Setting Up a Free, Automatically Renewed 90-Day SSL Certificate for Apache on Ubuntu 20.04



Setting Up Let’s Encrypt SSL

(1) Install the Let’s Encrypt client (Certbot)

First, update the package lists and install Certbot.

sudo apt update && sudo apt install certbot python3-certbot-apache

(2) Obtain the SSL certificate

We will now obtain a certificate for our test domain, side1.com.tw. Certbot has an Apache plugin that installs the certificate automatically.

sudo certbot --apache

Enter an email address at which you can be contacted for urgent renewal and security notices.

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): 

The output is shown below; press A to agree.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:a

Press n and ENTER to decline sharing your email address with the Electronic Frontier Foundation.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:n

Select the domains to install SSL for

If you do not want to use the www prefix in your site address, choose option 1. Otherwise, choose option 2.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: side1.com.tw
2: www.side1.com.tw
3: side2.com.tw
4: www.side2.com.tw
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

If no names are found, enter the domain manually and press Enter.

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): side1.com.tw

Press 2 and ENTER to redirect all traffic to HTTPS.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):2

The completion message then appears.

Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://side1.com.tw

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.gundam.com.tw
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.gundam.com.tw/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.gundam.com.tw/privkey.pem
   Your cert will expire on 2022-03-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le  

You can now go to https://side1.com.tw/ and test your website.

(4) Auto Renewal

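Because Let’s Encrypt certificates expire after 90 days, you need to check periodically that they are being renewed. Certbot runs automatically twice a day and renews any certificate that expires within 30 days. To test the renewal process without changing any certificate, run a dry run: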

sudo certbot renew --dry-run
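
A dry run only shows that renewal works today. The script below is an added example (not part of the original post or of Certbot) that reads the expiry date of each certificate under /etc/letsencrypt/live and flags any that the scheduled renewal has missed. It assumes GNU date and openssl are installed; the function names and the 14-day alert threshold are hypothetical choices, while the 30-day window is the one stated above.

```shell
#!/bin/sh
# Added example: spot certificates that certbot's scheduled renewal has missed.
RENEW_AT=30   # days: renewal window stated in the text
ALERT_AT=14   # days: assumed alert threshold (not from the page)

# days_left "<notAfter=... line>" "<now>": whole days until expiry, floored,
# so a certificate that expired an hour ago yields -1 rather than 0.
days_left() (
    end_s=$(date -u -d "${1#notAfter=}" +%s) || exit 2
    now_s=$(date -u -d "$2" +%s) || exit 2
    diff=$(( end_s - now_s ))
    if [ "$diff" -lt 0 ]; then
        echo $(( (diff - 86399) / 86400 ))
    else
        echo $(( diff / 86400 ))
    fi
)

# cert_status <days_left>: OK, RENEW_DUE (inside certbot's window, renewal
# should happen on its own), OVERDUE (renewal is failing) or EXPIRED.
cert_status() {
    if   [ "$1" -lt 0 ];           then echo EXPIRED
    elif [ "$1" -lt "$ALERT_AT" ]; then echo OVERDUE
    elif [ "$1" -lt "$RENEW_AT" ]; then echo RENEW_DUE
    else                                echo OK
    fi
}

# check_cert <fullchain.pem>: classify the leaf (first) certificate in the file.
check_cert() {
    line=$(openssl x509 -noout -enddate -in "$1") || return 2
    days=$(days_left "$line" now) || return 2
    state=$(cert_status "$days")
    echo "$1: $days days left, $state"
    [ "$state" = OK ] || [ "$state" = RENEW_DUE ]
}

# "scan" checks every lineage under certbot's live directory (run as root).
if [ "${1:-}" = scan ]; then
    rc=0
    for f in /etc/letsencrypt/live/*/fullchain.pem; do
        [ -e "$f" ] || continue
        check_cert "$f" || rc=1
    done
    exit "$rc"
fi
```

Run it as root with the argument scan from cron or a monitoring agent; a non-zero exit status means at least one certificate is past the alert threshold or already expired.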
