ACME server at
  https://acme-v01.api.letsencrypt.org/directory
  -------------------------------------------------------------------------------
  (A)gree/(C)ancel: A

  -------------------------------------------------------------------------------
  Would you be willing to share your email address with the Electronic Frontier
  Foundation, a founding partner of the Let's Encrypt project and the non-profit
  organization that develops Certbot? We'd like to send you email about EFF and
  our work to encrypt the web, protect its users and defend digital rights.
  -------------------------------------------------------------------------------
  (Y)es/(N)o: Y

  Which names would you like to activate HTTPS for?
  -------------------------------------------------------------------------------
  1: www.xi-chuang.com
  -------------------------------------------------------------------------------
  Select the appropriate numbers separated by commas and/or spaces, or leave input
  blank to select all options shown (Enter 'c' to cancel): 1
  Obtaining a new certificate

On success, Certbot creates four symlinks in /etc/letsencrypt/live/www.xi-chuang.com/, each pointing at the current version of the file under /etc/letsencrypt/archive/ (renewals add new versions and repoint the links, so always reference the live/ paths from Apache). cert.pem is the server certificate, chain.pem is the Let's Encrypt intermediate, fullchain.pem is cert.pem followed by chain.pem, and privkey.pem is the private key. The last one is not a certificate: it must stay readable only by root and must never be placed anywhere the web server could serve it.

  cert.pem ->
  chain.pem ->
  fullchain.pem ->
  privkey.pem ->

Step 5. Open port 443 in the iptables firewall

Add the rule below to /etc/sysconfig/iptables, above the final REJECT rule, then restart the service. Keep port 80 open as well: the ACME http-01 validation used at issuance and at every renewal is performed over plain HTTP. On CentOS 7, which ships firewalld rather than the iptables service by default, allow the https service in firewalld instead.

  -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
  # service iptables restart

Step 6. Edit ssl.conf

If you let the Apache plugin install the certificate in the previous step, Certbot has already written an SSL virtual host for the site; check what it generated before editing by hand. To configure it manually instead, point the SSL virtual host at the live/ symlinks:

  vi /etc/httpd/conf.d/ssl.conf

  # General setup for the virtual host, inherited from global configuration
  DocumentRoot "/var/www/html/xi-chuang.com"
  ServerName www.xi-chuang.com:443
  ...
  SSLCertificateFile /etc/letsencrypt/live/www.xi-chuang.com/fullchain.pem
  ...
  SSLCertificateKeyFile /etc/letsencrypt/live/www.xi-chuang.com/privkey.pem
  ...

One caveat: only Apache 2.4.8 and later read the intermediate certificates appended to SSLCertificateFile. The httpd shipped with CentOS 6 (2.2) and stock CentOS 7 (2.4.6) loads just the first certificate from that file, so on those versions also set SSLCertificateChainFile to chain.pem in the same directory; otherwise clients that do not already have the Let's Encrypt intermediate will report an incomplete chain. Then restart Apache:

  # service httpd restart

Step 7. The site can now be reached over HTTPS; try it in a browser.

Finally, redirect plain-HTTP traffic to HTTPS with a 301 via .htaccess (this requires mod_rewrite and AllowOverride for the directory; the same rules can go directly into the port-80 virtual host). The second rule also canonicalises any other host name, such as the bare domain, to www.xi-chuang.com:

  RewriteEngine On
  # Requests that arrived on port 80 go to the HTTPS site
  RewriteCond %{SERVER_PORT} 80
  RewriteRule ^(.*)$ https://www.xi-chuang.com/$1 [R=301,L]
  # Any other host name (dots escaped so they match literally) goes to the canonical name
  RewriteCond %{HTTP_HOST} !^www\.xi-chuang\.com$ [NC]
  RewriteRule ^(.*)$ https://www.xi-chuang.com/$1 [L,R=301]

Step 8. Done.

Note: Let's Encrypt certificates are valid for 90 days, so renewal must be automated. Run Certbot's renew command from a daily cron job (it only replaces certificates that have less than 30 days left, so running it often is harmless) and reload httpd after a renewal so Apache picks up the new files from the live/ directory. Do not wait until the last week: a failed validation then leaves no time to fix the problem before the site goes down.

