Installing Apache on CentOS 7 and deploying a free Let's Encrypt SSL certificate
Note: this is the Apache edition. For Nginx see "Installing Nginx on CentOS 7 and deploying a free Let's Encrypt SSL certificate", and for problems you may run into see "Common problems when deploying Let's Encrypt with Certbot".
Before you start
- If you are not root, prefix every command below with sudo
- The example domain in this article is example.com; substitute your own domain and make sure its A record points at the server's IP address
1 Installing the environment
Enable the EPEL repository (if you do not know what EPEL is, see: What is EPEL? How do I install EPEL on CentOS?)
yum install epel-release
Install the required packages (the older python-certbot-apache package name is deprecated)
yum install httpd mod_ssl certbot-apache
Note the certbot-apache package: it matters because it provides the Certbot program used below. Certbot is a client for Let's Encrypt that obtains certificates and installs them automatically on web servers such as Apache and Nginx, and it is very easy to use.
2 Configuring Apache
Start Apache
systemctl start httpd
Check the service status
systemctl status httpd
Output
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2017-01-05 16:47:06 UTC; 1h 7min ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 9531 (httpd)
   Status: "Total requests: 10; Current requests/sec: 0; Current traffic: 0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─9531 /usr/sbin/httpd -DFOREGROUND
           ├─9532 /usr/sbin/httpd -DFOREGROUND
           ├─9533 /usr/sbin/httpd -DFOREGROUND
           ├─9534 /usr/sbin/httpd -DFOREGROUND
           ├─9535 /usr/sbin/httpd -DFOREGROUND
           └─9536 /usr/sbin/httpd -DFOREGROUND

Jan 05 16:47:05 centos-512mb-nyc3-01 systemd[1]: Starting The Apache HTTP Server...
Jan 05 16:47:05 centos-512mb-nyc3-01 httpd[9531]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message
Jan 05 16:47:06 centos-512mb-nyc3-01 systemd[1]: Started The Apache HTTP Server.
Active: active (running) means Apache is up. Two things in this output are worth acting on: "Loaded: ... disabled" means the service will not come back after a reboot, so run systemctl enable httpd; and the AH00558 warning means no global ServerName is set, so add ServerName example.com to /etc/httpd/conf/httpd.conf (certbot also matches the domain against ServerName/ServerAlias when it looks for the virtual host to configure).
Next, open the firewall for port 80 (http) and port 443 (https)
firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent
Alternative: if the host uses iptables instead of firewalld, run the following
iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Rules added this way are lost on reboot; with the iptables-services package installed, service iptables save writes them to /etc/sysconfig/iptables so they are restored at boot.
Use curl to check that the domain resolves to this server and answers
curl example.com
Normally you will see the HTML source of the home page. curl can also check an https URL; because no trusted certificate is installed yet, add -k to skip certificate verification
curl -k https://example.com
Seeing the page source confirms that port 443 is open and mod_ssl is serving, currently with the self-signed placeholder certificate that ships with mod_ssl. -k is only for this connectivity test; never use it for anything that carries real data, since it disables the very check TLS exists for.
3 Installing the Let's Encrypt SSL certificate
Issuing the certificate uses the certbot installed in step 1. For one certificate that covers several domains or subdomains, use the command below and add a further -d for each additional name
certbot --apache -d example.com -d www.example.com
A separate certificate for a single domain
certbot --apache -d example.com
You can also omit the domain arguments and let certbot read the domains from the Apache configuration and modify it directly
certbot --apache
Follow the prompts to finish the configuration. You will be asked for an email address, which is used for account recovery and for expiry notices; if you passed no -d arguments above, certbot will ask for the domain names here; and if your virtual host configuration has no ServerName, certbot will ask you which virtual host file to use (the default is ssl.conf). The domain must already resolve to this server and be reachable from the internet, because Let's Encrypt proves control of the name by connecting to it.
On success it prints
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire
   on 2016-04-21. To obtain a new version of the certificate in the
   future, simply run Let's Encrypt again.
 - If you lose your account credentials, you can recover through
   e-mails sent to [email protected].
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a secure
   backup of this folder now. This configuration directory will also
   contain certificates and private keys obtained by Let's Encrypt so
   making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
The certificate files are kept under /etc/letsencrypt/live. /etc/letsencrypt/live/example.com/ contains cert.pem, chain.pem, fullchain.pem and privkey.pem as symlinks to the current versions in /etc/letsencrypt/archive; privkey.pem is the private key and must stay readable by root only, and any backup of /etc/letsencrypt (as the notice above suggests) contains that key and has to be protected accordingly.
Before checking whether the SSL connection works, we still need to change CentOS's default SSL configuration to make it more secure.
4 Configuring Apache SSL
Edit ssl.conf
vi /etc/httpd/conf.d/ssl.conf
Find the SSLProtocol and SSLCipherSuite directives and delete or comment them out
. . .
# SSLProtocol all -SSLv2
. . .
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
Then add the following block outside the VirtualHost section. Note that SSLSessionTickets stays commented out: it needs Apache 2.4.11 or later, and CentOS 7 ships httpd 2.4.6, so configtest would reject it.
. . .
</VirtualHost>
. . .
# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off
Two caveats. SSLProtocol All -SSLv2 -SSLv3 still permits TLS 1.0 and 1.1; if you have no legacy clients to serve, SSLProtocol -All +TLSv1.2 is the stricter choice on CentOS 7 (its OpenSSL 1.0.2 has no TLS 1.3). And if certbot wrote SSLProtocol or SSLCipherSuite lines of its own into the virtual host (newer versions include an options-ssl-apache.conf), those vhost-level values take precedence over the global ones above; grep -r SSLProtocol /etc/httpd /etc/letsencrypt shows every place they are set.
Save, exit and check the syntax
apachectl configtest
Syntax OK means the configuration is valid; now restart Apache
systemctl restart httpd
5 Checking the certificate
Open the following link in a browser (replace example.com with your own domain)
https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest
The site grades the certificate and TLS configuration; with the settings above you should get an A+ barring surprises.
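The SSL Labs page is a one-off check from outside. The script below is an added example, not code from the original article, that performs the same checks from the command line so they can be repeated after every configuration change: it uses openssl s_client and curl (assumed to be on PATH) to confirm that the host you pass in negotiates a current protocol, verifies its chain, staples an OCSP response, refuses the legacy protocols, and sends an HSTS header. The hostname and the LEGACY list are assumptions you set yourself; with the article's SSLProtocol line TLS 1.0 and 1.1 are still allowed, so set LEGACY=-ssl3 if you chose to keep them.

```sh
#!/bin/sh
# Added example (not part of the original article): probe a live HTTPS host with
# openssl s_client and curl to confirm the section 4 hardening is what the server
# actually negotiates. Usage: sh tls_check.sh example.com
# Assumes openssl and curl are on PATH. LEGACY lists the protocol flags that must
# be refused; the default also rejects TLS 1.0/1.1, which is stricter than the
# article's SSLProtocol line.
LEGACY=${LEGACY:--ssl3 -tls1 -tls1_1}

# Return 0 when the handshake completed. s_client prints
# "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384" on success and
# "New, (NONE), Cipher is (NONE)" when the server refused the parameters.
handshake_ok() {
    printf '%s\n' "$1" | grep -q '^New, .*Cipher is ' &&
        ! printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'
}

# Negotiated protocol from the SSL-Session block ("    Protocol  : TLSv1.2").
negotiated_protocol() {
    printf '%s\n' "$1" | awk -F': *' '/^ *Protocol *:/ { print $2; exit }'
}

# Return 0 when the chain verified against the system trust store.
chain_verified() {
    printf '%s\n' "$1" | grep -q '^ *Verify return code: 0 (ok)'
}

# Return 0 when the server sent a stapled OCSP response (needs the -status flag).
stapling_present() {
    printf '%s\n' "$1" | grep -q '^ *OCSP Response Status: successful'
}

# Return 0 when the response headers carry HSTS with a max-age of at least one
# year (the article's configuration sets two years). Header names are matched
# case-insensitively; a trailing CR from curl does not matter.
hsts_ok() {
    printf '%s\n' "$1" | awk -F'max-age=' '
        tolower($0) ~ /^strict-transport-security:/ {
            split($2, a, "[^0-9]"); if (a[1] + 0 >= 31536000) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# One s_client run; $2 is intentionally unquoted so several flags can be passed.
# </dev/null closes stdin so s_client exits as soon as the handshake finishes.
s_client_out() {
    openssl s_client -connect "$1:443" -servername "$1" $2 </dev/null 2>&1
}

tls_check() {
    host=$1; rc=0
    out=$(s_client_out "$host" "-status")
    handshake_ok "$out" || { echo "FAIL: no TLS handshake with $host"; return 1; }
    echo "negotiated: $(negotiated_protocol "$out")"
    chain_verified "$out"   && echo "chain: ok"          || { echo "FAIL: chain not verified"; rc=1; }
    stapling_present "$out" && echo "ocsp stapling: yes" || { echo "FAIL: no stapled OCSP response"; rc=1; }
    # Legacy protocols must be refused. An openssl built without SSLv3 rejects the
    # -ssl3 flag outright, which also counts as "refused" here.
    for flag in $LEGACY; do
        if handshake_ok "$(s_client_out "$host" "$flag")"; then
            echo "FAIL: server still accepts $flag"; rc=1
        else
            echo "$flag: refused"
        fi
    done
    hsts_ok "$(curl -sI "https://$host/")" && echo "hsts: ok" \
        || { echo "FAIL: HSTS missing or max-age below one year"; rc=1; }
    return $rc
}

if [ $# -gt 0 ]; then
    tls_check "$1"
fi
```

The exit status is non-zero whenever any check fails, so the script can sit in a deployment pipeline or a monitoring job; the individual parser functions take raw s_client or curl output as a string, which is also what makes them easy to test against captured output.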
6 Automatic certificate renewal
Let's Encrypt certificates are valid for 90 days and can be renewed once they are within 30 days of expiry. certbot's renew subcommand takes care of this; the command is
certbot renew
Because the certificate was only just issued, it reports
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
With the renewal command known, we can create a cron job (in root's crontab, since certbot needs to write to /etc/letsencrypt) that runs it once a day
crontab -e
Add the following entry, all on one line
30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
Save and exit. The system now runs certbot renew at 02:30 every morning, appends the result to /var/log/le-renew.log, and because the certificate was installed with the Apache plugin certbot reloads Apache after a successful renewal. Running daily is safe: certbot only renews certificates that are within the 30-day window and skips the rest. Two refinements are worth making: append 2>&1 to the cron command so errors land in the log file rather than in cron mail, and run certbot renew --dry-run once by hand to exercise the whole renewal path against the Let's Encrypt staging servers without issuing anything. If you ever obtain certificates with certonly instead of --apache, add --deploy-hook "systemctl reload httpd" so Apache picks up the new files.
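The cron line above only appends certbot's output to a log; nothing notices if renewal keeps failing for weeks. The script below is an added example, not code from the original article, for sections 5 and 6: it reads the notAfter date from the certificate on disk (or from the certificate a live host actually presents) and exits non-zero when fewer days remain than a threshold, so a monitoring job can alert. The default threshold of 20 days is deliberate: certbot starts renewing at 30 days, so dropping below 20 means several daily runs have already failed. The certificate path /etc/letsencrypt/live/example.com/cert.pem and the hostname are assumptions; the date conversion is done in awk so the script does not depend on GNU date -d.

```sh
#!/bin/sh
# Added example (not part of the original article): alert when a Let's Encrypt
# certificate is closer to expiry than it should be if renewal were working.
# Usage: sh cert_expiry.sh /etc/letsencrypt/live/example.com/cert.pem [days]
# Assumes openssl is on PATH for the file and live checks; the parsing below
# needs only awk and POSIX sh.

# Convert openssl's notAfter string ("Apr 21 00:00:00 2016 GMT", with or without
# the "notAfter=" prefix) to a Unix epoch. Uses the days-from-civil formula
# (Howard Hinnant) so it works without GNU `date -d` (absent on BusyBox/BSD).
notafter_to_epoch() {
    printf '%s\n' "$1" | awk '{
        sub(/^notAfter=/, "")
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", n, " ")
        for (i = 1; i <= 12; i++) idx[n[i]] = i
        m = idx[$1]; d = $2 + 0; y = $4 + 0; split($3, t, ":")
        if (m <= 2) y--                       # March-based year
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468    # days since 1970-01-01
        printf "%d\n", days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        exit
    }'
}

# Whole days from a reference epoch ($2) to the notAfter string ($1);
# negative once the certificate has expired.
days_left() {
    exp=$(notafter_to_epoch "$1")
    echo $(( (exp - $2) / 86400 ))
}

# notAfter of a certificate file on disk.
file_notafter() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# notAfter of the certificate a live host presents (catches a renewed file that
# Apache never reloaded).
live_notafter() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# $1 = notAfter string, $2 = threshold in days, $3 = "now" as an epoch.
# Returns 0 while more than $2 days remain, 1 otherwise.
check_expiry() {
    left=$(days_left "$1" "$3")
    if [ "$left" -gt "$2" ]; then
        echo "ok: $left days left"
    else
        echo "ALERT: only $left days left; certbot renews at 30 days, so renewal is failing"
        return 1
    fi
}

if [ $# -gt 0 ]; then
    check_expiry "$(file_notafter "$1")" "${2:-20}" "$(date +%s)"
fi
```

A second cron entry such as 0 3 * * * /usr/local/sbin/cert_expiry.sh /etc/letsencrypt/live/example.com/cert.pem (a hypothetical install path) runs after the renewal job; cron mails the ALERT line to root, or a monitoring agent can act on the non-zero exit status. Checking live_notafter example.com as well tells the two failure modes apart: a stale file means certbot failed, a fresh file but stale live certificate means Apache was not reloaded.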