
Let’s Encrypt – Free Certificates on Oracle Linux

SSL相关配置
前置条件:域名已解析至本服务器,且 80 端口可从公网访问(下文使用的 HTTP-01 / webroot 验证方式需要)。

#查看/etc/httpd/modules下是否有mod_ssl.so模块,若无则安装
sudo yum install mod_ssl

#查看在 /etc/httpd/conf.modules.d 目录下的 00-ssl.conf 配置文件找到
LoadModule ssl_module modules/mod_ssl.so

#用于加载 SSL 模块的配置语句,若已注释,请去掉首行的注释符号。

#在/etc/httpd/conf.modules.d中新建一个 00-rewrite.conf。在新建文件中添加以下内容
LoadModule rewrite_module modules/mod_rewrite.so

#在 httpd.conf 配置文件中添加如下内容:
Directory "/var/www/html"
##自动http重定向至https
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
/Directory

安装Let’s Encrypt并设置certbot自动更新
#可参考cetbot.eff.org

#安装official EPEL release
sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

#安装snap
sudo dnf install -y snapd
sudo systemctl enable --now snapd.socket
sudo systemctl start snapd
sudo ln -s /var/lib/snapd/snap /snap

#安装并更新core
sudo snap install core
sudo snap refresh core

#安装certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

#生成新证书
#For Apache:
/usr/bin/certbot certonly --webroot -w /var/www/html --email example@example.com -d example.com -d www.example.com

#配置apache,若只有一个网站也可以直接配置/etc/httpd/httpd.conf和/etc/httpd/conf.d/ssl.conf
ServerName example.com
Serveralias www.example.com
DocumentRoot /var/www/html
ErrorLog /var/log/httpd/example.com-error_log
CustomLog /var/log/httpd/example.com-access_log combined

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLCACertificateFile /etc/letsencrypt/live/example.com/chain.pem

#设置自动更新证书
sudo certbot renew --dry-run