How to Install a Let's Encrypt SSL Certificate to Secure Apache on RHEL/CentOS 7/6


Extending the last Let's Encrypt tutorial about free SSL/TLS certificates, in this article we will demonstrate how to obtain and install free SSL/TLS certificates issued by the Let's Encrypt Certificate Authority for the Apache web server on CentOS/RHEL 7/6 and also on Fedora distributions.

If you are looking to install Let's Encrypt for Apache on Debian and Ubuntu, follow the guide below:

Requirements

  1. A registered domain name with valid A records pointing back to your server's public IP address.
  2. An Apache server installed with the SSL module enabled, and Virtual Hosting enabled in case you are hosting multiple domains or subdomains.

Step 1: Install Apache Web Server

1. If it is not already installed, the httpd daemon can be installed by issuing the command below:

# yum install httpd

2. In order for the Let's Encrypt software to work with Apache, make sure the SSL/TLS module is installed by issuing the command below:

# yum -y install mod_ssl

3. Finally, start the Apache server with the following command:

# systemctl start httpd.service          [On RHEL/CentOS 7]
# service httpd start                    [On RHEL/CentOS 6]

Step 2: Install the Let's Encrypt Client

4. The simplest method of installing the Let's Encrypt client is by cloning its github repository into your filesystem. To install git on your system you must first enable the Epel repositories with the following command.

# yum install epel-release

5. Once the Epel repository has been added to your system, go ahead and install the git client by running the command below:

# yum install git

6. Now that all the dependencies required to work with Let's Encrypt are installed, go to the /usr/local/ directory and start pulling the Let's Encrypt client from its official github repository with the following commands:

# cd /usr/local/
# git clone https://github.com/letsencrypt/letsencrypt

Step 3: Get a Free Let's Encrypt SSL Certificate for Apache

7. The process of obtaining a free Let's Encrypt certificate for Apache is automated on CentOS/RHEL thanks to the apache plugin.

Let's run the Let's Encrypt script in order to obtain an SSL certificate. Go to the Let's Encrypt installation directory at /usr/local/letsencrypt and run the letsencrypt-auto command, providing the --apache option and a -d flag for every subdomain you need a certificate for.

# cd /usr/local/letsencrypt
# ./letsencrypt-auto --apache -d your_domain.tld

8. Provide the email address that Let's Encrypt will use to recover a lost key or to send urgent notices, then press Enter to continue.

9. Agree to the terms of the license by pressing Enter.

10. On CentOS/RHEL, by default, the Apache server does not use the concept of separating the directories for enabled hosts from those for available (inactive) hosts, as Debian based distributions do.

Also, virtual hosting is disabled by default, and the Apache directive that specifies the server name (ServerName) is not present in the SSL configuration file.

To activate this directive, Let's Encrypt will prompt you to select a virtual host. Because it does not find any Vhost available, select the ssl.conf file to be modified automatically by the Let's Encrypt client and press Enter to continue.

11. Next, choose the Easy method for HTTP requests and press Enter to move forward.

12. Finally, if everything went smoothly, a congratulation message should be displayed on the screen. Press Enter to release the prompt.

That's it! You have successfully issued an SSL/TLS certificate for your domain. Now you can start browsing your website using the HTTPS protocol.

Step 4: Test the Free Let's Encrypt Encryption on the Domain

13. In order to test the correctness of your domain's SSL/TLS handshake, visit the link below and test your certificate against your domain.

https://www.ssllabs.com/ssltest/analyze.html

14. If you get a series of reports about your domain being vulnerable in the tests performed, then you need to fix those security holes urgently.

An overall grade of class C means your domain is very insecure. To fix these security problems, open the Apache SSL configuration file and make the following changes:

# vi /etc/httpd/conf.d/ssl.conf

Search for the line with the SSLProtocol statement and add -SSLv3 at the end of the line.

Dig deeper into the file, search for and comment out the line with SSLCipherSuite by placing a # in front of it, then add the following content under this line:

SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLOptions +StrictRequire
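To verify that the edits above actually landed in ssl.conf before restarting Apache, here is an added shell example (not part of the original article) that audits a mod_ssl config for the three Step 4 points: SSLv3 disabled, RC4/MD5/aNULL excluded from the cipher suite, and server cipher order enforced. The two sample configs it runs against are constructed for the demo; the hardened cipher list is abbreviated from the one above.

```shell
#!/bin/bash
# Added example (not from the original article): audit an Apache mod_ssl config
# for the Step 4 hardening. Prints one line per check and returns 0 only when
# every check passes, so it can gate a restart in a deployment script.
audit_ssl_conf() {
    conf="$1"; rc=0
    # Only uncommented directives count; Apache uses the last one it reads.
    proto=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" | tail -n 1)
    suite=$(grep -E '^[[:space:]]*SSLCipherSuite[[:space:]]' "$conf" | tail -n 1)
    order=$(grep -E '^[[:space:]]*SSLHonorCipherOrder[[:space:]]' "$conf" | tail -n 1)
    if printf '%s\n' "$proto" | grep -Eq -- '-SSLv3|-all'; then
        echo "OK   SSLv3 disabled: $proto"
    else
        echo "FAIL SSLv3 still negotiable: ${proto:-<no SSLProtocol line>}"; rc=1
    fi
    for bad in RC4 MD5 aNULL; do
        if printf '%s\n' "$suite" | grep -q -- "!$bad"; then
            echo "OK   cipher suite excludes $bad"
        else
            echo "FAIL cipher suite does not exclude $bad"; rc=1
        fi
    done
    if printf '%s\n' "$order" | grep -Eiq '[[:space:]]on[[:space:]]*$'; then
        echo "OK   SSLHonorCipherOrder on"
    else
        echo "FAIL SSLHonorCipherOrder missing or off"; rc=1
    fi
    return "$rc"
}
# Constructed sample modelled on a stock ssl.conf before the Step 4 edits.
sample_default_conf() {
    cat <<'EOF'
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
EOF
}
# Constructed sample after the Step 4 edits (cipher list abbreviated).
sample_hardened_conf() {
    cat <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
SSLHonorCipherOrder on
EOF
}
for kind in default hardened; do                 # demo run on both samples
    tmp=$(mktemp); "sample_${kind}_conf" > "$tmp"; echo "== $kind =="
    audit_ssl_conf "$tmp" && echo "PASS" || echo "NEEDS FIX"; rm -f "$tmp"
done
```

Run it as `audit_ssl_conf /etc/httpd/conf.d/ssl.conf` against the real file; the default-style sample fails on SSLv3, RC4 and cipher order, which are exactly the findings behind the class C grade.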

15. After you have made all the above changes, save and close the file, then restart the Apache daemon to apply them.

# systemctl restart httpd.service          [On RHEL/CentOS 7]
# service httpd restart                    [On RHEL/CentOS 6]

16. Now, test the encryption status of your domain again by visiting the same link as above. To redo the tests, hit the Clear cache link on the website.

https://www.ssllabs.com/ssltest/analyze.html

Now you should get an overall class A rating, which means your domain is highly secured.

Step 5: Automatically Renew Let's Encrypt Certificates on Apache

17. This beta version of the Let's Encrypt software issues certificates that expire after 90 days. So, in order to renew the SSL certificate, you must run the letsencrypt-auto command again before the expiration date, with the same options and flags used to obtain the initial certificate.

An example of how to renew the certificate manually is presented below.

# cd /usr/local/letsencrypt
# ./letsencrypt-auto certonly --apache --renew-by-default -d your_domain.tld

18. To automate this process, create the following bash script, provided by erikaheidi on github, in the /usr/local/bin/ directory with the following content. (The script is slightly modified to reflect our letsencrypt installation directory.)

# vi /usr/local/bin/le-renew-centos

Add the following content to the le-renew-centos file:

#!/bin/bash

domain=$1
le_path='/usr/local/letsencrypt'
le_conf='/etc/letsencrypt'
exp_limit=30

# Read the list of names covered by the certificate from its renewal config,
# so the renewal request asks for exactly the same set of domains.
get_domain_list(){
        certdomain=$1
        config_file="$le_conf/renewal/$certdomain.conf"

        if [ ! -f "$config_file" ] ; then
                echo "[ERROR] The config file for the certificate $certdomain was not found."
                exit 1
        fi

        domains=$(grep --only-matching --perl-regex "(?<=domains \= ).*" "${config_file}")
        last_char=$(echo "${domains}" | awk '{print substr($0,length,1)}')

        # Strip the trailing comma the renewal config may leave on the list.
        if [ "${last_char}" = "," ]; then
                domains=$(echo "${domains}" |awk '{print substr($0, 1, length-1)}')
        fi

        echo "$domains"
}

if [ -z "$domain" ] ; then
        echo "[ERROR] you must provide the domain name for the certificate renewal."
        exit 1
fi

cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"

if [ ! -f "$cert_file" ]; then
        echo "[ERROR] certificate file not found for domain $domain."
        exit 1
fi

# Parse the "Not After" date out of the certificate and compute the days left.
exp=$(date -d "$(openssl x509 -in "$cert_file" -text -noout | grep "Not After" | cut -c 25-)" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( "$exp" - "$datenow" \) / 86400 | bc)

echo "Checking expiration date for $domain..."

if [ "$days_exp" -gt "$exp_limit" ] ; then
        echo "The certificate is up to date, no need for renewal ($days_exp days left)."
        exit 0
else
        echo "The certificate for $domain is about to expire soon. Starting renewal request..."
        domain_list=$( get_domain_list "$domain" )
        "$le_path"/letsencrypt-auto certonly --apache --renew-by-default --domains "${domain_list}"
        echo "Restarting Apache..."
        /usr/bin/systemctl restart httpd
        echo "Renewal process finished for domain $domain"
        exit 0
fi

19. Grant execute permissions to the script, install the bc package and run the script in order to test it. Use your domain name as the positional parameter for the script. Run the commands below to accomplish this step:

# yum install bc
# chmod +x /usr/local/bin/le-renew-centos
# /usr/local/bin/le-renew-centos your_domain.tld

20. Finally, using the Linux scheduling mechanism, add a new cron job in order to run the script every two months, making sure your certificate is renewed before the expiration date.

# crontab -e

Add the following line at the bottom of the file.

0 1 1 */2 * /usr/local/bin/le-renew-centos your_domain.tld >> /var/log/your_domain.tld-renew.log 2>&1

That's it! Your Apache server running on top of a CentOS/RHEL system is now serving SSL content using a free Let's Encrypt SSL certificate.