Opening the ports

For everything to work correctly, ports 443 and 80 must be open; otherwise certbot will not be able to establish the connection with the server and will report an error.

Code Block
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT

Installing certbot

Next we need to install certbot:

Code Block
yum -y install epel-release mod_ssl python-certbot-apache

Next, configure certbot. The --apache option means that the script will configure the Apache server automatically. Here and below, replace example.com with your own domain and admin@email.com with your own email address.


Code Block
certbot --apache -m admin@email.com -d example.com -d www.example.com

During setup the following message will appear:


Code Block
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:

Enter A to agree to the terms.


Code Block
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 

Enter N so as not to receive spam in your mailbox.


Code Block
IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.


1: no redirect
2: redirect from HTTP to HTTPS

A successful installation ends with the message:


Code Block
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-03-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Some rewrite rules copied from /etc/httpd/conf/httpd.conf were
   disabled in the vhost for your HTTPS site located at
   /etc/httpd/conf/httpd-le-ssl.conf because they have the potential
   to create redirection loops.
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then go to /etc/httpd/conf.d, open the file abills_httpd.conf and set two parameters in it, taking the paths from the certbot output:

1) Congratulations! Your certificate and chain have been saved at

2) Your key file has been saved at

Code Block
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

And finally, restart the Apache service:

Code Block
systemctl restart httpd.service
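The last two steps (pointing abills_httpd.conf at the issued files and restarting httpd) as a small shell helper. This is an added example and not part of the ABillS page: the function names, the LE_LIVE_DIR override and the permission check are assumptions; the paths themselves are the ones the page uses. The check catches the two things that most often break a restart or weaken the setup: a directive that points at a file httpd cannot read, and a private key readable by other users.

```shell
#!/bin/sh
# Added example, not from the ABillS page: set the two SSL directives in an
# Apache config file and sanity-check the referenced files before restarting
# httpd. LE_LIVE_DIR is an assumed override (the default matches the page) so
# the functions can be exercised outside /etc/letsencrypt.

# set_ssl_paths CONF DOMAIN
# Replace any SSLCertificateFile / SSLCertificateKeyFile lines in CONF with
# the ones for DOMAIN, so the file ends up with exactly one of each.
set_ssl_paths() {
    conf="$1"
    live="${LE_LIVE_DIR:-/etc/letsencrypt/live}/$2"
    # keep every line except the two directives (grep exits 1 when nothing is
    # left or the file does not exist yet; both are fine here)
    grep -v -E '^[[:space:]]*SSLCertificate(Key)?File[[:space:]]' "$conf" > "$conf.tmp" 2>/dev/null || :
    printf 'SSLCertificateFile %s/fullchain.pem\nSSLCertificateKeyFile %s/privkey.pem\n' \
        "$live" "$live" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# check_ssl_paths CONF
# Return 0 when both files named in CONF are readable and the private key is
# not readable by other users; print what is wrong and return 1 otherwise.
check_ssl_paths() {
    conf="$1"; rc=0
    cert=$(awk '$1 == "SSLCertificateFile" { print $2 }' "$conf")
    key=$(awk '$1 == "SSLCertificateKeyFile" { print $2 }' "$conf")
    [ -n "$cert" ] && [ -r "$cert" ] || { echo "certificate not readable: $cert"; rc=1; }
    [ -n "$key" ] && [ -r "$key" ] || { echo "private key not readable: $key"; rc=1; }
    if [ -r "$key" ]; then
        # -L follows the live/ symlink into archive/, where the real file lives
        mode=$(stat -L -c %a "$key")
        case "$mode" in
            600|400) ;;
            *) echo "private key $key has mode $mode, expected 600"; rc=1 ;;
        esac
    fi
    return $rc
}

# Typical use on the server (commented out so the file can be sourced safely):
#   set_ssl_paths /etc/httpd/conf.d/abills_httpd.conf example.com
#   check_ssl_paths /etc/httpd/conf.d/abills_httpd.conf && systemctl restart httpd.service
```

Because `check_ssl_paths` returns non-zero on any problem, chaining it with `&&` before the restart means httpd is only restarted when the configuration it is about to load is usable.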


If the following error occurred during setup:

Warning

Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

you need to add a virtual host for port 80 to the Apache config /etc/httpd/conf.d/vhosts.conf (create the file if it does not exist):


Code Block
vim /etc/httpd/conf.d/vhosts.conf

Adding the virtual host:


Code Block
<VirtualHost *:80>
    ServerAdmin admin@email.com
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html
</VirtualHost>

Save the file, restart the server and repeat the certbot configuration step.

Checking the certificate

After the certificate is installed, certbot will suggest checking the SSL configuration of the given domain on their site (substitute your own domain in the URL):


Code Block
https://www.ssllabs.com/ssltest/analyze.html?d=domain.com

Configuring automatic certificate renewal

For automatic renewal, add the following entry to cron:

Code Block
30 2 * * * root certbot renew >> /var/log/le-renew.log
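The cron line above has a user field (root), which is the format of /etc/crontab and /etc/cron.d files rather than of a per-user crontab. A bare `certbot renew >> log` also leaves two gaps: httpd is never reloaded after a renewal, so it keeps serving the old certificate, and a failed renewal only shows up as a line buried in the log. The wrapper below, an added example that is not part of the ABillS page, closes both. The script name, the LE_RENEW_LOG and LE_LIVE_DIR overrides and the failure patterns are assumptions (the patterns follow certbot's own messages, whose wording differs between versions); `--deploy-hook` and `openssl x509 -checkend` are real options.

```shell
#!/bin/sh
# Added example, not from the ABillS page: a wrapper for the nightly cron
# job. It appends certbot's output to the same log as the page's cron line,
# restarts httpd only when a certificate was actually renewed, and fails
# loudly when certbot reports an error, so an expiring certificate is noticed.
# LE_RENEW_LOG and LE_LIVE_DIR are assumed overrides; defaults match the page.

LOG="${LE_RENEW_LOG:-/var/log/le-renew.log}"

# Failure wording used by certbot renew; extend it if your version reports
# failures differently.
FAIL_RE='produced an unexpected error|All renewal attempts failed|Failed to renew'

# scan_renew_log FILE
# Return 1 (and print the offending lines) if FILE contains one of certbot's
# failure messages, 0 otherwise.
scan_renew_log() {
    if grep -q -E "$FAIL_RE" "$1"; then
        grep -E "$FAIL_RE" "$1" | sed 's/^/renewal failure: /'
        return 1
    fi
    return 0
}

# cert_valid_for_days DOMAIN [DAYS]
# Return 0 if the live certificate for DOMAIN is still valid DAYS days from
# now (default 14, i.e. well inside certbot's 30-day renewal window), so a
# monitoring check can alert before the site actually breaks.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( ${2:-14} * 86400 )) \
        -in "${LE_LIVE_DIR:-/etc/letsencrypt/live}/$1/fullchain.pem"
}

# run_renew
# Run certbot renew, log its output, and return non-zero on any failure.
run_renew() {
    out=$(mktemp)
    # --deploy-hook runs only for certificates that were actually renewed, so
    # httpd is not restarted on the nights when nothing is due.
    certbot renew --deploy-hook 'systemctl restart httpd.service' > "$out" 2>&1
    status=$?
    { date; cat "$out"; } >> "$LOG"
    scan_renew_log "$out" || status=1
    rm -f "$out"
    return $status
}

# Invoke as "sh le-renew.sh run" from cron; without an argument only the
# functions are defined, so the file can also be sourced for checks by hand.
case "${1:-}" in
    run) run_renew ;;
esac
```

With this wrapper the cron entry becomes `30 2 * * * root sh /usr/local/sbin/le-renew.sh run` (the path is an assumption), and cron's own mail on a non-zero exit, or a monitoring job calling `cert_valid_for_days example.com`, surfaces a renewal that silently stopped working.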