为基于XAMPP的网站申请Let’s Encrypt永久免费SSL证书
由于XAMPP采用的Apache2并非安装在标准位置,采用certbot默认参数安装会报错,必须使用命令行参数来指导certbot进行安装。
我的vps使用的是Debian,xampp安装位置为/opt/lampp。
以下是安装步骤:
1. 安装certbot
$ sudo apt-get install certbot python-certbot-apache2. 添加VirtualHost
更改目录至XAMPP安装目录(一般为/opt/lampp),用文本编辑器打开etc/httpd.conf文件。在文件中查找以下行,并删除行首的#字号以取消该行注释。
Include etc/extra/httpd-vhosts.conf接下来,用文本编辑器编辑/etc/extra/httpd-vhosts.conf文件,修改尾部的VirtualHost设置:
<VirtualHost *:80>
ServerAdmin rain@dvbrain.tk
DocumentRoot "/opt/lampp/htdocs"
ServerName dvbrain.tk
ServerAlias www.dvbrain.tk
ErrorLog "logs/dvbrain.tk-error_log"
CustomLog "logs/dvbrain.tk-access_log" common
</VirtualHost>重启Apache2:
$ sudo /opt/lampp/xampp stopapache
$ sudo /opt/lampp/xampp startapache验证VirtualHost配置:
# /opt/lampp/bin/apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 is a NameVirtualHost
default server dvbrain.tk (/opt/lampp/etc/extra/httpd-vhosts.conf:23)
port 80 namevhost dvbrain.tk (/opt/lampp/etc/extra/httpd-vhosts.conf:23)
alias www.dvbrain.tk3. 申请证书
使用以下命令申请证书并自动配置Apache2使用申请的证书:
$ sudo certbot --apache --apache-server-root /opt/lampp/etc --apache-ctl /opt/lampp/bin/apachectl -d dvbrain.tk -d www.dvbrain.tk其中,–apache-server-root配置为httpd.conf文件所在的目录,–apache-ctl配置为apachectl文件的路径,用于控制Apache2启停。-d为申请证书的域名,在申请证书过程中会进行验证,应与VirtualHost中的配置相匹配。
申请过程中会询问是否重定向HTTP至HTTPS:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):建议选择2: Redirect,禁止HTTP访问。
申请成功后可以看到:
Congratulations! You have successfully enabled https://dvbrain.tk,
and https://www.dvbrain.tk
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=dvbrain.tk
https://www.ssllabs.com/ssltest/analyze.html?d=www.dvbrain.tk4. 验证证书
通过浏览器打开https://www.ssllabs.com/ssltest/analyze.html?d=dvbrain.tk进行验证,可见证书已经生效:
5. 禁用TLS 1.0、1.1
上面测试的结果是B,问题在于开启了已过时的TLS 1.0和1.1。
关闭的方法:编辑/etc/letsencrypt/options-ssl-apache.conf文件,将其中的:
SSLProtocol all -SSLv2 -SSLv3修改为:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1重启Apache2。
6. 验证证书自动更新
certbot在申请证书成功后会自动设置定时更新命令,通过以下命令可以查看自动更新配置:
$ sudo systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Tue 2020-03-31 14:11:39 EDT 1h 12min left Tue 2020-03-31 11:39:26 EDT 1h 19min ago certbot.timer certbot.service以下命令可以测试自动更新:
$ sudo certbot renew --dry-run
......
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/dvbrain.tk/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
......大功告成!