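What is Let's Encrypt?
Let's Encrypt requires the site to have a virtual host, so the first step is to change the site from being served directly to being served through a virtual host.
Create a directory to hold the virtual host configuration files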
mkdir /opt/lampp/etc/myVhost
Append the following to the end of /opt/lampp/etc/httpd.conf
httpd.conf:
IncludeOptional etc/myVhost/*.conf
Create the virtual host configuration file
vi /opt/lampp/etc/myVhost/example.com.conf
example.com.conf:
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /opt/lampp/htdocs
    ErrorLog /opt/lampp/logs/example.com/error.log
</VirtualHost>
mkdir /opt/lampp/logs/example.com  # create the log directory
Once the virtual host is configured, restart lampp
cd /opt/lampp
./lampp restart  # you can also restart only Apache
2. Download the Let's Encrypt client
yum install epel-release  # install prerequisites
yum install git  # install prerequisites
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt  # download Let's Encrypt into /opt/letsencrypt
3. Download the certificate
cd /opt/letsencrypt
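./certbot-auto certonly --webroot -w /opt/lampp/htdocs -d www.example.com
# Because lampp is a separately configured environment, only download the certificate.
When the certificate has been downloaded successfully, a message similar to the following appears: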
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to user@example.com.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert
   will expire on 2016-04-21. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
4. Configure Apache, which really just means adding the certificate locations.
vi /opt/lampp/etc/myVhost/example.com.conf
example.com.conf:
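<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /opt/lampp/htdocs
    ErrorLog /opt/lampp/logs/example.com/error.log
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
5. Redirect HTTP to HTTPS
By step 4, if nothing went wrong, you should see the padlock in the browser. If you don't want to use HTTP, just set up a redirect.
6. Let's Encrypt certificates are only valid for 90 days, so renewing the certificate regularly is necessary. I haven't tried this in practice yet, though, so I'm copying some material from the web for now.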
crontab -e
# Renew the certificate every Monday at 2:30
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /opt/lampp/logs/example.com/le-renew.log
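The cron entry above renews the files on disk, but Apache reads the certificate at startup and keeps serving the old one until it is restarted. The wrapper below is an added example, not part of the original post: it restarts lampp only when the certificate file actually changed. The paths are the ones used in the steps above; the function names and the `--run` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): renew, then restart lampp only
# if the certificate Apache serves actually changed.
# Paths come from the steps above; the function names are hypothetical.
CERT=${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}
RENEW_CMD=${RENEW_CMD:-/opt/letsencrypt/letsencrypt-auto renew}
RELOAD_CMD=${RELOAD_CMD:-/opt/lampp/lampp restart}

# Checksum of the file behind the live/ symlink, or "missing" if unreadable.
fingerprint() {
    if [ -r "$1" ]; then cksum < "$1"; else echo missing; fi
}

# Prints one status word on stdout: "unchanged" or "reloaded".
# Tool output goes to stderr so cron can log it with 2>&1.
# Returns 1 if the renewal failed, 2 if the restart failed.
renew_and_reload() {
    before=$(fingerprint "$CERT")
    $RENEW_CMD >&2 || return 1
    after=$(fingerprint "$CERT")
    if [ "$before" = "$after" ]; then
        echo unchanged
        return 0
    fi
    # Apache loads the certificate at startup, so a renewed file is not
    # served until the server is restarted.
    $RELOAD_CMD >&2 || return 2
    echo reloaded
}

# Run only when the script is called with --run, so the functions above
# can be sourced and checked without touching the real certificate.
if [ "${1:-}" = "--run" ]; then
    renew_and_reload
fi
```

To use it from cron, point the entry at this script with `--run` instead of calling `letsencrypt-auto renew` directly, and append `2>&1` to the log redirection so failures are recorded.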
7. Update the Let's Encrypt client. Likewise not tried in practice; saving it here for now.
cd /opt/letsencrypt
git pull