韌館-LearnHouse

在Ubuntu 20.04上設定Apache VirtualHost加入Let's Encrypt SSL

我們都知道https是一個安全的連線加密機制,但一想到申請憑證就需要付一大筆費用。若非是商業網站像我這樣的個人網誌,就會覺得是一筆多餘的開銷
不過近幾年來出現了一個名為Let’s Encrypt的數位憑證認證機構(CA)推出免費SSL/TLS憑證服務
不過缺點就是憑證的效期只有三個月,也就是說每三個月要更新一次,但別擔心有自動更新機制。所以既然是免費的,因此本人的Blog就開始強迫走https連線囉~

申請和設定的步驟如下:

1.確保你的防火牆有開通80與443 port

sudo ufw allow 80
sudo ufw allow 443

2.安裝Let’s Encrypt工具

sudo apt install letsencrypt

3.查看certbot.timer是否啟動,每兩天會確認一次憑證效期,自動展期(renewal)30天後到期的憑證

sudo systemctl status certbot.timer

4. 取得Let's Encrypt SSL憑證,指定你的domain-name.com

sudo certbot certonly --standalone --agree-tos --preferred-challenges http -d learn-house.idv.tw

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): 輸入你的mail

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 可選擇N

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for learn-house.idv.tw
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

5. 自動安裝SSL憑證。要先安裝CertBot工具,執行後若沒設定443 port的vitrualhouse則會自動幫你建一個,若已經有建立則會自動找到你virtualhost的設定檔更新

apt install python3-certbot-apache

sudo certbot --apache --agree-tos --preferred-challenges http -d learn-house.idv.tw

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for learn-house.idv.tw
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/blog.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 可選擇1

Congratulations! You have successfully enabled https://learn-house.idv.tw

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=learn-house.idv.tw
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/learn-house.idv.tw/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/learn-house.idv.tw/privkey.pem
   Your cert will expire on 2021-04-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

這樣就大功告成囉~
參考資料:https://serverspace.io/support/help/how-to-get-lets-encrypt-ssl-on-ubuntu/

posted by admin in Linux and have No Comments

Place your comment

Please fill your data and comment below.
Name
Email
Website
Your comment