How to Secure Apache with Let’s Encrypt on Ubuntu 22.04/23.04
Let’s Encrypt is a free, automated and open certificate authority (CA). It issues free SSL certificates that are valid for 90 days.
Let’s Encrypt offers two types of certificate: a standard single-domain SSL certificate, and a wildcard SSL certificate that covers not only a single domain but also all of its subdomains.
In this tutorial we will use Certbot, a free and open-source tool that automates issuing Let’s Encrypt SSL certificates, and verify that your certificate is set up to renew automatically.
Step 1: Update the operating system
Update your Ubuntu 22.04 system so that all installed packages are current:
$ sudo apt update && sudo apt upgrade -y
Step 2: Install Apache on Ubuntu 22.04
You can install Apache through the apt package manager by running the following command.
$ sudo apt install apache2
Start the Apache service and enable it to run at boot with the following commands:
$ sudo systemctl start apache2
$ sudo systemctl enable apache2
Verify the status of the Apache service with the systemctl status command:
$ sudo systemctl status apache2
Output:
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running)
Docs: https://httpd.apache.org/docs/2.4/
Process: 3170 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 3174 (apache2)
Tasks: 12 (limit: 2200)
Memory: 246.8M
CPU: 18.104s
CGroup: /system.slice/apache2.service
├─3174 /usr/sbin/apache2 -k start
├─3175 /usr/sbin/apache2 -k start
├─3176 /usr/sbin/apache2 -k start
Step 3: Install Certbot on Ubuntu 22.04
Now install the Certbot client, which is used to create Let’s Encrypt certificates:
$ sudo apt install certbot python3-certbot-apache
To verify the Certbot installation, run:
$ certbot --version
Output:
certbot 1.21.0
Step 4: Configure the Apache web server
Navigate to the /etc/apache2/sites-available directory and run the following command to create a configuration file for your site:
$ sudo nano /etc/apache2/sites-available/your-domain.conf
Add the following content:
<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName your-domain.com
    ServerAlias www.your-domain.com
    DocumentRoot /var/www/html/
    <Directory /var/www/html/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/your-domain.com_error.log
    CustomLog ${APACHE_LOG_DIR}/your-domain.com_access.log combined
</VirtualHost>
Save the file and exit.
Enable the Apache virtual host:
$ sudo a2ensite your-domain.conf
Then restart the Apache web server.
$ sudo systemctl restart apache2
Step 5: Obtain a Let’s Encrypt SSL certificate
To obtain an SSL certificate with Certbot, type the following command:
$ sudo certbot --apache
You will be asked for a valid email address and to accept the Terms of Service:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Next, you are asked whether you want to share your email address with the Electronic Frontier Foundation to receive news and other information. If you do not want to subscribe, enter N.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Next, you are asked to choose the domains for which to install the Let’s Encrypt SSL certificate:
Account registered.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your-domain.com
2: www.your-domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
If the SSL certificate is obtained successfully, Certbot reports that the configuration succeeded:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your-domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your-domain.com/privkey.pem
Your cert will expire on 2023-03-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
You have now successfully installed SSL on your website.
You can now open your website using https:// and you will notice a green padlock icon.
Step 6: Verify Certbot automatic renewal
Let’s Encrypt certificates are valid for only ninety days. Installing Certbot creates a scheduled job that renews any SSL certificate. You can check the status of that timer with the following command.
$ sudo systemctl status certbot.timer
Output:
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Thu 2022-12-22 16:20:05 CDT;
Trigger: Fri 2022-12-23 06:29:34 CST; 14h left
Triggers: ● certbot.service
Alternatively, you can test the renewal process with the following command. The --dry-run flag performs a simulated renewal without replacing the installed certificate:
$ sudo certbot renew --dry-run --agree-tos
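The dry run above proves that renewal can work today; it does not tell you weeks later that renewals have quietly stopped. The following script, an added example that is not part of the original tutorial, checks the expiry of every certificate Certbot keeps under /etc/letsencrypt/live independently of certbot.timer. It assumes GNU date (-d) and the openssl CLI; the 30-day threshold, the script path and the cron line in the comment are illustrative choices.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: an independent expiry check
# for the certificates Certbot keeps under /etc/letsencrypt/live. It does not rely
# on certbot.timer itself, so a renewal that fails silently for weeks still gets
# noticed. Assumes GNU date (-d) and the openssl CLI; WARN_DAYS is a chosen threshold.

WARN_DAYS=${WARN_DAYS:-30}
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}

# days_left_from_enddate "notAfter=Mar 22 12:00:00 2023 GMT" NOW_EPOCH
# Turns the line printed by `openssl x509 -enddate` into whole days remaining
# relative to NOW_EPOCH (negative once expired). Pass $(date -u +%s) for the real clock.
days_left_from_enddate() {
    enddate=${1#notAfter=}
    now=$2
    expiry=$(date -u -d "$enddate" +%s) || return 2
    echo $(( (expiry - now) / 86400 ))
}

# check_cert PATH: prints "<path> <days>"; returns 1 below WARN_DAYS, 2 if unreadable.
check_cert() {
    pem=$1
    enddate=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) || return 2
    days=$(days_left_from_enddate "$enddate" "$(date -u +%s)") || return 2
    echo "$pem $days"
    [ "$days" -ge "$WARN_DAYS" ]
}

# check_all_live: checks every cert.pem Certbot manages; non-zero exit if any one
# is expiring soon or cannot be parsed, so the result can drive an alert.
check_all_live() {
    rc=0
    for pem in "$LIVE_DIR"/*/cert.pem; do
        [ -e "$pem" ] || continue
        check_cert "$pem" || rc=1
    done
    return "$rc"
}

# Run the full check only when invoked with --check, for example from cron
# (illustrative path and schedule):
#   0 6 * * * root /usr/local/bin/check-le-expiry.sh --check || logger -t le-expiry "check failed"
if [ "${1:-}" = "--check" ]; then
    check_all_live
fi
```

A non-zero exit from check_all_live means at least one certificate is inside the warning window or unreadable, which is exactly the case where the certbot.timer output above can look healthy while no new certificate is actually being installed.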
Step 7: Revoke a certificate
If you want to remove a certificate from your server, you can revoke it with the Let’s Encrypt client's revoke subcommand. The command below revokes a specific certificate.
$ sudo certbot revoke --cert-path /etc/letsencrypt/live/your-domain.com/cert.pem
Note: replace your-domain.com with the domain whose certificate you want to revoke.
The process gives no confirmation when it completes, but if you run it again you will receive a message stating that the certificate has already been revoked.
Comments and Conclusion
Congratulations! You have successfully installed a Let’s Encrypt SSL certificate on your domain.
If you have any questions or feedback, feel free to leave a comment.