https(全称:Hyper Text Transfer Protocol over Secure Socket Layer),是以安全为目标的 http 通道,简单讲是 http 的安全版。即 http 下加入 SSL 层,https 的安全基础是 SSL,因此加密的详细内容就需要 SSL。
LAMP 新增对 Let’s Encrypt 的支持,自动签发免费的证书,并添加自动任务到 crond,定期运行自动更新证书。
安装完 LAMP 后,lamp 命令就可以使用了,用法如下。
Usage: lamp [ add | del | list ] add Create new Apache Virtual Host del Delete Apache Virtual Host list List all of Apache Virtual Host
下面为使用 lamp 命令增加 SSL 证书支持的详细使用教程。
新增虚拟主机
注意:在新增虚拟主机之前,请务必确保域名已经解析到该服务器(VPS)的 IP 上,否则 Let’s Encrypt 验证无法通过。
使用命令:
lamp add
交互显示如下:
Please enter server names(example: www.lamp.sh lamp.sh): 此处输入网站域名 Please enter website root directory(default:/data/www/网站域名): 此处输入网站根目录路径,默认回车即可 Please enter Administrator EmAIl address: 此处输入管理员邮箱地址 Administrator Email address: 此处显示上一步输入的邮箱地址 Do you want to create a database and MySQL user with same name? [y/n]: 此处输入 y 或 n,表示创建或不创建数据库(输入 y) Virtual host [网站域名] has been created Website root directory is: /data/www/网站域名 Database [数据库名] and mysql user [数据库用户名] has been created // 数据库及同名用户创建成功 Reloading the apache config file... Syntax OK Reload success Do you want to add a SSL certificate? [y/n]: 此处输入 y 或 n,表示添加或不添加证书(输入 y) 1: Use your own SSL Certificate and Key 2: Use Let's Encrypt to create SSL Certificate and Key Please enter 1 or 2: 此处输入 1 或 2,表示使用自己的证书,或使用 Let's Encrypt 签发免费证书(输入 2) You have already chosen Let's Encrypt It will be processed automatically Installing certbot command... 此处开始下载安装 certbot 命令 Starting create Let's Encrypt SSL Certificate... 此处开始安装 certbot 运行所需的依赖库等 Creating virtual environment... Installing Python packages... Installation succeeded. Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Obtaining a new certificate Performing the following challenges: http-01 challenge for 网站域名 Using the webroot path /data/www/网站域名 for all unmatched domains. Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/网站域名/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/网站域名/privkey.pem Your cert will expire on 2018-02-02. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le Let's encrypt crontab renew rule is not exist, create it! Create Let's Encrypt SSL Certificate successfully Reloading the apache config file... Syntax OK Reload success All done
结束后,查看 crond 任务,命令如下:
crontab -l
确认返回值里包含以下语句:
0 3 */7 * * /bin/certbot renew --disable-hook-validation --renew-hook "/etc/init.d/httpd restart"
Let’s Encrypt 签发的证书和私钥路径:
/etc/letsencrypt/live/网站域名/fullchain.pem /etc/letsencrypt/live/网站域名/privkey.pem
创建完虚拟主机后,网站的根目录为:/data/www/网站域名
日志文件的目录为:/data/wwwlog/网站域名
最后,别忘了将你的程序放到网站根目录下,即可使用。
祝使用愉快!