...
| Code Block |
|---|
yum -y install epel-release mod_ssl python-certbot-apache |
Далее настраиваем certbot. Ключ –apache значит, что скрипт автоматически настроит apache сервер. Здесь и далее example.com меняем на свой домен, admin@email.com – на свой email.
| Code Block |
|---|
certbot --apache -m admin@email.com -d example.com -d www.example.com |
В процессе установки появится сообщение
| Code Block |
|---|
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: |
Вводим A, чтоб согласиться c условиями.
| Code Block |
|---|
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: |
Вводим N, чтоб не получать спам на почту.
| Code Block |
|---|
IMPORTANT NOTES: - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. |
1 – без переадресаций
2 – с http переадресация на https
Успешная установка заканчивается фразой:
| Code Block |
|---|
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/example.com/privkey.pem Your cert will expire on 2019-03-05. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Some rewrite rules copied from /etc/httpd/conf/httpd.conf were disabled in the vhost for your HTTPS site located at /etc/httpd/conf/httpd-le-ssl.conf because they have the potential to create redirection loops. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le |
Затем нам надо зайти в /etc/httpd/conf.d затем надо открыть файл abills_httpd.conf и прописать в нем два параметра
1) Congratulations! Your certificate and chain have been saved at
2) Your key file has been saved at
| Code Block |
|---|
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem |
...
Сохраняем файл, перезапускаем сервер, выполняем пункт с настройкой certbot заново.
Проверка сертификата
После установки сертификата certbot предложит проверить ssl для указанного домена на их сайте:
| Code Block |
|---|
https://www.ssllabs.com/ssltest/analyze.html?d=domain.com |
Настройка автоматического продления сертификата
Для авто продления, надо в кроне записать такой параметр:
| Code Block |
|---|
30 2 * * * root certbot renew >> /var/log/le-renew.log |