freebsd 9.1.1
Introduction
Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps.
In this tutorial, you will use Certbot to set up a TLS/SSL certificate from Let’s Encrypt on a FreeBSD 12.0 server running Apache as a web server. Additionally, you will automate the certificate renewal process using a cron job.
Prerequisites
Before you begin this guide you’ll need the following:
A FreeBSD 12.0 server that you can set up as you wish using this guide on How To Get Started with FreeBSD.
Apache installed by completing Step 1 of this FAMP stack tutorial.
An enabled firewall, configured by following the firewall configuration step in this tutorial’s instructions.
Two DNS A records that point your domain to the public IP address of your server. Our setup will use your-domain and www.your-domain as the domain names, both of which will require a valid DNS record. You can follow this introduction to DigitalOcean DNS for details on how to add the DNS records with the DigitalOcean platform. DNS A records are required because of how Let’s Encrypt validates that you own the domain for which it is issuing a certificate. For example, if you want to obtain a certificate for your-domain, that domain must resolve to your server for the validation process to work.
Once these prerequisites are fulfilled you can start installing Certbot, the tool that will allow you to install Let’s Encrypt certificates.
Step 1 — Installing the Certbot Tool for Let’s Encrypt
A Let’s Encrypt certificate ensures that users’ browsers can verify that the web server is secured by a trusted Certificate Authority. Communications with the web server are protected by encryption using HTTPS.
In this step you’ll install the Certbot tool for your web server to make a request to the Let’s Encrypt servers in order to issue a valid certificate and keys for your domain.
Run the following command to install the Certbot package and its Apache HTTP plugin:
sudo pkg install -y py37-certbot py37-certbot-apache
Now that you’ve installed the package, you can move on to enable TLS connections in the web server.
Step 2 — Enabling SSL/TLS Connections in Apache HTTP
By default any install of Apache HTTP will be serving content on port 80 (HTTP). The Listen 80 entry in the main httpd.conf configuration file confirms this. To allow HTTPS connections, you’ll also need Apache to accept connections on port 443. To add port 443 and establish SSL/TLS connections, you’ll enable the mod_ssl module in Apache HTTP.
To find this module in the httpd.conf file, you’ll use grep with the -n flag, which prefixes each matching line with its line number in the file at the specified path. Find mod_ssl.so by running the following command:
grep -n 'mod_ssl.so' /usr/local/etc/apache24/httpd.conf
As output you’ll receive the number of the line you need:
148 #LoadModule ssl_module libexec/apache24/mod_ssl.so
To enable the module, you’ll remove the # symbol at the beginning of the line.
Using the line number from the previous command, open the file with the following:
sudo vi +148 /usr/local/etc/apache24/httpd.conf
This will take you directly to the correct line for editing.
Edit the line to look like the following by pressing x (which deletes the character under the cursor):
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
#LoadModule http2_module libexec/apache24/mod_http2.so
#LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
Once you’ve removed the #, press :wq and then ENTER to save and close the file.
You’ve enabled the SSL/TLS capabilities in Apache HTTP. In the next step you’ll configure the virtual hosts in Apache HTTP.
Step 3 — Enabling and Configuring Virtual Hosts
A virtual host is a method by which several websites can concurrently and independently run on the same server using the same Apache HTTP installation. Certbot requires this setup so it can place specific rules within the configuration file (virtual host) for the Let’s Encrypt certificates to work.
To begin, you’ll enable virtual hosts in Apache HTTP. Run the following command to locate the directive in the file:
grep -n 'vhosts' /usr/local/etc/apache24/httpd.conf
You’ll see the line number in your output:
Output
508 #Include etc/apache24/extra/httpd-vhosts.conf
Now use the following command to edit the file and remove # from the beginning of that line:
sudo vi +508 /usr/local/etc/apache24/httpd.conf
As before, hit x to delete # from the beginning of the line, so that it looks like the following:
...
# User home directories
#Include etc/apache24/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include etc/apache24/extra/httpd-info.conf
# Virtual hosts
Include etc/apache24/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include etc/apache24/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include etc/apache24/extra/httpd-dav.conf
...
Then press :wq and ENTER to save and quit the file.
Now that you’ve enabled virtual hosts in Apache HTTP, you’ll modify the default virtual host configuration file to replace the example domains with your domain name.
You’ll now add a virtual host block to the httpd-vhosts.conf file. You’ll edit the file and remove the two existing VirtualHost blocks, which follow the comment block at line 23, with the following command:
sudo vi +23 /usr/local/etc/apache24/extra/httpd-vhosts.conf
After opening the file, remove the two existing VirtualHost configuration blocks, then add the following block with this specific configuration:
<VirtualHost *:80>
    ServerAdmin your_email@your_domain.com
    DocumentRoot "/usr/local/www/apache24/data/your_domain.com"
    ServerName your_domain.com
    ServerAlias www.your_domain.com
    ErrorLog "/var/log/your_domain.com-error_log"
    CustomLog "/var/log/your_domain.com-access_log" common
</VirtualHost>
In this block you’re configuring the following:
ServerAdmin: This is where the email address of the person in charge of that particular site is placed.
DocumentRoot: This directive defines where the files for the specific site will be placed and read from.
ServerName: This is the domain name of the site.
ServerAlias: Similar to ServerName, but with www. placed before the domain name.
ErrorLog: This is where the error log path is declared. All error messages will be written to the file specified in this directive.
CustomLog: Similar to ErrorLog, but this time the file is the one collecting all the access logs.
Finally you’ll create the directory where the site will be placed. This path has to match the one you’ve declared in the DocumentRoot directive in the httpd-vhosts.conf file.
sudo mkdir /usr/local/www/apache24/data/your_domain.com
Now change the ownership of the directory so the Apache HTTP process (running as the www user) can work with it:
sudo chown -R www:www /usr/local/www/apache24/data/your_domain.com
You’ve used chown to change the ownership, with the -R flag to make the action recursive. The user and group are set to www:www.
You’ve enabled virtual hosts in Apache HTTP. You’ll now enable the rewrite module.
Step 4 — Enabling the Rewrite Module
Enabling the rewrite module within Apache HTTP is necessary to make URLs change, for example when redirecting from HTTP to HTTPS.
Use the following command to find the rewrite module:
grep -n 'rewrite' /usr/local/etc/apache24/httpd.conf
You’ll see output similar to:
Output
180 #LoadModule rewrite_module libexec/apache24/mod_rewrite.so
To enable the module you will now remove # from the beginning of the line:
sudo vi +180 /usr/local/etc/apache24/httpd.conf
Edit your file to look like the following by hitting x to delete # from the start of the line:
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
LoadModule php7_module libexec/apache24/libphp7.so
# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
<IfModule unixd_module>
Save and exit this file.
You’ve now finished setting up the necessary configurations in Apache.
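As an added example that is not part of the original tutorial, the following POSIX sh script performs the three edits from Steps 2, 3 and 4 (uncommenting mod_ssl, the vhosts Include and mod_rewrite) with sed instead of vi, so it can be re-run safely and keeps a backup of the file. The HTTPD_CONF variable and the function names are this example’s own; the default path is the tutorial’s httpd.conf.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a scripted, idempotent version
# of the "vi +N" edits from Steps 2-4. It uncomments the three directives the
# tutorial enables by hand, keeps a backup, and verifies each one afterwards.
# Pass the config path via HTTPD_CONF (the tutorial's /usr/local/etc/apache24/httpd.conf).

# directive_active FILE PATTERN -> 0 if a line starting with PATTERN is uncommented
directive_active() {
    grep -q "^$2" "$1"
}

# enable_directive FILE PATTERN
# Turns "#PATTERN..." into "PATTERN..." (the same change as pressing x in vi).
# Returns 0 when the directive is active afterwards, 1 if it was not found at all.
enable_directive() {
    file=$1; pattern=$2
    if directive_active "$file" "$pattern"; then
        return 0                                   # already enabled, nothing to do
    fi
    if ! grep -q "^#$pattern" "$file"; then
        echo "enable_directive: '$pattern' not found in $file" >&2
        return 1
    fi
    # sed -i with a suffix works on both BSD and GNU sed; the .bak copy is the backup
    sed -i.bak "s|^#$pattern|$pattern|" "$file"
    directive_active "$file" "$pattern"
}

# enable_apache_tls_prereqs FILE: the three lines that Steps 2, 3 and 4 uncomment
enable_apache_tls_prereqs() {
    enable_directive "$1" "LoadModule ssl_module" &&
    enable_directive "$1" "Include etc/apache24/extra/httpd-vhosts.conf" &&
    enable_directive "$1" "LoadModule rewrite_module"
}

# Only touch a real config when the caller names it explicitly
if [ -n "${HTTPD_CONF:-}" ]; then
    enable_apache_tls_prereqs "$HTTPD_CONF" && echo "TLS prerequisites enabled in $HTTPD_CONF"
fi
```

Run apachectl configtest afterwards, before restarting Apache: the script only checks that the lines were uncommented, not that the resulting configuration loads.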
Step 5 — Obtaining a Let’s Encrypt Certificate
Certbot provides a variety of ways to obtain SSL certificates through various plugins. The apache plugin will take care of reconfiguring Apache HTTP. To execute the interactive installation and obtain a certificate for your domain and its www alias, run the following certbot command:
sudo certbot --apache -d your-domain -d www.your-domain
If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command, tagging each new domain or subdomain with the -d flag. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate. For this reason, pass the base domain name first, followed by any additional subdomains or aliases.
If this is your first time running certbot on this server, the client will prompt you to enter an email address and agree to the Let’s Encrypt terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.
If the challenge is successful, Certbot will ask how you’d like to configure your HTTPS settings:
Output
. . .
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
You will also be able to choose between enabling both HTTP and HTTPS access or forcing all requests to redirect to HTTPS. For better security, it is recommended to choose option 2: Redirect if you do not have any special need to allow unencrypted connections. Select your choice then hit ENTER.
This will update the configuration and reload Apache HTTP to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:
Output
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/usr/local/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/usr/local/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on yyyy-mm-dd. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /usr/local/etc/letsencrypt. You should
make a secure backup of this folder now. This configuration
directory will also contain certificates and private keys obtained
by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Your certificates are now downloaded, installed, and configured. Try reloading your website using https:// and notice your browser’s security indicator. It will indicate that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.
Certbot has made some important configuration changes. When it installs the certificates in your web server it has to place them in specific paths. If you now read the content of the httpd-vhosts.conf file you’ll observe a few changes made by the Certbot program.
For example, in the <VirtualHost *:80> section the redirect rules (if chosen) are placed at the bottom:
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.your_domain.com [OR]
RewriteCond %{SERVER_NAME} =your_domain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Certbot has also created a file called httpd-vhosts-le-ssl.conf where the configuration for the certificates on Apache has been placed:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin your_email@your_domain.com
    DocumentRoot "/usr/local/www/apache24/data/your_domain.com"
    ServerName your_domain.com
    ServerAlias www.your_domain.com
    ErrorLog "/var/log/your_domain.com-error_log"
    CustomLog "/var/log/your_domain.com-access_log" common
    Include /usr/local/etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /usr/local/etc/letsencrypt/live/your_domain.com/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/your_domain.com/privkey.pem
</VirtualHost>
</IfModule>
Note: If you would like to change the cipher suites used on sites with Let’s Encrypt certificates, you can do so in the /usr/local/etc/letsencrypt/options-ssl-apache.conf file.
Having obtained your Let’s Encrypt certificate, you can now move on to set up automatic renewals.
Step 6 — Configuring Automatic Certificate Renewal
Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. Because of this, it is best practice to automate this process to periodically check and renew the certificate.
First, let’s examine the command that you will use to renew the certificate. The certbot Let’s Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date. By using the --dry-run option, you can run a simulation of this task to test how renew works:
sudo certbot renew --dry-run
A practical way to ensure your certificates will not get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day.
The official Certbot documentation recommends running the job via cron twice per day. This ensures that, in case Let’s Encrypt initiates a certificate revocation, there will be no more than half a day before Certbot renews your certificate.
Edit the crontab to create a new job that will run the renewal twice per day. To edit the crontab for the root user, run:
sudo crontab -e
Place the following configuration in the file so that, twice a day, the system will look for renewable certificates and will renew them if they need to be:
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
# Order of crontab fields
# minute hour mday month wday command
0 0,12 * * * /usr/local/bin/certbot renew
The first two lines declare environment variables: PATH tells cron where to find the executables and SHELL which shell runs the command. The last line gives the schedule you’re interested in (minute 0 of hours 0 and 12, every day) and the command to execute.
With this short set of instructions you’ve configured the automatic renewal of certificates.
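The cron job above only works as long as certbot renew keeps succeeding silently. As an added example (not part of the original tutorial), the following POSIX sh script checks the same 30-day renewal window independently with openssl(1) and reports every certificate under the live directory shown in the Step 5 output, so a broken renewal is noticed long before the 90 days run out. LIVE_DIR, RENEW_WINDOW_DAYS and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: an independent check of the
# 30-day renewal window that "certbot renew" applies (Step 6). Suitable as a second
# cron job or a monitoring probe; it needs only openssl(1) from FreeBSD base and
# never invokes certbot itself.
LIVE_DIR="${LIVE_DIR:-/usr/local/etc/letsencrypt/live}"   # path from the Step 5 output
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"                # certbot renew's threshold

# cert_within_window PEM DAYS -> 0 if the certificate expires within DAYS days
# (or has already expired), 1 if more than DAYS days remain.
cert_within_window() {
    seconds=$(( $2 * 86400 ))
    # -checkend exits 0 when the cert is still valid at now+seconds, 1 when it is not
    if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_not_after PEM -> prints the notAfter date of the certificate
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# renewal_report DIR DAYS
# Prints one line per DIR/<name>/fullchain.pem: "DUE <name> <notAfter>" when the
# certificate is inside the renewal window, "OK  <name> <notAfter>" otherwise.
# Pipe through "grep ^DUE" to turn it into an alert condition.
renewal_report() {
    dir=$1; days=$2
    for pem in "$dir"/*/fullchain.pem; do
        [ -f "$pem" ] || continue                  # no certificates issued yet
        name=$(basename "$(dirname "$pem")")
        if cert_within_window "$pem" "$days"; then
            echo "DUE $name $(cert_not_after "$pem")"
        else
            echo "OK  $name $(cert_not_after "$pem")"
        fi
    done
}

renewal_report "$LIVE_DIR" "$RENEW_WINDOW_DAYS"
```

A certificate still reported DUE a day after the 0 0,12 cron slot means renewal is failing; certbot renew --dry-run from Step 6 is the first thing to rerun by hand.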
Conclusion
In this tutorial, you’ve installed the Let’s Encrypt client certbot, downloaded SSL certificates for a domain, configured Apache to use these certificates, and set up automatic certificate renewal. For further information see Certbot’s documentation.
Translated from: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-freebsd-12-0