How To Secure Apache with Let’s Encrypt on FreeBSD 12.0

news/2024/7/7 20:32:17

Introduction

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps.

In this tutorial, you will use Certbot to set up a TLS/SSL certificate from Let’s Encrypt on a FreeBSD 12.0 server running Apache as a web server. Additionally, you will automate the certificate renewal process using a cron job.

Prerequisites

Before you begin this guide you’ll need the following:

  • A FreeBSD 12.0 server that you can set up as you wish using this guide on How To Get Started with FreeBSD.

  • Apache installed by completing Step 1 of this FAMP stack tutorial.

  • A firewall enabled by following the firewall configuration step in this tutorial’s instructions.

  • Two DNS A Records that point your domain to the public IP address of your server. Our setup will use your-domain and www.your-domain as the domain names, both of which will require a valid DNS record. You can follow this introduction to DigitalOcean DNS for details on how to add the DNS records with the DigitalOcean platform. DNS A records are required because of how Let’s Encrypt validates that you own the domain for which it is issuing a certificate. For example, if you want to obtain a certificate for your-domain, that domain must resolve to your server for the validation process to work.

Once these prerequisites are fulfilled you can start installing Certbot, the tool that will allow you to install Let’s Encrypt certificates.

Step 1 — Installing the Certbot Tool for Let’s Encrypt

A Let’s Encrypt certificate ensures that users’ browsers can verify that the web server is secured by a trusted Certificate Authority. Communications with the web server are protected by encryption using HTTPS.

In this step you’ll install the Certbot tool for your web server to make a request to the Let’s Encrypt servers in order to issue a valid certificate and keys for your domain.

Run the following command to install the Certbot package and its Apache HTTP plugin:

  • sudo pkg install -y py37-certbot py37-certbot-apache

Now that you’ve installed the package, you can move on to enable TLS connections in the web server.

Step 2 — Enabling SSL/TLS connections in Apache HTTP

By default any install of Apache HTTP will be serving content on port 80 (HTTP). The Listen 80 entry in the main httpd.conf configuration file confirms this. To allow HTTPS connections, the server also needs to accept connections on port 443, the default HTTPS port. To add port 443 and to establish SSL/TLS connections you’ll enable the mod_ssl module in Apache HTTP.

To find this module in the httpd.conf file, you’ll use grep with the -n flag to number the lines from the file in the specified path. Here you’ll find mod_ssl.so by running the following command:

  • grep -n 'mod_ssl.so' /usr/local/etc/apache24/httpd.conf

As output you’ll receive the number for the line you need:

/usr/local/etc/apache24/httpd.conf
148 #LoadModule ssl_module libexec/apache24/mod_ssl.so

To enable the module, you’ll remove the hash symbol (#) at the beginning of the line.

Using the line number from the previous command open the file with the following:

  • sudo vi +148 /usr/local/etc/apache24/httpd.conf

This will take you directly to the correct line for editing.

Edit the line to look like the following by pressing x:

/usr/local/etc/apache24/httpd.conf
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
#LoadModule http2_module libexec/apache24/mod_http2.so
#LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so

Once you’ve removed the #, press :wq and then ENTER to close the file.

You’ve enabled the SSL/TLS capabilities in Apache HTTP. In the next step you’ll configure the virtual hosts in Apache HTTP.

Step 3 — Enabling and Configuring Virtual Hosts

A virtual host is a method by which several websites can concurrently and independently live in the same server using the same Apache HTTP installation. Certbot requires this setup to place specific rules within the configuration file (virtual host) for the Let’s Encrypt certificates to work.

To begin, you’ll enable virtual hosts in Apache HTTP. Run the following command to locate the directive in the file:

  • grep -n 'vhosts' /usr/local/etc/apache24/httpd.conf

You’ll see the line number in your output:

Output
508 #Include etc/apache24/extra/httpd-vhosts.conf

Now use the following command to edit the file and remove # from the beginning of that line:

  • sudo vi +508 /usr/local/etc/apache24/httpd.conf

As before, hit x to delete # from the beginning of the line to look like the following:

/usr/local/etc/apache24/httpd.conf
...
# User home directories
#Include etc/apache24/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include etc/apache24/extra/httpd-info.conf

# Virtual hosts
Include etc/apache24/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include etc/apache24/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include etc/apache24/extra/httpd-dav.conf
...

Then press :wq and ENTER to save and quit the file.

Now that you’ve enabled virtual hosts in Apache HTTP you’ll modify the default virtual host configuration file to replace the example domains with your domain name.

You’ll now add a virtual host block to the httpd-vhosts.conf file. You’ll edit the file and remove the two existing VirtualHost blocks, after the comments block at line 23, with the following command:

  • sudo vi +23 /usr/local/etc/apache24/extra/httpd-vhosts.conf

After opening the file remove the two existing VirtualHost configuration blocks, then add the following block with this specific configuration:

/usr/local/etc/apache24/extra/httpd-vhosts.conf
<VirtualHost *:80>
    ServerAdmin your_email@your_domain.com
    DocumentRoot "/usr/local/www/apache24/data/your_domain.com"
    ServerName your_domain.com
    ServerAlias www.your_domain.com
    ErrorLog "/var/log/your_domain.com-error_log"
    CustomLog "/var/log/your_domain.com-access_log" common
</VirtualHost>

In this block you’re configuring the following:

  • ServerAdmin: This is where the email address of the person in charge of that particular site is placed.

  • DocumentRoot: This directive defines where the files for the specific site will be placed and be read from.

  • ServerName: This is for the domain name of the site.

  • ServerAlias: Similar to ServerName but placing www. before the domain name.

  • ErrorLog: This is where the error log path is declared. All error messages will be written in the file specified in this directive.

  • CustomLog: Similar to ErrorLog but this time the file is the one collecting all the access logs.

Finally you’ll create the directory where the site will be placed. This path has to match the one you’ve declared in the DocumentRoot directive in the httpd-vhosts.conf file.

  • sudo mkdir /usr/local/www/apache24/data/your_domain.com

Now change the permissions of the directory so the Apache HTTP process (running as the www user) can work with it:

  • sudo chown -R www:www /usr/local/www/apache24/data/your_domain.com

You’ve used chown with the -R flag to change the ownership recursively. The user and group are set by www:www.

You’ve enabled virtual hosts in Apache HTTP. You’ll now enable the rewrite module.

Step 4 — Enabling the Rewrite Module

Enabling the rewrite module within Apache HTTP is necessary to rewrite URLs, for example when redirecting from HTTP to HTTPS.

Use the following command to find the rewrite module:

  • grep -n 'rewrite' /usr/local/etc/apache24/httpd.conf

You’ll see output similar to:

Output
180 #LoadModule rewrite_module libexec/apache24/mod_rewrite.so

To enable the module you will now remove # from the beginning of the line:

  • sudo vi +180 /usr/local/etc/apache24/httpd.conf

Edit your file to look like the following by hitting x to delete # from the start of the line:

/usr/local/etc/apache24/httpd.conf
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
LoadModule php7_module        libexec/apache24/libphp7.so

# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf

<IfModule unixd_module>

Save and exit this file.

You’ve now finished setting up the necessary configurations in Apache.
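
The three manual edits from Steps 2 to 4 can be checked, and applied idempotently, with a small script. This is an added example, not part of the original tutorial; the function names are hypothetical and the directive text is copied from the httpd.conf excerpts above.

```shell
#!/bin/sh
# Added example (not from the tutorial): check, and with --fix enable,
# the three httpd.conf lines that Steps 2-4 uncomment by hand.

# Directive text copied from the tutorial's httpd.conf excerpts.
REQUIRED_DIRECTIVES='LoadModule ssl_module libexec/apache24/mod_ssl.so
Include etc/apache24/extra/httpd-vhosts.conf
LoadModule rewrite_module libexec/apache24/mod_rewrite.so'

# directive_state FILE DIRECTIVE
# Prints "enabled", "commented" or "missing" for an exact directive line.
directive_state() {
    awk -v want="$2" '
        {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line == want) active = 1
            sub(/^#[ \t]*/, "", line)
            if (line == want) seen = 1
        }
        END { print (active ? "enabled" : (seen ? "commented" : "missing")) }
    ' "$1"
}

# enable_directive FILE DIRECTIVE
# Uncomments the first commented copy of DIRECTIVE. The file is rewritten
# through a temporary copy because "sed -i" takes different arguments on
# FreeBSD and GNU systems; "cat >" keeps the original owner and mode.
enable_directive() {
    tmp="$1.tmp.$$"
    awk -v want="$2" '
        {
            line = $0
            sub(/^[ \t]*#[ \t]*/, "", line)
            sub(/[ \t]+$/, "", line)
            if (!fixed && $0 ~ /^[ \t]*#/ && line == want) {
                print want; fixed = 1; next
            }
            print
        }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# audit_httpd_conf FILE [--fix]
# Reports each directive's state; returns 0 only if all three are enabled.
audit_httpd_conf() {
    conf="$1"; fix="${2:-}"; rc=0
    old_ifs=$IFS
    IFS='
'
    for d in $REQUIRED_DIRECTIVES; do
        state=$(directive_state "$conf" "$d")
        if [ "$state" = commented ] && [ "$fix" = --fix ]; then
            enable_directive "$conf" "$d"
            state=$(directive_state "$conf" "$d")
        fi
        printf '%-9s %s\n' "$state" "$d"
        [ "$state" = enabled ] || rc=1
    done
    IFS=$old_ifs
    return "$rc"
}

# Usage: sh audit.sh /usr/local/etc/apache24/httpd.conf [--fix]
if [ "$#" -gt 0 ]; then
    audit_httpd_conf "$@"
fi
```

After a --fix run, apachectl configtest confirms that Apache still parses the file before you restart it.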

Step 5 — Obtaining a Let’s Encrypt Certificate

Certbot provides a variety of ways to obtain SSL certificates through various plugins. The apache plugin will take care of reconfiguring Apache HTTP. To execute the interactive installation and obtain a certificate that covers only a single domain, run the following certbot command:

  • sudo certbot --apache -d your-domain -d www.your-domain

If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command, tagging each new domain or subdomain with the -d flag. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate. For this reason, pass the base domain name first, followed by any additional subdomains or aliases.

If this is your first time running certbot on this server, the client will prompt you to enter an email address and agree to the Let’s Encrypt terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.

If the challenge is successful, Certbot will ask how you’d like to configure your HTTPS settings:

Output
. . .
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

You will also be able to choose between enabling both HTTP and HTTPS access or forcing all requests to redirect to HTTPS. For better security, it is recommended to choose the option 2: Redirect if you do not have any special need to allow unencrypted connections. Select your choice then hit ENTER.

This will update the configuration and reload Apache HTTP to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:

Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /usr/local/etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /usr/local/etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on yyyy-mm-dd. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again.
   To non-interactively renew *all* of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /usr/local/etc/letsencrypt. You should
   make a secure backup of this folder now. This configuration
   directory will also contain certificates and private keys obtained
   by Certbot so making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certificates are now downloaded, installed, and configured. Try reloading your website using https:// and notice your browser’s security indicator. It will show that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

Certbot has made some important configuration changes. When it installs the certificates in your web server it has to place them in specific paths. If you now read the content in the httpd-vhosts.conf file you’ll observe a few changes made by the Certbot program.

For example in the <VirtualHost *:80> section the redirect rules (if chosen) are placed at the bottom of it.

/usr/local/etc/apache24/extra/httpd-vhosts.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.your_domain.com [OR]
RewriteCond %{SERVER_NAME} =your_domain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Certbot has also created a file called httpd-vhosts-le-ssl.conf where the configuration for the certificates on Apache has been placed:

/usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin your_email@your_domain.com
    DocumentRoot "/usr/local/www/apache24/data/your_domain.com"
    ServerName your_domain.com
    ServerAlias www.your_domain.com
    ErrorLog "/var/log/your_domain.com-error_log"
    CustomLog "/var/log/your_domain.com-access_log" common

Include /usr/local/etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /usr/local/etc/letsencrypt/live/your_domain.com/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/your_domain.com/privkey.pem
</VirtualHost>
</IfModule>

Note: If you would like to make changes to the use of cipher suites on sites with Let’s Encrypt certificates, you can do so in the /usr/local/etc/letsencrypt/options-ssl-apache.conf file.

Having obtained your Let’s Encrypt certificate, you can now move on to set up automatic renewals.

Step 6 — Configuring Automatic Certificate Renewal

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. Because of this, it is best practice to automate this process to periodically check and renew the certificate.

First, let’s examine the command that you will use to renew the certificate. The certbot Let’s Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date. By using the --dry-run option, you can run a simulation of this task to test how renew works:

  • sudo certbot renew --dry-run

A practical way to ensure your certificates will not get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day.

The official Certbot documentation recommends running cron twice per day. This will ensure that, in case Let’s Encrypt initiates a certificate revocation, there will be no more than half a day before Certbot renews your certificate.

Edit the crontab to create a new job that will run the renewal twice per day. To edit the crontab for the root user, run:

  • sudo crontab -e

Place the following configuration in the file so that, twice a day, the system will look for renewable certificates and will renew them if they need to:

SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
# Order of crontab fields
# minute    hour    mday    month   wday    command
  0         0,12    *       *       *       /usr/local/bin/certbot renew

The first two lines declare environment variables: the shell the commands run in and the paths searched for executables. You then indicate the time frames you’re interested in and the command to execute.

With this short set of instructions you’ve configured the automatic renewal of certificates.
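
A cron job that fails silently leaves the certificate to expire, so it helps to check independently that renewal is actually happening. The script below is an added example, not part of the original tutorial: it uses openssl x509 -checkend to flag a certificate that should already have been renewed. The function names and the 21-day threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): flag a certificate that the
# twice-daily "certbot renew" cron job should already have replaced.

# Assumption: certbot renews once fewer than 30 days remain, so a
# certificate with under 21 days left has missed over a week of attempts.
WARN_DAYS=21

# cert_expires_within CERT_PEM DAYS
# Returns 0 if the certificate is expired or expires within DAYS days,
# 1 if it stays valid longer, 2 if the file is not a readable certificate.
cert_expires_within() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
    if openssl x509 -noout -checkend "$(($2 * 86400))" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renewal_status CERT_PEM [DAYS]
# Prints "ok", "renewal-overdue" or "unreadable".
renewal_status() {
    rc=0
    cert_expires_within "$1" "${2:-$WARN_DAYS}" || rc=$?
    case "$rc" in
        0) echo "renewal-overdue" ;;
        1) echo "ok" ;;
        *) echo "unreadable" ;;
    esac
}

# Usage (as root, since the live directory is not world-readable):
#   sh check_renewal.sh /usr/local/etc/letsencrypt/live/your_domain.com/fullchain.pem
if [ "$#" -gt 0 ]; then
    renewal_status "$@"
fi
```

Anything other than ok is a reason to look at the output of sudo certbot renew --dry-run.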

Conclusion

In this tutorial, you’ve installed the Let’s Encrypt client certbot, downloaded SSL certificates for a domain, configured Apache to use these certificates, and set up automatic certificate renewal. For further information see Certbot’s documentation.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-freebsd-12-0
