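Given how unreliable the Internet is, it is advisable to upgrade your website to SSL.

Certificates from StartCom and WoSign (WoSign is StartCom) have been distrusted across the board by the major browser vendors because of bugs and other improper behaviour,

so switch the site certificate to Let's Encrypt.
Project site:
https://letsencrypt.org/

You can search for it on Baidu or Google.
Where to apply:
https://certbot.eff.org/
It has a step-by-step guide for each operating system.


This script is automated,
but OpenSSL and mod_ssl have to be installed first.

Install OpenSSL


[root@host ~]# yum install openssl mod_ssl -y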

If you already have a signed certificate
------------------ use this step ------------------
---------------- it can also be skipped ------------------
Self-signed certificate. First, generate a 2048-bit private key.

> [root@host ~]# openssl genrsa -out CA.key 2048

Then generate a certificate signing request (CSR).

> [root@host ~]# openssl req -new -key CA.key -out CA.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:anything, ideally the site's URL
Organizational Unit Name (eg, section) []:anything, ideally the site's URL
Common Name (eg, your name or your server's hostname) []:the domain name you are requesting the certificate for
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:XXXXXX
An optional company name []:your site's domain name

Finally, generate a self-signed certificate of type X509.

> [root@host ~]# openssl x509 -req -days 365 -in CA.csr -signkey CA.key -out CA.crt

Signature ok
subject=/C=CN/ST=BJ/L=BJWH/O=WoSign CA Limited/OU=CA XX G2/CN=XX/emailAddress=email address
Getting Private key
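
The three openssl steps above, run without prompts and followed by the checks worth doing before Apache is pointed at the files: key, CSR and certificate must carry the same public key, the certificate must name the site, and the key must not be readable by other users. This is an added example, not part of the original post; the function names, the temporary directory and the name www.example.test are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). The directory and the host name
# www.example.test are constructed sample values.

# make_selfsigned DIR CN: create CA.key, CA.csr and CA.crt in DIR without prompts.
make_selfsigned() {
    local dir="$1" cn="$2"
    mkdir -p "$dir" || return 1
    # umask 077 keeps the private key unreadable for group and others.
    ( umask 077; openssl genrsa -out "$dir/CA.key" 2048 ) 2>/dev/null || return 1
    # -subj supplies the Distinguished Name fields that req otherwise prompts for.
    openssl req -new -sha256 -key "$dir/CA.key" -out "$dir/CA.csr" \
        -subj "/C=CN/ST=BJ/L=BJ/O=$cn/CN=$cn" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 365 -in "$dir/CA.csr" \
        -signkey "$dir/CA.key" -out "$dir/CA.crt" 2>/dev/null || return 1
}

# pubkey_fingerprint KIND FILE: SHA-256 of the public key held in a key, csr or crt.
pubkey_fingerprint() {
    local pem
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    # An unreadable file must fail here, not hash as an empty string.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_cert_files DIR CN: print "ok" and succeed only if all checks pass.
check_cert_files() {
    local dir="$1" cn="$2" k r c subject
    k=$(pubkey_fingerprint key "$dir/CA.key") || { echo "unreadable key"; return 1; }
    r=$(pubkey_fingerprint csr "$dir/CA.csr") || { echo "unreadable CSR"; return 1; }
    c=$(pubkey_fingerprint crt "$dir/CA.crt") || { echo "unreadable certificate"; return 1; }
    if [ "$k" != "$c" ] || [ "$k" != "$r" ]; then
        echo "public key mismatch between CA.key, CA.csr and CA.crt"; return 1
    fi
    # RFC2253 output gives a stable "CN=value" form across OpenSSL versions.
    subject=$(openssl x509 -in "$dir/CA.crt" -noout -subject -nameopt RFC2253)
    case "$subject" in
        *"CN=$cn,"*|*"CN=$cn") ;;
        *) echo "certificate CN is not $cn"; return 1 ;;
    esac
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$dir/CA.key" | cut -c5-10)" != "------" ]; then
        echo "CA.key is accessible to group or others"; return 1
    fi
    echo "ok"
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" www.example.test && check_cert_files "$demo_dir" www.example.test
rm -rf "$demo_dir"
```

A mismatch between key and certificate is the usual reason Apache refuses to start after the certificate paths are changed, so running the check first saves a failed restart.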

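Configure the HTTPS certificate you obtained

> [root@host ~]# vi /etc/httpd/conf.d/ssl.conf

Change the following three directives; they must point to the certificate files issued by the certificate provider.

Server certificate

Server Certificate:

SSLCertificateFile /etc/httpd/conf.d/SSL/CA.crt

Private key of the server certificate

Server Private Key:

SSLCertificateKeyFile /etc/httpd/conf.d/SSL/CA.key

Issuing CA certificate

Certificate Authority (CA):

SSLCACertificateFile /etc/httpd/conf.d/SSL/root_bundle.crt

Test https://your-site; if no crossed-out error indicator appears, it is working.

References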
http://www.wosign.com/Support/ssl_installation.htm
http://freessl.wosign.com/centos-https.html

Enable HTTPS

[root@host ~]# vi /etc/httpd/conf/httpd.conf

Add the following two blocks

Force redirect to HTTPS

<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]
</VirtualHost>

Force HTTPS for the whole site

<VirtualHost *:443>
    DocumentRoot /var/www/html
    ServerName your-site
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf.d/SSL/CA.crt
    SSLCertificateKeyFile /etc/httpd/conf.d/SSL/CA.key
</VirtualHost>

Upgrade OpenSSL and Apache, PHP, MySQL
Upgrade Apache, PHP, MySQL

[root@host ~]# yum update httpd php mysql mysql-server -y

Upgrade OpenSSL
[root@host ~]# wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
Extract the archive, then run the following from the extracted source directory

[root@host ~]# ./config --prefix=/usr/local/ssl

[root@host ~]# ./config -t

[root@host ~]# make depend

[root@host ~]# make

[root@host ~]# make test

[root@host ~]# make install

Check the OpenSSL version

[root@host ~]# openssl version

If it is still the old version, run the following commands:

[root@host ~]# mv /usr/bin/openssl /root/
[root@host ~]# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

Edit
/etc/ld.so.conf
and add
/usr/local/ssl/lib

Check the version again
[root@host ~]# openssl version
OpenSSL 1.0.2h 3 May 2016

------------------ end of this step ------------------

Install the SSL certificate

certbot-auto
The script must be run from a directory that is reachable through the website
It configures Apache and the SSL files automatically!!

Download the script
[root@host ~]# cd ..
[root@host /]# ls
aquota.group bin dev home lib64 media opt root selinux sys usr
aquota.user boot etc lib lost+found mnt proc sbin srv tmp var
[root@host /]# cd var
[root@host var]# ls
cache empty lib lock mail opt run tmp yp
db games local log nis preserve spool www
[root@host var]# cd www
[root@host www]# ls
cgi-bin error html html.tgz icons manual
[root@host www]# cd html
[root@host html]# wget https://dl.eff.org/certbot-auto
https://dl.eff.org/certbot-auto
Resolving dl.eff.org... 173.239.79.196
Connecting to dl.eff.org|173.239.79.196|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44442 (43K) [text/plain]
Saving to: `certbot-auto'

100%[======================================>] 44,442 --.-K/s in 0.02s

(2.33 MB/s) - `certbot-auto' saved [44442/44442]

Change the file permissions
[root@host html]# chmod a+x certbot-auto

Run the file
[root@host html]# ./certbot-auto

Installing Python support
Bootstrapping dependencies for RedHat-based OSes...
yum is /usr/bin/yum
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile

  • base: mirrors.evowise.com
  • epel: linux.mirrors.es.net
  • extras: mirror.hostduplex.com
  • updates: centos-distro.1gservers.com

Package openssl-1.0.1e-48.el6_8.3.x86_64 already installed and latest version
Package openssl-devel-1.0.1e-48.el6_8.3.x86_64 already installed and latest version
Package ca-certificates-2015.2.6-65.0.1.el6_7.noarch already installed and latest version
Package python-2.6.6-66.el6_8.x86_64 already installed and latest version
Package 1:mod_ssl-2.2.15-55.el6.centos.2.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package augeas-libs.x86_64 0:1.0.0-10.el6 will be installed
---> Package dialog.x86_64 0:1.1-9.20080819.1.el6 will be installed
---> Package gcc.x86_64 0:4.4.7-17.el6 will be installed
--> Processing Dependency: libgomp = 4.4.7-17.el6 for package: gcc-4.4.7-17.el6.x86_64
--> Processing Dependency: cpp = 4.4.7-17.el6 for package: gcc-4.4.7-17.el6.x86_64
--> Processing Dependency: cloog-ppl >= 0.15 for package: gcc-4.4.7-17.el6.x86_64
--> Processing Dependency: libgomp.so.1()(64bit) for package: gcc-4.4.7-17.el6.x86_64
---> Package libffi-devel.x86_64 0:3.0.5-3.2.el6 will be installed
---> Package python-devel.x86_64 0:2.6.6-66.el6_8 will be installed
---> Package python-pip.noarch 0:7.1.0-1.el6 will be installed
---> Package python-tools.x86_64 0:2.6.6-66.el6_8 will be installed
--> Processing Dependency: tkinter = 2.6.6-66.el6_8 for package: python-tools-2.6.6-66.el6_8.x86_64
---> Package python-virtualenv.noarch 0:1.10.1-1.el6 will be installed
---> Package redhat-rpm-config.noarch 0:9.0.3-51.el6.centos will be installed
--> Running transaction check
---> Package cloog-ppl.x86_64 0:0.15.7-1.2.el6 will be installed
--> Processing Dependency: libppl_c.so.2()(64bit) for package: cloog-ppl-0.15.7-1.2.el6.x86_64
--> Processing Dependency: libppl.so.7()(64bit) for package: cloog-ppl-0.15.7-1.2.el6.x86_64
---> Package cpp.x86_64 0:4.4.7-17.el6 will be installed
--> Processing Dependency: libmpfr.so.1()(64bit) for package: cpp-4.4.7-17.el6.x86_64
---> Package libgomp.x86_64 0:4.4.7-17.el6 will be installed
---> Package tkinter.x86_64 0:2.6.6-66.el6_8 will be installed
--> Processing Dependency: libtk8.5.so()(64bit) for package: tkinter-2.6.6-66.el6_8.x86_64
--> Processing Dependency: libtcl8.5.so()(64bit) for package: tkinter-2.6.6-66.el6_8.x86_64
--> Processing Dependency: libTix.so()(64bit) for package: tkinter-2.6.6-66.el6_8.x86_64
--> Running transaction check
---> Package mpfr.x86_64 0:2.4.1-6.el6 will be installed
---> Package ppl.x86_64 0:0.10.2-11.el6 will be installed
---> Package tcl.x86_64 1:8.5.7-6.el6 will be installed
---> Package tix.x86_64 1:8.4.3-5.el6 will be installed
---> Package tk.x86_64 1:8.5.7-5.el6 will be installed
--> Processing Dependency: libXrender.so.1()(64bit) for package: 1:tk-8.5.7-5.el6.x86_64
--> Processing Dependency: libXft.so.2()(64bit) for package: 1:tk-8.5.7-5.el6.x86_64
--> Running transaction check
---> Package libXft.x86_64 0:2.3.2-1.el6 will be installed
---> Package libXrender.x86_64 0:0.9.8-2.1.el6_8.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================

Package Arch Version Repository Size

Installing:
augeas-libs x86_64 1.0.0-10.el6 base 314 k
dialog x86_64 1.1-9.20080819.1.el6 base 197 k
gcc x86_64 4.4.7-17.el6 base 10 M
libffi-devel x86_64 3.0.5-3.2.el6 base 18 k
python-devel x86_64 2.6.6-66.el6_8 updates 173 k
python-pip noarch 7.1.0-1.el6 epel 1.5 M
python-tools x86_64 2.6.6-66.el6_8 updates 871 k
python-virtualenv noarch 1.10.1-1.el6 epel 1.3 M
redhat-rpm-config noarch 9.0.3-51.el6.centos base 60 k
Installing for dependencies:
cloog-ppl x86_64 0.15.7-1.2.el6 base 93 k
cpp x86_64 4.4.7-17.el6 base 3.7 M
libXft x86_64 2.3.2-1.el6 base 55 k
libXrender x86_64 0.9.8-2.1.el6_8.1 updates 24 k
libgomp x86_64 4.4.7-17.el6 base 134 k
mpfr x86_64 2.4.1-6.el6 base 157 k
ppl x86_64 0.10.2-11.el6 base 1.3 M
tcl x86_64 1:8.5.7-6.el6 base 1.9 M
tix x86_64 1:8.4.3-5.el6 base 252 k
tk x86_64 1:8.5.7-5.el6 base 1.4 M
tkinter x86_64 2.6.6-66.el6_8 updates 258 k

Transaction Summary

Install 20 Package(s)

Total download size: 24 M
Installed size: 56 M
Is this ok [y/N]: y
Downloading Packages:
(1/20): augeas-libs-1.0.0-10.el6.x86_64.rpm | 314 kB 00:00
(2/20): cloog-ppl-0.15.7-1.2.el6.x86_64.rpm | 93 kB 00:00
(3/20): cpp-4.4.7-17.el6.x86_64.rpm | 3.7 MB 00:00
(4/20): dialog-1.1-9.20080819.1.el6.x86_64.rpm | 197 kB 00:00
(5/20): gcc-4.4.7-17.el6.x86_64.rpm | 10 MB 00:00
(6/20): libXft-2.3.2-1.el6.x86_64.rpm | 55 kB 00:00
(7/20): libXrender-0.9.8-2.1.el6_8.1.x86_64.rpm | 24 kB 00:00
(8/20): libffi-devel-3.0.5-3.2.el6.x86_64.rpm | 18 kB 00:00
(9/20): libgomp-4.4.7-17.el6.x86_64.rpm | 134 kB 00:00
(10/20): mpfr-2.4.1-6.el6.x86_64.rpm | 157 kB 00:00
(11/20): ppl-0.10.2-11.el6.x86_64.rpm | 1.3 MB 00:00
(12/20): python-devel-2.6.6-66.el6_8.x86_64.rpm | 173 kB 00:00
(13/20): python-pip-7.1.0-1.el6.noarch.rpm | 1.5 MB 00:00
(14/20): python-tools-2.6.6-66.el6_8.x86_64.rpm | 871 kB 00:00
(15/20): python-virtualenv-1.10.1-1.el6.noarch.rpm | 1.3 MB 00:00
(16/20): redhat-rpm-config-9.0.3-51.el6.centos.noarch.rp | 60 kB 00:00
(17/20): tcl-8.5.7-6.el6.x86_64.rpm | 1.9 MB 00:00
(18/20): tix-8.4.3-5.el6.x86_64.rpm | 252 kB 00:00
(19/20): tk-8.5.7-5.el6.x86_64.rpm | 1.4 MB 00:00

(20/20): tkinter-2.6.6-66.el6_8.x86_64.rpm | 258 kB 00:00

Total 2.6 MB/s | 24 MB 00:08
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 1:tcl-8.5.7-6.el6.x86_64 1/20
Installing : libXrender-0.9.8-2.1.el6_8.1.x86_64 2/20
Installing : libXft-2.3.2-1.el6.x86_64 3/20
Installing : 1:tk-8.5.7-5.el6.x86_64 4/20
Installing : 1:tix-8.4.3-5.el6.x86_64 5/20
Installing : tkinter-2.6.6-66.el6_8.x86_64 6/20
Installing : ppl-0.10.2-11.el6.x86_64 7/20
Installing : cloog-ppl-0.15.7-1.2.el6.x86_64 8/20
Installing : libgomp-4.4.7-17.el6.x86_64 9/20
Installing : mpfr-2.4.1-6.el6.x86_64 10/20
Installing : cpp-4.4.7-17.el6.x86_64 11/20
Installing : python-devel-2.6.6-66.el6_8.x86_64 12/20
Installing : python-virtualenv-1.10.1-1.el6.noarch 13/20
Installing : gcc-4.4.7-17.el6.x86_64 14/20
Installing : python-tools-2.6.6-66.el6_8.x86_64 15/20
Installing : augeas-libs-1.0.0-10.el6.x86_64 16/20
Installing : dialog-1.1-9.20080819.1.el6.x86_64 17/20
Installing : libffi-devel-3.0.5-3.2.el6.x86_64 18/20
Installing : python-pip-7.1.0-1.el6.noarch 19/20
Installing : redhat-rpm-config-9.0.3-51.el6.centos.noarch 20/20
Verifying : libXft-2.3.2-1.el6.x86_64 1/20
Verifying : redhat-rpm-config-9.0.3-51.el6.centos.noarch 2/20
Verifying : libXrender-0.9.8-2.1.el6_8.1.x86_64 3/20
Verifying : python-pip-7.1.0-1.el6.noarch 4/20
Verifying : python-devel-2.6.6-66.el6_8.x86_64 5/20
Verifying : 1:tk-8.5.7-5.el6.x86_64 6/20
Verifying : tkinter-2.6.6-66.el6_8.x86_64 7/20
Verifying : mpfr-2.4.1-6.el6.x86_64 8/20
Verifying : libffi-devel-3.0.5-3.2.el6.x86_64 9/20
Verifying : python-virtualenv-1.10.1-1.el6.noarch 10/20
Verifying : gcc-4.4.7-17.el6.x86_64 11/20
Verifying : 1:tcl-8.5.7-6.el6.x86_64 12/20
Verifying : dialog-1.1-9.20080819.1.el6.x86_64 13/20
Verifying : libgomp-4.4.7-17.el6.x86_64 14/20
Verifying : ppl-0.10.2-11.el6.x86_64 15/20
Verifying : 1:tix-8.4.3-5.el6.x86_64 16/20
Verifying : cpp-4.4.7-17.el6.x86_64 17/20
Verifying : cloog-ppl-0.15.7-1.2.el6.x86_64 18/20
Verifying : python-tools-2.6.6-66.el6_8.x86_64 19/20
Verifying : augeas-libs-1.0.0-10.el6.x86_64 20/20

Installed:
augeas-libs.x86_64 0:1.0.0-10.el6
dialog.x86_64 0:1.1-9.20080819.1.el6
gcc.x86_64 0:4.4.7-17.el6
libffi-devel.x86_64 0:3.0.5-3.2.el6
python-devel.x86_64 0:2.6.6-66.el6_8
python-pip.noarch 0:7.1.0-1.el6
python-tools.x86_64 0:2.6.6-66.el6_8
python-virtualenv.noarch 0:1.10.1-1.el6
redhat-rpm-config.noarch 0:9.0.3-51.el6.centos

Dependency Installed:
cloog-ppl.x86_64 0:0.15.7-1.2.el6 cpp.x86_64 0:4.4.7-17.el6
libXft.x86_64 0:2.3.2-1.el6 libXrender.x86_64 0:0.9.8-2.1.el6_8.1
libgomp.x86_64 0:4.4.7-17.el6 mpfr.x86_64 0:2.4.1-6.el6
ppl.x86_64 0:0.10.2-11.el6 tcl.x86_64 1:8.5.7-6.el6
tix.x86_64 1:8.4.3-5.el6 tk.x86_64 1:8.5.7-5.el6
tkinter.x86_64 0:2.6.6-66.el6_8

Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning

Log
Version: 1.1-20080819
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Enter the site's domain name(s), separated by spaces
Version: 1.1-20080819
/root/.local/share/letsencrypt/lib/python2.6/site-packages/dialog.py:779: DeprecationWarning: the DIALOG_OK attribute of Dialog instances is obsolete; use the Dialog.OK class attribute instead.
DeprecationWarning)

No names were found in your configuration files. Please enter in your domain name(s) (comma and/or space separated)
localhost.com www.localhost.com
<  OK  >    <Cancel>

Enter an email address

Enter email address (used for urgent notices and lost key recovery)
[email protected]
<  OK  >  <Cancel>

Saving the log
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Agree to the terms of service

Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory
<Agree >          <Cancel>

Saving the log and starting the verification connection
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate

Validate and request the certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:

Request the certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for localhost.com

Validate ownership of the site and request
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for localhost.com
tls-sni-01 challenge for www.localhost.com

Configure ssl.conf
We were unable to find a vhost with a ServerName or Address of localhost.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
1 ssl.conf | | HTTPS
< Select > < Cancel >

Configure ssl.conf
We were unable to find a vhost with a ServerName or Address of www.localhost.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
1 ssl.conf | | HTTPS
< Select > < Cancel >

Request the certificate and validate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for localhost.com
tls-sni-01 challenge for www.localhost.com
Waiting for verification...

Close the handshake
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for localhost.com
tls-sni-01 challenge for www.localhost.com
Waiting for verification...
Cleaning up challenges

Save the certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for localhost.com
tls-sni-01 challenge for www.localhost.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits):
/etc/letsencrypt/keys/0000_key-certbot.pem

Save the certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for localhost.com
tls-sni-01 challenge for www.localhost.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits):
/etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

Configure ssl.conf
We were unable to find a vhost with a ServerName or Address of localhost.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
1 ssl.conf | | HTTPS
< Select > < Cancel >

Save the certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for localhost.com
tls-sni-01 challenge for www.localhost.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits):
/etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf

Configure ssl.conf
We were unable to find a vhost with a ServerName or Address of www.localhost.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
1 ssl.conf | localhost.com | HTTPS
< Select > < Cancel >

Save the certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for localhost.com
tls-sni-01 challenge for www.localhost.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits):
/etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf

Configure the certificate type
Simple encryption or whole-site encryption
Please choose whether HTTPS access is required or optional.
Easy    Allow both HTTP and HTTPS access to these sites
Secure  Make all requests redirect to secure HTTPS access
< OK >

Configure ssl.conf
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for localhost.com
tls-sni-01 challenge for www.localhost.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits):
/etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf
Created redirect file: le-redirect-localhost.com.conf

Save the certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for localhost.com
tls-sni-01 challenge for www.localhost.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits):
/etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf
Created redirect file: le-redirect-localhost.com.conf
Rollback checkpoint is empty (no changes made?)

Done

Congratulations! You have successfully enabled https://localhost.com and https://www.localhost.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=localhost.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.localhost.com
<  OK  >

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/localhost.com/fullchain.pem. Your cert will
    expire on 2010-03-00. To obtain a new or tweaked version of this
    certificate in the future, simply run certbot-auto again with the
    "certonly" option. To non-interactively renew all of your
    certificates, run "certbot-auto renew"
  • If you lose your account credentials, you can recover through
    e-mails sent to [email protected].
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Renew every 3 months
with this command
certbot-auto renew
If you are lazy, write a scheduled-task (cron) script
See
https://imququ.com/post/letsencrypt-certificate.html
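
For the scheduled renewal mentioned above, a check that reports certificates the renew job should already have replaced, so that a silently failing cron job is noticed before the certificate expires. This is an added example, not part of the original post; the function names, the 20-day threshold, the crontab line and the script path in it are assumptions, and the sample certificates are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): detect certificates that a
# scheduled "certbot-auto renew" should already have replaced.

# expiring_certs LIVE_DIR DAYS: print every LIVE_DIR/*/fullchain.pem that
# expires within DAYS days (or cannot be parsed). Returns 1 if any was printed.
expiring_certs() {
    local live="$1" days="$2" pem found=0
    for pem in "$live"/*/fullchain.pem; do
        [ -f "$pem" ] || continue
        # -checkend N exits non-zero if the first certificate in the file
        # (the leaf) will have expired N seconds from now.
        if ! openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
            printf '%s %s\n' "$pem" "$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null)"
            found=1
        fi
    done
    return "$found"
}

# build_sample_live DIR: constructed test data, two self-signed certificates
# laid out like /etc/letsencrypt/live, valid for 10 and for 90 days.
build_sample_live() {
    local dir="$1" name days
    for name in old.example.test:10 new.example.test:90; do
        days="${name#*:}"; name="${name%%:*}"
        mkdir -p "$dir/$name" || return 1
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -subj "/CN=$name" -keyout "$dir/$name/privkey.pem" \
            -out "$dir/$name/fullchain.pem" 2>/dev/null || return 1
    done
}

# Assumed crontab entry (paths and threshold are examples): renew daily, then
# report anything with fewer than 20 days left. certbot renews 30 days before
# expiry by default, so a hit means renewal has been failing for a while.
#   17 3 * * * /var/www/html/certbot-auto renew --quiet; /usr/local/bin/check-certs.sh

# Demo on the constructed sample: only old.example.test is reported.
sample=$(mktemp -d)
build_sample_live "$sample" && expiring_certs "$sample" 20
rm -rf "$sample"
```

On a real host the first argument would be /etc/letsencrypt/live, the directory named in the IMPORTANT NOTES output above.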

If it reports a failure, use the rollback command
provided that the logs were saved!

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: localhost.com
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    !!!!! e011376b4af110335.1a0cc4ffefb107b4.acme.invalid !!!!!
    from 127.000.000.001:443. Received certificate containing
    'localhost, www.localhost.com'

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.
