Deploying a free Let's Encrypt SSL certificate on an Apache server on CentOS 7


Preface

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are security protocols whose purpose is to provide confidentiality and data integrity for communication over the Internet. When Netscape released the first version of its web browser, Netscape Navigator, in 1994, it introduced the HTTPS protocol, encrypted with SSL; this is the origin of SSL. The IETF standardized SSL and published the TLS 1.0 specification in 1999 (RFC 2246), followed by TLS 1.1 (RFC 4346, 2006), TLS 1.2 (RFC 5246, 2008) and TLS 1.3 (RFC 8446, 2018). The protocol is widely used in applications such as web browsers, e-mail, instant messaging, VoIP and Internet fax. Many websites, including Google, Facebook and Wikipedia, use it to establish secure connections and transfer data. It has become the industry standard for confidential communication on the Internet.

SSL consists of a record layer (Record Layer) and a transport layer; the record-layer protocol determines the encapsulation format of the transport-layer data. TLS uses X.509 for authentication, then uses asymmetric cryptography to authenticate the communicating parties, and then exchanges a symmetric key that serves as the session key. This session key is used to encrypt the data exchanged between the two parties, guaranteeing the confidentiality and reliability of the communication between the two applications, so that the communication between client and server applications cannot be eavesdropped on by an attacker. (Excerpted from the Chinese Wikipedia article on Transport Layer Security)

Installing certbot and configuring the firewall

# Installing packages and configuring the firewall both require root privileges
# Enable the EPEL repository
yum install epel-release

# Install the required packages
yum install mod_ssl certbot-apache

# Firewall rules: allow ports 80 (http) and 443 (https)
# --permanent persists the rule across reboots; --reload applies it to the running firewall
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

# Check the status of the Apache server
systemctl status httpd

# If Apache is not running, start it with the following command
systemctl start httpd

Certbot is a client for deploying Let's Encrypt certificates, and Let's Encrypt provides free TLS certificates for secure websites. Certbot can automatically deploy the certificates it obtains from Let's Encrypt on the web server, and it is very easy to use.

Obtaining the SSL certificate

Command to generate the SSL certificate

# www.example.com: replace with your own subdomain (third-level domain)
# example@gmail.com: replace with your e-mail address
# --webroot: certbot writes the validation file under /var/www/html/.well-known/acme-challenge/,
#            so Apache must already serve that directory over port 80 for the domain
certbot certonly --webroot -w /var/www/html -d www.example.com --agree-tos --email example@gmail.com

The e-mail address is used for account key recovery and for notifications.

After the command completes successfully, it prints:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert
   will expire on 2016-04-21. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you lose your account credentials, you can recover through
   e-mails sent to user@example.com.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The generated certificate files are stored in the /etc/letsencrypt/live directory.

Configuring Apache SSL

Edit the ssl.conf file:

vi /etc/httpd/conf.d/ssl.conf

Find the two directives SSLProtocol and SSLCipherSuite and delete or comment them out:

. . .
# SSLProtocol all -SSLv2
. . .
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

Next, add the following block outside the VirtualHost section. Note that SSLSessionTickets is left commented out: the directive requires Apache 2.4.11 or newer, and the httpd package shipped with CentOS 7 is 2.4.6.

. . .

# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off

After saving and exiting, check that the syntax is correct:

apachectl configtest

If the output is Syntax OK, the configuration is valid; now restart Apache:

systemctl restart httpd
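apachectl configtest only proves the file parses. As an added example that is not part of the original post, the following POSIX shell audit checks that an ssl.conf actually carries the hardening directives from this section: it inspects only active (uncommented) directives and returns the number of failed checks. The two sample configs it writes are constructed from the stock and hardened values shown above, not real server files.

```shell
#!/bin/sh
# Audit an Apache ssl.conf for the hardening directives added in this section.
# Only active directives count: commented-out lines (e.g. "# SSLSessionTickets Off") are ignored.
# Succeed when an active "<directive> <value>" line matches the extended regex.
directive_matches() {   # $1 = file, $2 = directive name, $3 = regex applied to the whole line
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | grep -Eiq -- "$3"
}
# Print "FAIL: <description>" and return 1 when the check does not hold.
check() {   # $1 = file, $2 = directive, $3 = regex, $4 = description
    directive_matches "$1" "$2" "$3" && return 0
    echo "FAIL: $4"; return 1
}
# Run every check; the return value is the number of failed checks (0 = hardened as described).
audit_ssl_conf() {
    n=0
    check "$1" SSLProtocol '-SSLv3|[[:space:]][+]?TLSv1' 'SSLProtocol still allows SSLv3' || n=$((n+1))
    check "$1" SSLHonorCipherOrder '[[:space:]]on[[:space:]]*$' 'SSLHonorCipherOrder is not On' || n=$((n+1))
    check "$1" SSLCompression '[[:space:]]off[[:space:]]*$' 'SSLCompression is not off' || n=$((n+1))
    check "$1" SSLUseStapling '[[:space:]]on[[:space:]]*$' 'OCSP stapling (SSLUseStapling) is not on' || n=$((n+1))
    check "$1" Header 'always[[:space:]]+set[[:space:]]+Strict-Transport-Security' 'no HSTS header is set' || n=$((n+1))
    # Heuristic: flag cipher families the hardened list drops; an "!X" exclusion is not flagged.
    if directive_matches "$1" SSLCipherSuite '(^|:|[[:space:]])(MEDIUM|LOW|RC4|EXP)'; then
        echo "FAIL: SSLCipherSuite includes weak cipher families"; n=$((n+1))
    fi
    return $n
}
# Constructed samples (not real server files): the stock directives the post removes and the
# hardened block it adds, written to weak.conf and hardened.conf in directory $1.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
EOF
    cat > "$1/hardened.conf" <<'EOF'
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
SSLCompression off
SSLUseStapling on
# SSLSessionTickets Off
EOF
}
# Demo on the constructed samples; on a real host run: audit_ssl_conf /etc/httpd/conf.d/ssl.conf
d=$(mktemp -d); write_samples "$d"
audit_ssl_conf "$d/weak.conf" || echo "weak.conf: $? check(s) failed"
audit_ssl_conf "$d/hardened.conf" && echo "hardened.conf: all checks passed"; rm -rf "$d"
```

The stock CentOS 7 values fail all six checks (SSLv3 still enabled, HIGH:MEDIUM cipher list, no cipher-order enforcement, compression, stapling or HSTS), while the hardened block passes every one.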

Checking the certificate status

Open the following link in a browser:

# www.example.com: your subdomain
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com&latest

