在Ubuntu上为Apache部署自动续期的Let's Encrypt服务
如果你使用的是Nginx作为web服务应用软件请移步:Ubuntu中为Nginx部署自动续期的Let's Encrypt服务
一 安装Certbot客户端
更新系统
sudo apt update
安装certbot
sudo apt install certbot python3-certbot-apache
二 检查Apache虚拟主机配置
在Ubuntu中apache的网站配置文件位于
sudo nano /etc/apache2/sites-available/your_domain.conf
需要注意的是,certbot会根据配置文件中的这两个参数来查找域名
ServerName your_domain ServerAlias www.your_domain
修改了apache的conf配置文件后需要重启服务
sudo apache2ctl configtest #检查配置文件语法 sudo systemctl reload apache2 #重启服务
三 配置防火墙规则
ubuntu的防火墙默认是关闭的,如果不确定可以使用sudo ufw status来查看状态
Status: inactive
启动服务
sudo systemctl start ufw.service
开机自启动
sudo ufw enable
关闭开机自启动
udo ufw disable
给Apache放行
sudo ufw allow 'Apache Full'
删除多余Apache配置项
sudo ufw delete allow 'Apache'
查看当前生效的规则
sudo ufw status
结果显示
Status: active To Action From -- ------ ---- Apache Full ALLOW Anywhere 22/tcp ALLOW Anywhere Apache Full (v6) ALLOW Anywhere (v6) 22/tcp (v6) ALLOW Anywhere (v6)
四 为网站生成SSL证书
sudo certbot --apache
该过程会有几下几个步骤
Saving debug log to /var/log/letsencrypt/letsencrypt.log Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): you@your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: N
Which names would you like to activate HTTPS for? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: your_domain 2: www.your_domain - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):
Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/your_domain/fullchain.pem Key is saved at: /etc/letsencrypt/live/your_domain/privkey.pem This certificate expires on 2022-07-10. These files will be updated when the certificate renews. Certbot has set up a scheduled task to automatically renew this certificate in the background. Deploying certificate Successfully deployed certificate for your_domain to /etc/apache2/sites-available/your_domain-le-ssl.conf Successfully deployed certificate for www.your_domain.com to /etc/apache2/sites-available/your_domain-le-ssl.conf Congratulations! You have successfully enabled HTTPS on https:/your_domain and https://www.your_domain.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
五 让Certbot为证书自动续期
sudo systemctl status certbot.timer
输出
certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset:>
Active: active (waiting) since Mon 2022-04-11 20:52:46 UTC; 4min 3s ago
Trigger: Tue 2022-04-12 00:56:55 UTC; 4h 0min left
Triggers: ● certbot.service
Apr 11 20:52:46 jammy-encrypt systemd[1]: Started Run certbot twice daily.测试设置结果
sudo certbot renew --dry-run
输出
Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/your_domain.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Account registered. Simulating renewal of an existing certificate for your_domain and www.your_domain.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations, all simulated renewals succeeded: /etc/letsencrypt/live/your_domain/fullchain.pem (success) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
至此,恭喜!你已大功告成