CentOS Apache Let's Encrypt free SSL configuration

1. Install the environment

yum install epel-release
yum install httpd mod_ssl certbot-apache

2. Configure Apache

systemctl start httpd
systemctl status httpd

Configure the firewall
firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent

Check that your domain name resolves to this server
curl example.com

3. Install the Let's Encrypt SSL certificate

One certificate covering several domain names (the names must be configured in an Apache VHost)

certbot --apache -d example.com -d www.example.com
Single-domain certificate
certbot --apache -d www.example.com

The generated certificate files are stored under the /etc/letsencrypt/live directory.

4. Configure Apache SSL

Disable outdated encryption protocols: comment out the following default lines in the mod_ssl configuration file (/etc/httpd/conf.d/ssl.conf on CentOS), so they do not conflict with the hardened settings added below

. . .
# SSLProtocol all -SSLv2
. . .
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

Add the following configuration outside the VHost block to set the SSL cipher strength, security-related HTTP headers, and so on

</VirtualHost>
. . .

# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off
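An added check, not part of the original guide: a bash script that audits an Apache SSL configuration for the hardening directives above (and for the stock CentOS lines that should have been commented out) before httpd is reloaded. The two configuration samples embedded in it are constructed for the demonstration; on a real host, pass the contents of your ssl.conf instead.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): audit an Apache SSL config
# for the hardening directives the guide adds.
# Real usage:  audit_ssl_conf "$(cat /etc/httpd/conf.d/ssl.conf)"

# audit_ssl_conf <config text>: prints each failing check to stderr,
# returns 1 if any check failed and 0 if the config passes.
audit_ssl_conf() {
    local active rc=0
    # Only active (uncommented) directives count.
    active=$(printf '%s\n' "$1" | grep -Ev '^[[:space:]]*#' || true)

    # check <description> <ERE that must match an active line>
    check() {
        if ! printf '%s\n' "$active" | grep -Eiq -- "$2"; then
            echo "FAIL: $1" >&2
            rc=1
        fi
    }
    check "SSLProtocol excludes SSLv2"     '^[[:space:]]*SSLProtocol[[:space:]].*-SSLv2'
    check "SSLProtocol excludes SSLv3"     '^[[:space:]]*SSLProtocol[[:space:]].*-SSLv3'
    check "SSLHonorCipherOrder On"         '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+On'
    check "SSLCompression off"             '^[[:space:]]*SSLCompression[[:space:]]+off'
    check "SSLUseStapling on"              '^[[:space:]]*SSLUseStapling[[:space:]]+on'
    check "HSTS header set"                '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security'
    check "X-Frame-Options set"            '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+X-Frame-Options'
    check "X-Content-Type-Options nosniff" '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+X-Content-Type-Options[[:space:]]+nosniff'
    # The stock cipher line must be commented out, not left beside the new one.
    if printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*SSLCipherSuite[[:space:]]+HIGH:MEDIUM'; then
        echo "FAIL: default SSLCipherSuite HIGH:MEDIUM line is still active" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed samples: the hardened block from this guide, and the stock
# CentOS ssl.conf lines left untouched.
HARDENED_CONF='SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"'
STOCK_CONF='SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA'

audit_ssl_conf "$HARDENED_CONF" && echo "hardened sample: OK"
audit_ssl_conf "$STOCK_CONF" || echo "stock sample: rejected"
```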

5. Automatic certificate renewal

crontab -e
Renew the certificate every Sunday at 02:10
10 2 * * 0 /usr/bin/certbot renew >> /var/log/le-renew.log