Use HTTPS encrypted connections to make your Apache site more secure
The following is a deployment example for Apache on Ubuntu 14.04.
Install the deployment tool
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache
Generate a certificate
Manually generate a certificate for www.yourdomain.com
$ sudo certbot --apache certonly --cert-name www.yourdomain.com -d www.yourdomain.com
The generated certificate is placed under the /etc/letsencrypt/live/$domain directory
Certbot – Where are my certificates?
Apply the certificate
Edit your Apache site conf
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName www.yourdomain.com
        ServerAdmin admin@yourdomain.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/www.yourdomain.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.yourdomain.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/www.yourdomain.com/chain.pem
    </VirtualHost>
</IfModule>
Reload the site conf for it to take effect
$ sudo service apache2 reload
If mod_ssl is not enabled, remember to enable it
$ sudo a2enmod ssl
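Renew the certificate (yet to be verified)
Certbot mentions that certificates are renewed automatically before they expire, so this part should not need any attention.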
The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire.
Check the certificate's validity period
$ sudo certbot certificates
Revoke a certificate
Revoke the certificate for www.yourdomain.com
$ sudo certbot revoke --cert-path /etc/letsencrypt/archive/www.yourdomain.com/cert1.pem
You can confirm the revocation by checking the certificate's current validity period
$ sudo certbot certificates
If it has been revoked, the output looks like this
-------------------------------------------------------------------------------
Found the following certs:
Certificate Name: www.yourdomain.com
Domains: www.yourdomain.com
Expiry Date: 2017-08-03 06:07:00+00:00 (INVALID: REVOKED)
Certificate Path: /etc/letsencrypt/live/www.yourdomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.yourdomain.com/privkey.pem
-------------------------------------------------------------------------------
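An added example (not from the original post or from Certbot): a shell function that reads the `certbot certificates` listing shown above and reports each certificate as OK, RENEW_SOON, or the reason printed after INVALID:, which covers both the renewal check and the revocation check. The function names, the 30-day threshold, and the hostnames blog.yourdomain.com and shop.yourdomain.com are assumptions; the sample listing is constructed, and its `(VALID: N days)` lines follow the form Certbot prints for certificates that are still valid.

```shell
#!/bin/sh
# Added example: summarise `certbot certificates` output read from stdin.
# Typical use: sudo certbot certificates 2>/dev/null | check_certs 30

# check_certs WARN_DAYS
# Prints "<certificate name> <status>" for each certificate, where status is
# OK, RENEW_SOON (fewer than WARN_DAYS days left), the reason certbot prints
# after "INVALID:" (for example REVOKED), or UNKNOWN if neither form is found.
# Returns 1 if any certificate is not OK, so a cron job can alert on it.
check_certs() {
    awk -v warn="$1" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            status = "UNKNOWN"
            if (match($0, /\(INVALID: [^)]+\)/)) {
                # Text between "(INVALID: " (10 chars) and the closing ")"
                status = substr($0, RSTART + 10, RLENGTH - 11)
            } else if (match($0, /\(VALID: [0-9]+ day/)) {
                # Digits between "(VALID: " (8 chars) and " day" (4 chars)
                days = substr($0, RSTART + 8, RLENGTH - 12) + 0
                status = (days < warn + 0) ? "RENEW_SOON" : "OK"
            }
            if (status != "OK") bad = 1
            print name, status
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample listing: the first entry mirrors the revoked certificate
# above; the blog. and shop. entries are hypothetical.
sample_listing() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: www.yourdomain.com
    Domains: www.yourdomain.com
    Expiry Date: 2017-08-03 06:07:00+00:00 (INVALID: REVOKED)
  Certificate Name: blog.yourdomain.com
    Domains: blog.yourdomain.com
    Expiry Date: 2017-08-20 06:07:00+00:00 (VALID: 12 days)
  Certificate Name: shop.yourdomain.com
    Domains: shop.yourdomain.com
    Expiry Date: 2017-10-30 06:07:00+00:00 (VALID: 83 days)
EOF
}

sample_listing | check_certs 30 || echo "at least one certificate needs attention"
```

A RENEW_SOON result on a host where the packaged cron job is expected to renew automatically is a signal that the renewal job is not running or is failing.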