How to Install a Let's Encrypt SSL Certificate to Secure Apache on RHEL/CentOS 7/6


Extending the last tutorial on Let's Encrypt free SSL/TLS certificates, in this article we will show how to obtain and install a free SSL/TLS certificate issued by the Let's Encrypt Certificate Authority for the Apache web server on CentOS/RHEL 7/6 and Fedora distributions as well.

If you are looking to install Let's Encrypt for Apache on Debian and Ubuntu, follow the guide below.

Requirements:

  1. A registered domain name with a valid A record pointing back to your server's public IP address.
  2. An Apache server installed with the SSL module enabled, and Virtual Hosting enabled if you are hosting multiple domains or subdomains.

Step 1: Install Apache Web Server

1. If it is not already installed, the httpd daemon can be installed by issuing the command below:

# yum install httpd

2. For the Let's Encrypt software to work with Apache, make sure the SSL/TLS module is installed by issuing the command below:

# yum -y install mod_ssl

3. Finally, start the Apache server with the following command:

# systemctl start httpd.service          [On RHEL/CentOS 7]
# service httpd start                    [On RHEL/CentOS 6]

Step 2: Install Let's Encrypt SSL Certificate

4. The easiest way to install the Let's Encrypt client is by cloning the github repository to your filesystem. To install git on your system you must enable the Epel repository with the following command.

# yum install epel-release

5. Once the Epel repos are added to your system, go ahead and install the git client by running the command below:

# yum install git

6. Now, once you have installed everything needed to handle Let's Encrypt, go to the /usr/local/ directory and pull the Let's Encrypt client from its official github repository with the following command:

# cd /usr/local/
# git clone https://github.com/letsencrypt/letsencrypt

Step 3: Obtain a Free SSL Certificate for Apache

7. The process of obtaining a free Let's Encrypt certificate for Apache is automated on CentOS/RHEL thanks to the apache plugin.

Let's run the Let's Encrypt script to obtain an SSL certificate. Go to the Let's Encrypt installation directory in /usr/local/letsencrypt and run the letsencrypt-auto command, providing the --apache option and the -d flag for each subdomain you need a certificate for.

# cd /usr/local/letsencrypt
# ./letsencrypt-auto --apache -d your_domain.tld 

8. Provide the email address that Let's Encrypt will use to recover your lost key or for urgent notices, then press Enter to continue.

9. Agree with the license terms by pressing the Enter key.

10. On CentOS/RHEL, by default, the Apache server does not use the concept of separate directories for enabled hosts and available (inactive) hosts as the Debian distribution does.

Also, virtual hosting is disabled by default. The Apache directive that specifies the server name (ServerName) is not present in the SSL configuration file.

To make this directive work, Let's Encrypt will prompt you to select a virtual host. Because it does not find any Vhost, select the ssl.conf file so that the Let's Encrypt client modifies it automatically, and press Enter to continue.

11. Next, choose the Easy method for HTTP requests and press Enter to continue.

12. Finally, if everything went well, a congratulations message should be displayed on screen. Press Enter to release the prompt.

That's it! You have successfully issued an SSL/TLS certificate for your domain. Now you can start browsing your website using the HTTPS protocol.

Step 4: Test Free Let's Encrypt Certificate on Domain

13. To test the strength of your domain's SSL/TLS handshake, visit the link below and test your certificate on your domain.

https://www.ssllabs.com/ssltest/analyze.html

14. If you get a series of reports about your domain's vulnerabilities in the conducted test, then you must fix those security holes urgently.

An overall rating of class C makes your domain very insecure. To fix these security issues, open the Apache SSL configuration file and make the following changes:

# vi /etc/httpd/conf.d/ssl.conf

Search for the line with the SSLProtocol statement and add -SSLv3 at the end of the line.

Go further down in the file, search for the line with SSLCipherSuite and comment it out by putting a # in front of it, then add the following content under that line:

SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLOptions +StrictRequire
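As an added check that is not part of the original article: a small bash function that audits an ssl.conf for the three settings above (SSLv3 disabled in SSLProtocol, SSLHonorCipherOrder on, and no weak cipher names left enabled in the active SSLCipherSuite). The function name, the file path argument and the constructed sample config are assumptions. Note that the cipher string shown above still enables DES-CBC3-SHA (3DES) and static-RSA AES-SHA suites, so the audit will flag the 3DES entry even on the article's own list; dropping it is a reasonable further tightening.

```bash
#!/bin/bash
# Added example (not from the original article): audit an Apache ssl.conf
# for the hardening settings the article asks you to apply.
# Assumptions: the file path is passed as $1 and the file uses the directive
# names shown above. Only uncommented directives are considered active.

# audit_ssl_conf /path/to/ssl.conf -> exit 0 when all checks pass, 1 otherwise.
# Prints one [WARN] line per finding.
audit_ssl_conf() {
    conf="$1"
    rc=0

    # Last active SSLProtocol line wins (Apache uses the last definition).
    proto=$(grep -E '^[[:space:]]*SSLProtocol' "$conf" | tail -n 1)
    if ! printf '%s\n' "$proto" | grep -q -e '-SSLv3'; then
        echo "[WARN] SSLProtocol does not disable SSLv3: ${proto:-<missing>}"
        rc=1
    fi

    # Second field of the directive, lower-cased, must be exactly "on".
    order=$(grep -E '^[[:space:]]*SSLHonorCipherOrder' "$conf" | tail -n 1 | awk '{print tolower($2)}')
    if [ "$order" != "on" ]; then
        echo "[WARN] SSLHonorCipherOrder is not 'on' (found: ${order:-<missing>})"
        rc=1
    fi

    suite=$(grep -E '^[[:space:]]*SSLCipherSuite' "$conf" | tail -n 1 | awk '{print $2}')
    if [ -z "$suite" ]; then
        echo "[WARN] no active SSLCipherSuite directive"
        rc=1
    else
        # Walk the colon-separated list; entries prefixed with '!' are
        # exclusions and are fine, anything else naming 3DES, RC4, MD5,
        # export or NULL ciphers is still enabled and gets flagged.
        for c in $(printf '%s\n' "$suite" | tr ':' ' '); do
            case "$c" in
                !*) ;;
                *DES-CBC3*|*RC4*|*MD5*|*EXPORT*|*NULL*)
                    echo "[WARN] weak cipher still enabled: $c"
                    rc=1 ;;
            esac
        done
    fi
    return $rc
}

# Constructed sample resembling the edited ssl.conf above (not a real file),
# used only when this script is run directly.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!RC4:!MD5
SSLHonorCipherOrder on
SSLOptions +StrictRequire
EOF
audit_ssl_conf "$sample" || echo "audit found issues in the sample config"
rm -f "$sample"
```

Run it against the real file with `audit_ssl_conf /etc/httpd/conf.d/ssl.conf` after sourcing the script; a non-zero exit status means at least one of the edits above has not taken effect.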

15. After you have made all the changes above, save and close the file, then restart the Apache daemon to apply the changes.

# systemctl restart httpd.service          [On RHEL/CentOS 7]
# service httpd restart                    [On RHEL/CentOS 6]

16. Now test the status of your domain's encryption again by going to the same link as above. To run the test again, hit the Clear cache link on the website.

https://www.ssllabs.com/ssltest/analyze.html 

Now you should get an overall rating of A, which means that your domain is highly secured.

Step 5: Auto Renew Let's Encrypt Certificate on Apache

17. The beta version of the Let's Encrypt software issues certificates with an expiration date 90 days after issuance. So, in order to renew the SSL certificate, you must run the letsencrypt-auto command again before the expiration date, with the same options and flags used to obtain the initial certificate.

An example of how to manually renew the certificate is shown below.

# cd /usr/local/letsencrypt
# ./letsencrypt-auto certonly --apache --renew-by-default  -d your_domain.tld

18. To automate this process, create the following bash script, provided by erikaheidi on github, in the /usr/local/bin/ directory with the following content. (The script is slightly modified to reflect our letsencrypt installation directory.)

# vi /usr/local/bin/le-renew-centos

Add the following content to the le-renew-centos file:

#!/bin/bash

domain=$1
le_path='/usr/local/letsencrypt'
le_conf='/etc/letsencrypt'
exp_limit=30;

# Read the list of names covered by the certificate from the renewal
# config that letsencrypt-auto wrote for this domain.
get_domain_list(){
        certdomain=$1
        config_file="$le_conf/renewal/$certdomain.conf"

        if [ ! -f "$config_file" ] ; then
                echo "[ERROR] The config file for the certificate $certdomain was not found."
                exit 1;
        fi

        domains=$(grep --only-matching --perl-regex "(?<=domains \= ).*" "${config_file}")
        last_char=$(echo "${domains}" | awk '{print substr($0,length,1)}')

        # Drop a trailing comma so the list can be passed straight to --domains.
        if [ "${last_char}" = "," ]; then
                domains=$(echo "${domains}" |awk '{print substr($0, 1, length-1)}')
        fi

        echo $domains;
}

if [ -z "$domain" ] ; then
        echo "[ERROR] you must provide the domain name for the certificate renewal."
        exit 1;
fi

cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"

if [ ! -f "$cert_file" ]; then
        echo "[ERROR] certificate file not found for domain $domain."
        exit 1;
fi

# Expiry date taken from the 'Not After' line of the certificate text dump
# (the date starts at column 25 of that line), converted to epoch seconds.
exp=$(date -d "`openssl x509 -in "$cert_file" -text -noout|grep "Not After"|cut -c 25-`" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( $exp - $datenow \) / 86400 |bc)

echo "Checking expiration date for $domain..."

if [ "$days_exp" -gt "$exp_limit" ] ; then
        echo "The certificate is up to date, no need for renewal ($days_exp days left)."
        exit 0;
else
        echo "The certificate for $domain is about to expire soon. Starting renewal request..."
        domain_list=$( get_domain_list $domain )
        "$le_path"/letsencrypt-auto certonly --apache --renew-by-default --domains "${domain_list}"
        echo "Restarting Apache..."
        /usr/bin/systemctl restart httpd
        echo "Renewal process finished for domain $domain"
        exit 0;
fi

19. Assign execute permissions to the script, install the bc package and run the script to test it. Use your domain name as a positional parameter for the script. Issue the following commands to accomplish this:

# yum install bc
# chmod +x /usr/local/bin/le-renew-centos
# /usr/local/bin/le-renew-centos your_domain.tld
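As an added example, not part of the article or of erikaheidi's script: the expiry arithmetic of the renewal script above, rewritten to read the date with openssl's -enddate option instead of cutting the -text dump at a fixed column, and without needing bc. It keeps the script's 30-day threshold. The function names, the optional limit argument and the constructed timestamps in the comments are assumptions.

```bash
#!/bin/bash
# Added example, not from the original article or the le-renew-centos script.
# Computes how many whole days remain until a certificate's notAfter date and
# decides whether a renewal run is due. Relies on GNU date, as the script does.

# days_until "<openssl date string>" -> prints whole days from now
# (negative once the date has passed). Constructed example input:
# "Mar 12 12:00:00 2099 GMT"
days_until() {
    exp=$(date -u -d "$1" +%s) || return 2
    now=$(date -u +%s)
    echo $(( (exp - now) / 86400 ))
}

# cert_days_left /path/to/fullchain.pem -> days left on the leaf certificate.
# 'openssl x509 -noout -enddate' prints exactly 'notAfter=<date>', so the
# value is obtained by stripping that prefix rather than by column offset.
cert_days_left() {
    raw=$(openssl x509 -in "$1" -noout -enddate) || return 2
    days_until "${raw#notAfter=}"
}

# needs_renewal DAYS [LIMIT] -> exit 0 when DAYS <= LIMIT (default 30,
# the same exp_limit the renewal script uses).
needs_renewal() {
    days="$1"; limit="${2:-30}"
    [ "$days" -le "$limit" ]
}

# When run directly with a PEM path, report the decision for that file.
if [ -n "$1" ] && [ -f "$1" ]; then
    left=$(cert_days_left "$1") || { echo "could not read $1"; exit 2; }
    if needs_renewal "$left"; then
        echo "$1: $left day(s) left, renewal due"
    else
        echo "$1: $left day(s) left, no renewal needed"
    fi
fi
```

A useful property of this split is that days_until can be exercised with a fixed timestamp, so the threshold logic is testable without a real certificate on disk.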

20. Finally, using the Linux scheduler, add a new cron job to run the script every two months, ensuring that your certificate is renewed before the expiration date.

# crontab -e

Add the following line at the bottom of the file.

0 1 1 */2 * /usr/local/bin/le-renew-centos your_domain.tld >> /var/log/your_domain.tld-renew.log 2>&1

That's it! Your Apache server running on top of a CentOS/RHEL system is now serving SSL content using a free SSL certificate.