Memo_20160105 (positioning)
Programming | 2019-01-11 14:06:23
Turning http into https (applying for and installing a free SSL certificate)
- Background: the site already has a registered domain name and uses a free managed DNS service, but that free service does not support CAA records, which makes applying for a free SSL certificate difficult.
- Approach: keep the domain as it is, switch the DNS servers from FarEasTone to another free DNS service (one that allows CAA records to be set); the site runs its own FTP server, so verification can be configured.
- ------
- Register an account at freedns.afraid.org (an e-mail address is required)
- Add a domain (Add Domain): liujiaje.com
- Go to the Manage function, delete all existing records, then add the following records
- [01] A liujiaje.com 106.104.6.123
- [02] A www.liujiaje.com 106.104.6.123
- [03] A mtl.liujiaje.com 106.104.6.123
- [04] CAA liujiaje.com 1 issue "letsencrypt.org"
- ------
- Next, go to rs.seed.net.tw and switch to "self-hosted DNS mode" (自行DNS代管模式), entering the following four name servers
- [01] ns1.afraid.org 50.23.197.94
- [02] ns2.afraid.org 208.43.71.243
- [03] ns3.afraid.org 69.197.18.162
- [04] ns4.afraid.org 70.39.97.253
- ------
- Then go to www.sslforfree.com to apply for a free SSL certificate
- Enter your own domain name, e.g. liujiaje.com
- Choose Automatic FTP Verification (create a new, dedicated username and password for this site to use)
- Once verification succeeds, the certificate files (ca_bundle.crt, certificate.crt, private.key) can be downloaded; save them into a folder that is not exposed to the Internet
- ------
- Open [apache 2.4] httpd.conf for editing
- Remove the leading # from LoadModule ssl_module modules/mod_ssl.so
- Remove the leading # from Include conf/extra/httpd-ahssl.conf, and add the following two settings after it
- Add SSLRandomSeed startup builtin
- Add SSLRandomSeed connect builtin
- ------
- Open [apache 2.4] httpd-ahssl.conf for editing
- Inside <VirtualHost _default_:443>, set the following lines
- SSLEngine on
- ServerName liujiaje.com:443
- SSLCertificateFile "path/to/certificate.crt"
- SSLCertificateKeyFile "path/to/private.key"
- DocumentRoot "${SRVROOT}/htdocs"
- <Directory "${SRVROOT}/htdocs">
- Options Includes FollowSymLinks
- AllowOverride AuthConfig Limit FileInfo
- Require all granted
- </Directory>
- ------
- Restart apache 2.4 and test
Update 2020-052-26
The DNS servers had changed slightly by this time
ns1.afraid.org 50.23.197.94
ns2.afraid.org 69.65.50.223
ns3.afraid.org 184.170.243.127
ns4.afraid.org 70.39.97.253
※ Remember to set the CAA record for letsencrypt.org first ※
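The CAA record that both the original setup and this update insist on is what a CA such as Let's Encrypt evaluates before issuing. The following is an added example, not code from this memo, showing how that evaluation works (RFC 8659 semantics: walk from the requested name up to the root, take the first CAA set found, then match `issue`, or `issuewild` for wildcard names, against the CA's identifier). The zone data is constructed to mirror the records in the memo, with flags 0 rather than the memo's 1 (both are non-critical; only 128 sets the critical bit), and the dig-style line format accepted by `parse_caa_lines` is an assumption of this example.

```python
"""Evaluate CAA authorization the way a CA does (RFC 8659 semantics).

Added example; zone data below is constructed to mirror the memo's records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 128 = issuer-critical bit; 0 (or the "1" shown in the memo) is non-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. 'letsencrypt.org' or ';' (deny every CA)


def parse_caa_lines(lines):
    """Parse dig-style presentation lines (assumed format):
         <owner> <ttl> IN CAA <flags> <tag> "<value>"
    Returns {owner_fqdn: [CAARecord, ...]}; lines that do not fit are skipped."""
    zone = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 7 or parts[2] != "IN" or parts[3] != "CAA":
            continue
        owner = parts[0].rstrip(".").lower()
        value = " ".join(parts[6:]).strip('"')
        zone.setdefault(owner, []).append(CAARecord(int(parts[4]), parts[5].lower(), value))
    return zone


def relevant_caa_set(zone, name):
    """Walk from the requested name up towards the root; the first label that
    owns CAA records is the relevant set. No records anywhere -> empty list."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


def _issuer_domain(value):
    # 'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> '' (matches nothing)
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone, name, ca_domain, wildcard=False):
    """True if the CA identified by ca_domain may issue for name
    (wildcard=True asks about a certificate for *.name)."""
    records = relevant_caa_set(zone, name)
    if not records:
        return True          # no CAA anywhere up the tree: any CA may issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"    # issuewild takes precedence for wildcard requests
    matching = [r for r in records if r.tag == tag]
    if not matching:
        return True          # CAA present but no issue/issuewild property: unrestricted
    return any(_issuer_domain(r.value) == ca_domain.lower() for r in matching)


# Constructed sample zone mirroring the memo (CAA only at the apex; www/mtl inherit it)
SAMPLE_ZONE = parse_caa_lines([
    'liujiaje.com. 300 IN CAA 0 issue "letsencrypt.org"',
])

if __name__ == "__main__":
    for host in ("liujiaje.com", "www.liujiaje.com", "mtl.liujiaje.com"):
        print(host,
              "letsencrypt.org:", ca_may_issue(SAMPLE_ZONE, host, "letsencrypt.org"),
              "| other CA:", ca_may_issue(SAMPLE_ZONE, host, "example-ca.test"))
```

Two points this makes visible: the single apex record also governs www.liujiaje.com and mtl.liujiaje.com, because a CA climbs the tree until it finds a CAA set, and a record whose value is just `;` blocks issuance by every CA, which is the usual cause of a puzzling "CAA record prevents issuance" error after a copy-paste mistake.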
Reference: https://certbot.eff.org/lets-encrypt/debianbuster-apache
sudo apt-get install certbot python-certbot-apache (Install Certbot)
sudo certbot --apache (get a certificate and have Certbot edit your Apache configuration automatically to serve it)
sudo certbot renew --dry-run (Test automatic renewal)
sudo certbot renew (run this before expiry to renew the certificate)
Back up the /etc/letsencrypt folder
Below is the output that was returned
Congratulations! You have successfully enabled https://liujiaje.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=liujiaje.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/liujiaje.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/liujiaje.com/privkey.pem
Your cert will expire on 2020-05-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
To force all connections onto https, edit the following configuration.
/etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# Add the following three lines; all connections are then redirected to https
RewriteEngine on
RewriteCond %{SERVER_NAME} =liujiaje.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
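The three lines above are the redirect certbot generates, and they only fire when `%{SERVER_NAME}` is exactly `liujiaje.com`. The memo's DNS setup also publishes A records for www.liujiaje.com and mtl.liujiaje.com, which this condition does not cover. The following is an added example, not code from the memo or from certbot, that models the RewriteCond/RewriteRule pair against constructed requests for those hostnames and checks what a captured redirect should look like (https scheme, same host, path and query preserved). The request samples and the `PUBLISHED_HOSTS` list are constructed from the hostnames on this page.

```python
"""Model of the memo's http->https redirect rule, run against the hostnames
the memo publishes A records for. Added example; requests are constructed."""
from urllib.parse import urlsplit

# Hostnames with A records in the memo's DNS setup
PUBLISHED_HOSTS = ("liujiaje.com", "www.liujiaje.com", "mtl.liujiaje.com")


def rewrite_location(server_name, request_uri, condition_host="liujiaje.com"):
    """Model of:
         RewriteCond %{SERVER_NAME} =liujiaje.com
         RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    Returns the Location header the client would receive, or None when the
    condition fails and the request is served over plain http instead."""
    # '=' in RewriteCond is an exact, case-sensitive string comparison
    if server_name != condition_host:
        return None
    # NE (noescape): REQUEST_URI, i.e. path plus query string, passes through verbatim
    return f"https://{server_name}{request_uri}"


def hosts_left_on_http(hosts=PUBLISHED_HOSTS, condition_host="liujiaje.com"):
    """Hostnames that would still answer over plain http under the rule."""
    return [h for h in hosts if rewrite_location(h, "/", condition_host) is None]


def redirect_is_sound(server_name, request_uri, location):
    """Checks worth running on a captured redirect: https scheme, same host,
    and the original path and query preserved (no silent drop to '/')."""
    if location is None:
        return False
    parts = urlsplit(location)
    path_and_query = parts.path + ("?" + parts.query if parts.query else "")
    return (parts.scheme == "https"
            and parts.hostname == server_name.lower()
            and path_and_query == request_uri)


if __name__ == "__main__":
    for host in PUBLISHED_HOSTS:
        loc = rewrite_location(host, "/mtl/index.php?page=2")
        print(f"{host:20} -> {loc}")
    print("still on plain http:", hosts_left_on_http())
```

Running this shows www.liujiaje.com and mtl.liujiaje.com left on plain http. If those names are meant to be served over TLS as well, the certificate has to cover them and the RewriteCond has to match them; a pattern such as `RewriteCond %{SERVER_NAME} ^(www\.|mtl\.)?liujiaje\.com$` is one way to express that in Apache's regex form (a suggestion of this example, not a setting from the memo).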