How to Install a Let's Encrypt SSL Certificate to Secure Apache on RHEL/CentOS 7/6
Extending the last Let's Encrypt tutorial on free SSL/TLS certificates, in this article we are going to demonstrate how to obtain and install a free SSL/TLS certificate issued by the Let's Encrypt Certificate Authority for the Apache web server on CentOS/RHEL 7/6 and Fedora distributions too.
If you're looking to install Let's Encrypt for Apache on Debian and Ubuntu, follow the guide below:
- A registered domain name with valid A records pointing back to your server's public IP address.
- An Apache server installed with the SSL module enabled, and virtual hosting enabled if you're hosting multiple domains or subdomains.
Step 1: Install the Apache Web Server
1. If it is not already installed, the httpd daemon can be installed by issuing the command below:
# yum install httpd
2. In order for the Let's Encrypt software to work with Apache, make sure the SSL/TLS module is installed by issuing the command below:
# yum -y install mod_ssl
3. Finally, start the Apache server with the following command:
# systemctl start httpd.service        [On RHEL/CentOS 7]
# service httpd start                  [On RHEL/CentOS 6]
Step 2: Install the Let's Encrypt Client
4. The simplest way to install the Let's Encrypt client is to clone its GitHub repository into your filesystem. To install git on your system you must first enable the EPEL repository with the following command:
# yum install epel-release
5. Once the EPEL repos are added to your system, go ahead and install the git client by running the command below:
# yum install git
6. Now that you've installed all the dependencies required to work with Let's Encrypt, go to the /usr/local/ directory and pull the Let's Encrypt client from its official GitHub repository with the following commands:
# cd /usr/local/
# git clone https://github.com/letsencrypt/letsencrypt
Step 3: Obtain a Free Let's Encrypt SSL Certificate for Apache
7. The process of obtaining a free Let's Encrypt certificate for Apache is automated on CentOS/RHEL thanks to the apache plugin.
Let's run the Let's Encrypt script to obtain an SSL certificate. Go to the Let's Encrypt installation directory at /usr/local/letsencrypt and run the letsencrypt-auto command, providing the --apache option and a -d flag for every domain or subdomain you need a certificate for:
# cd /usr/local/letsencrypt
# ./letsencrypt-auto --apache -d your_domain.tld
8. Provide the email address that Let's Encrypt will use to recover your lost key or to send urgent notices, then press Enter to continue.
9. Agree to the terms of the licence by pressing the Enter key.
10. On CentOS/RHEL, by default, the Apache server doesn't separate enabled hosts from available (inactive) hosts into different directories the way Debian-based distributions do.
Also, virtual hosting is disabled by default, and the Apache directive that specifies the server name (ServerName) is absent from the SSL configuration file.
Because of this, Let's Encrypt will prompt you to select a virtual host. Since it finds no available vhost, select the ssl.conf file so that the Let's Encrypt client modifies it automatically, then press Enter to continue.
11. Next, choose the Easy method for HTTP requests and press Enter to continue.
12. Finally, if everything went smoothly, a congratulations message is displayed on the screen. Press Enter to release the prompt.
That's it! You've successfully issued an SSL/TLS certificate for your domain. Now you can start browsing your website over HTTPS.
Step 4: Test the Free Let's Encrypt Certificate on Your Domain
13. To test the correctness of your domain's SSL/TLS handshake, visit the link below and test the certificate on your domain:
https://www.ssllabs.com/ssltest/analyze.html
14. If the test reports a series of vulnerabilities for your domain, you need to fix those security holes urgently.
An overall rating of class C means your domain is very insecure. To fix these security issues, open the Apache SSL configuration file and make the following changes:
# vi /etc/httpd/conf.d/ssl.conf
Search for the line with the SSLProtocol statement and append -SSLv3 at the end of the line.
Go further down in the file, find the line with SSLCipherSuite and comment it out by placing a # in front of it, then add the following content under that line:
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLOptions +StrictRequire
15. After you've made all the changes above, save and close the file, then restart the Apache daemon to apply them:
# systemctl restart httpd.service      [On RHEL/CentOS 7]
# service httpd restart                [On RHEL/CentOS 6]
16. Now test the status of your domain's encryption again by going to the same link as above. To redo the test, click the Clear cache link on the website:
https://www.ssllabs.com/ssltest/analyze.html
You should now get an overall rating of class A, which means your domain is highly secured.
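Before restarting Apache in step 15, it is worth confirming that ssl.conf really carries the changes from step 14, since a typo there leaves the weak settings active. The following checker is an added example (not part of the original tutorial); it parses Apache-style directives from an embedded, constructed ssl.conf fragment and reports whether SSLv3 is disabled, cipher order is enforced, StrictRequire is set and the active SSLCipherSuite excludes the cipher classes the tutorial blacklists.

```python
import re

# Constructed sample: the shape ssl.conf takes after the edits in step 14
# (old SSLCipherSuite commented out, -SSLv3 appended, new directives added).
SAMPLE_SSL_CONF = """
SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
SSLHonorCipherOrder on
SSLOptions +StrictRequire
"""

# Cipher classes the tutorial's SSLCipherSuite string removes with a "!" prefix.
MUST_EXCLUDE = ("aNULL", "eNULL", "EXPORT", "DES", "RC4", "MD5")

def active_directives(conf_text):
    """Map directive name -> value, ignoring blank and commented-out lines."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented SSLCipherSuite line is inert, as step 14 intends
        parts = line.split(None, 1)
        found[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return found

def sslv3_disabled(proto_tokens):
    """Apache semantics: 'all' enables every version unless a '-X' token removes
    it; an explicit list enables only the versions it names."""
    if not proto_tokens:
        return False  # directive missing: cannot confirm SSLv3 is off
    if "-SSLv3" in proto_tokens:
        return True
    return not any(t in ("all", "+all", "SSLv3", "+SSLv3") for t in proto_tokens)

def audit_ssl_conf(conf_text):
    """Return check name -> bool for the hardening directives of step 14."""
    d = active_directives(conf_text)
    suite = d.get("SSLCipherSuite", "").split(":")
    excluded = {t[1:] for t in suite if t.startswith("!")}
    return {
        "sslv3_disabled": sslv3_disabled(d.get("SSLProtocol", "").split()),
        "weak_ciphers_excluded": all(c in excluded for c in MUST_EXCLUDE),
        "cipher_order_enforced": d.get("SSLHonorCipherOrder", "").lower() == "on",
        "strict_require": "+StrictRequire" in d.get("SSLOptions", "").split(),
    }
```

To check the live file, pass the contents of /etc/httpd/conf.d/ssl.conf to audit_ssl_conf() and look for any False value.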
Step 5: Auto-Renew the Let's Encrypt Certificate on Apache
17. The beta version of the Let's Encrypt software issues certificates that expire 90 days after issuance. So, to renew the SSL certificate, you must run the letsencrypt-auto command again before the expiration date, with the same options and flags used to obtain the initial certificate.
An example of how to renew the certificate manually is shown below:
# cd /usr/local/letsencrypt
# ./letsencrypt-auto certonly --apache --renew-by-default -d your_domain.tld
18. To automate this process, create the following bash script, provided by erikaheidi on GitHub, in the /usr/local/bin/ directory with the content below. (The script is slightly modified to reflect our letsencrypt installation directory.)
# vi /usr/local/bin/le-renew-centos
Add the following content to the le-renew-centos file:
#!/bin/bash
# le-renew-centos: renew a Let's Encrypt certificate when it is close to expiry.
# Usage: le-renew-centos your_domain.tld

domain=$1
le_path='/usr/local/letsencrypt'   # where the client was cloned in Step 2
le_conf='/etc/letsencrypt'
exp_limit=30                        # renew when no more than this many days remain

# Read the list of domains covered by the certificate from its renewal config.
get_domain_list(){
    certdomain=$1
    config_file="$le_conf/renewal/$certdomain.conf"

    if [ ! -f "$config_file" ] ; then
        echo "[ERROR] The config file for the certificate $certdomain was not found."
        exit 1
    fi

    domains=$(grep --only-matching --perl-regex "(?<=domains \= ).*" "${config_file}")
    # Drop the trailing comma the renewal config may carry.
    last_char=$(echo "${domains}" | awk '{print substr($0,length,1)}')
    if [ "${last_char}" = "," ]; then
        domains=$(echo "${domains}" | awk '{print substr($0, 1, length-1)}')
    fi

    echo "$domains"
}

if [ -z "$domain" ] ; then
    echo "[ERROR] you must provide the domain name for the certificate renewal."
    exit 1
fi

cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"
if [ ! -f "$cert_file" ]; then
    echo "[ERROR] certificate file not found for domain $domain."
    exit 1
fi

# Expiry date ("Not After" field) of the certificate as seconds since the epoch;
# cut -c 25- skips the label and indentation printed by openssl.
exp=$(date -d "$(openssl x509 -in "$cert_file" -text -noout | grep "Not After" | cut -c 25-)" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( $exp - $datenow \) / 86400 | bc)   # needs the bc package (Step 19)

echo "Checking expiration date for $domain..."
if [ "$days_exp" -gt "$exp_limit" ] ; then
    echo "The certificate is up to date, no need for renewal ($days_exp days left)."
    exit 0
else
    echo "The certificate for $domain is about to expire soon. Starting renewal request..."
    domain_list=$( get_domain_list "$domain" )
    "$le_path"/letsencrypt-auto certonly --apache --renew-by-default --domains "${domain_list}"
    echo "Restarting Apache..."
    /usr/bin/systemctl restart httpd
    echo "Renewal process finished for domain $domain"
    exit 0
fi
19. Grant execute permission to the script, install the bc package and run the script to test it. Use your domain name as the positional parameter of the script. Issue the commands below to accomplish this step:
# yum install bc
# chmod +x /usr/local/bin/le-renew-centos
# /usr/local/bin/le-renew-centos your_domain.tld
20. Finally, using the Linux scheduler, add a new cron job to run the script every two months, making sure your certificate is renewed before its expiration date:
# crontab -e
Add the following line at the bottom of the file:
0 1 1 */2 * /usr/local/bin/le-renew-centos your_domain.tld >> /var/log/your_domain.tld-renew.log 2>&1
That's it! Your Apache server running on a CentOS/RHEL system is now serving SSL content using a free Let's Encrypt certificate.