Memo_20160105 (positioning)

Programming 2019-01-11 14:06:23
Switching from http to https (applying for and installing a free SSL certificate)


  1. Background: the site already has a registered domain name and uses a free hosted DNS service, but that free service does not support CAA records, which makes applying for a free SSL certificate difficult.
  2. Approach: keep the domain as it is, but move the DNS servers from Far EasTone (遠傳) to a different free DNS service (one that allows CAA records). The site already runs its own FTP server, so FTP-based verification can be configured.
  3. ------
  4. Register an account at freedns.afraid.org (an email address is required).
  5. Add a domain (Add Domain): liujiaje.com
  6. Go to Manage, delete all existing records, then add the records below.
  7. [01] A liujiaje.com 106.104.6.123
  8. [02] A www.liujiaje.com 106.104.6.123
  9. [03] A mtl.liujiaje.com 106.104.6.123
  10. [04] CAA liujiaje.com 1 issue "letsencrypt.org"
  11. ------
  12. Next, go to rs.seed.net.tw and switch the domain to "self-managed DNS mode" (自行DNS代管模式), entering the four name servers below.
  13. [01] ns1.afraid.org 50.23.197.94
  14. [02] ns2.afraid.org 208.43.71.243
  15. [03] ns3.afraid.org 69.197.18.162
  16. [04] ns4.afraid.org 70.39.97.253
  17. ------
  18. Then go to www.sslforfree.com to apply for a free SSL certificate.
  19. Enter your own domain name, e.g. liujiaje.com
  20. Choose Automatic FTP Verification (create a new, separate set of FTP credentials for this site to use).
  21. After verification succeeds you can download the certificate files (ca_bundle.crt, certificate.crt, private.key); save them to a folder that is not exposed to the internet.
  22. ------
  23. Open [apache 2.4] httpd.conf for editing.
  24. Remove the leading # from LoadModule ssl_module modules/mod_ssl.so
  25. Remove the leading # from Include conf/extra/httpd-ahssl.conf, and add the two lines below after it:
  26. Add SSLRandomSeed startup builtin
  27. Add SSLRandomSeed connect builtin
  28. ------
  29. Open [apache 2.4] httpd-ahssl.conf for editing.
  30. Inside <VirtualHost _default_:443>, set the following lines:
  31. SSLEngine on
  32. ServerName liujiaje.com:443
  33. SSLCertificateFile "path/to/certificate.crt"
  34. SSLCertificateKeyFile "path/to/private.key"
  35. DocumentRoot "${SRVROOT}/htdocs"
  36. <Directory "${SRVROOT}/htdocs">
  37. Options Includes FollowSymLinks
  38. AllowOverride AuthConfig Limit FileInfo
  39. Require all granted
  40. </Directory>
  41. ------
  42. Restart apache 2.4 and test.

Update 2020-052-26
By now the name servers have changed slightly:
ns1.afraid.org 50.23.197.94
ns2.afraid.org 69.65.50.223
ns3.afraid.org 184.170.243.127
ns4.afraid.org 70.39.97.253

※ Remember to set the CAA record for letsencrypt.org first ※
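The CAA record from step 10 of the list above (and the reminder just above) is what allows Let's Encrypt to issue for the domain. The following is an added example, not code from the memo, that evaluates a name's CAA records the way a CA does under RFC 8659 (walking up to the parent name, issue versus issuewild, the critical flag); the zone data is constructed inline, and every name other than liujiaje.com is hypothetical.

```python
from typing import Dict, List, Optional, Tuple

# A CAA record as (flags, tag, value), the three fields entered in the memo's
# freedns.afraid.org form; of the flags only bit 128 (critical) has RFC meaning.
CAARecord = Tuple[int, str, str]

# Constructed zone data (not live DNS): the first entry mirrors the memo's
# record, the *.example names are hypothetical and exercise edge cases.
ZONE: Dict[str, List[CAARecord]] = {
    "liujiaje.com": [(1, "issue", "letsencrypt.org")],
    "locked.example": [(0, "issue", ";")],                # ";" forbids all CAs
    "wild.example": [(0, "issue", "letsencrypt.org"),
                     (0, "issuewild", "digicert.com")],
    "strict.example": [(128, "unknowntag", "x")],          # critical, unknown tag
}

def relevant_records(name: str, zone: Dict[str, List[CAARecord]]) -> Optional[List[CAARecord]]:
    """RFC 8659 section 3: use the CAA set of the name itself, else of the
    closest ancestor that has one. A wildcard name is looked up by the name
    without its leading "*." label."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        recs = zone.get(".".join(labels[i:]))
        if recs:
            return recs
    return None  # no CAA anywhere up the tree: issuance is unrestricted

def issuer_domain(value: str) -> str:
    # "letsencrypt.org; validationmethods=dns-01" -> "letsencrypt.org"
    return value.split(";", 1)[0].strip().lower()

def may_issue(name: str, ca: str, zone: Dict[str, List[CAARecord]] = ZONE) -> bool:
    """True if the CA identified by issuer domain `ca` may issue for `name`."""
    recs = relevant_records(name, zone)
    if recs is None:
        return True
    # A critical record whose tag the CA does not understand means: do not issue.
    if any(f & 128 and t.lower() not in ("issue", "issuewild", "iodef") for f, t, _ in recs):
        return False
    wildcard = name.startswith("*.")
    chosen = [r for r in recs if r[1].lower() == ("issuewild" if wildcard else "issue")]
    if wildcard and not chosen:  # no issuewild records: issue records govern wildcards
        chosen = [r for r in recs if r[1].lower() == "issue"]
    if not chosen:  # CAA present but only e.g. iodef: no issuance restriction
        return True
    return any(issuer_domain(r[2]) == ca.lower() for r in chosen)
```

Run against the memo's own hostnames, www.liujiaje.com and mtl.liujiaje.com inherit the CAA record of liujiaje.com, which is why a single record at the apex is enough for all three names.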

Reference: https://certbot.eff.org/lets-encrypt/debianbuster-apache

sudo apt-get install certbot python-certbot-apache    (Install Certbot)
sudo certbot --apache    (get a certificate and have Certbot edit your Apache configuration automatically to serve it)
sudo certbot renew --dry-run    (Test automatic renewal)
sudo certbot renew    (run this before the certificate expires to renew it)

Back up the /etc/letsencrypt folder.

Below is the output that was returned:

Congratulations! You have successfully enabled https://liujiaje.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=liujiaje.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/liujiaje.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/liujiaje.com/privkey.pem
   Your cert will expire on 2020-05-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

To make every connection use https, edit the configuration file
/etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>

  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  # Add the three lines below; every connection is then redirected to https automatically
  # (mod_rewrite must be enabled, e.g. with "a2enmod rewrite"; the condition
  #  matches only requests whose server name is exactly liujiaje.com)
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =liujiaje.com
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>