用letsencrypt给apache申请证书

admin

1. ---------------------------------
   
2. 用letsencrypt给apache申请证书
   
3. 
   
4. 我用如下命令启动的apache服务
   
5. docker run -it \
   
6. -d \
   
7. --name httpd_3 \
   
8. -v /root/docker/lamp/httpd/apache2/:/usr/local/apache2/ \
   
9. -e TZ=Asia/Shanghai \
   
10. --network=docker_bridge_192_168_21 --ip=192.168.21.3 \
    
11. -p 80:80 \
    
12. -p 443:443 \
    
13. --restart unless-stopped \
    
14. httpd:latest
    
15. 
    
16. 然后网站的配置文件如下:
    
17. <VirtualHost *:80>
    
18.     ServerAdmin webmaster@域名.com
    
19.     DocumentRoot "/usr/local/apache2/htdocs/域名.com/www"
    
20.     ServerName www.域名.com
    
21.     ServerAlias www.域名.com
    
22.     ErrorLog "logs/www.域名.com-error_log"
    
23.     CustomLog "logs/www.域名.com-access_log" common
    
24. </VirtualHost>
    
25. 
    
26. 启动这容器
    
27. 现在80端口能正常访问
    
28. 
    
29. ---------------------------------
    
30. 
    
31. 然后申请证书,就这一条命令就行,以后更新证书可以直接重新运行一次这个就行
    
32. 
    
33. docker run -it --rm \
    
34.   -v /root/docker/lamp/httpd/apache2/htdocs/域名.com/zhengshu:/etc/letsencrypt \
    
35.   -v /root/docker/lamp/httpd/apache2/htdocs/域名.com/www:/var/www/html \
    
36.   certbot/certbot certonly --webroot \
    
37.   -w /var/www/html \
    
38.   -d www.域名.com \
    
39.   -m webmaster@域名.com
    
40. 
    
41. 这个命令里面如果需要为其他域名申请证书,就只需要改域名就好
    
42. 
    
43. 说明:
    
44. 存放证书的目录：/root/docker/lamp/httpd/apache2/htdocs/域名.com/zhengshu
    
45. 供验证使用的目录：/root/docker/lamp/httpd/apache2/htdocs/域名.com/www  这个就是网站的根目录,我估计验证过程可能就是certbot生成一个文件,然后证书颁发机构访问网站的这个文件,能访问说明是对的
    
46. 
    
47. ---------------------------------
    
48. 
    
49. 运行结果如下:
    
50. Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
51. Requesting a certificate for www.域名.com
    
52. 
    
53. Successfully received certificate.
    
54. Certificate is saved at: /etc/letsencrypt/live/www.域名.com/fullchain.pem
    
55. Key is saved at:         /etc/letsencrypt/live/www.域名.com/privkey.pem
    
56. This certificate expires on 2026-09-12.
    
57. These files will be updated when the certificate renews.
    
58. 
    
59. NEXT STEPS:
    
60. - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
    
61. 
    
62. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
63. If you like Certbot, please consider supporting our work by:
    
64. * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
    
65. * Donating to EFF:                    https://eff.org/donate-le
    
66. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
67. 
    
68. ---------------------------------
    
69. 结果说明:
    
70. live/www.域名.com/fullchain.pem
    
71. live/www.域名.com/privkey.pem
    
72. live/www.域名.com/chain.pem
    
73. 
    
74. `privkey.pem`  : the private key for your certificate.
    
75. `fullchain.pem`: the certificate file used in most server software.
    
76. `chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
    
77. 
    
78. 然后我看文件目录的结构,发现这2个文件其实是一个链接,真正的文件在archive/www.域名.com/这个目录下,但是估计以后重新生成这个目录的文件名字会变,那么就使用live目录下的吧
    
79. 
    
80. 那么我修改一下我的httpd配置文件吧
    
81. 
    
82. 下面是教程写的
    
83. SSLCertificateFile /usr/local/apache2/conf/server.crt
    
84. SSLCertificateKeyFile /usr/local/apache2/conf/server.key
    
85. SSLCertificateChainFile /usr/local/apache2/conf/ca.crt
    
86. 将 /data/certbot/conf/live/您的域名/fullchain.pem 映射为 server.crt
    
87. 将 /data/certbot/conf/live/您的域名/privkey.pem 映射为 server.key
    
88. 将 /data/certbot/conf/live/您的域名/chain.pem 映射为 ca.crt
    
89. 这个教程真麻烦,还改名字,直接用现成的不就好了
    
90. 
    
91. 
    
92. 下面是我最终用的
    
93. SSLCertificateFile "/usr/local/apache2/htdocs/域名.com/zhengshu/live/www.域名.com/fullchain.pem"
    
94. SSLCertificateKeyFile "/usr/local/apache2/htdocs/域名.com/zhengshu/live/www.域名.com/privkey.pem"
    
95. SSLCertificateChainFile "/usr/local/apache2/htdocs/域名.com/zhengshu/live/www.域名.com/chain.pem"
    
96. 
    
97. 改好了配置文件,重启httpd容器
    
98. docker restart httpd_3
    
99. 
    
100. 最后用https访问,就能访问了
     

复制代码

admin

1. ---------------------------------
   
2. 在无痕模式下,域名直接访问的时候会提示没有https
   
3. 那么还是同时也给域名申请证书吧
   
4. 运行下面的命令
   
5. 
   
6. docker run -it --rm \
   
7.   -v /root/docker/lamp/httpd/apache2/htdocs/域名.com/zhengshu:/etc/letsencrypt \
   
8.   -v /root/docker/lamp/httpd/apache2/htdocs/域名.com/www:/var/www/html \
   
9.   certbot/certbot certonly --webroot \
   
10.   -w /var/www/html \
    
11.   -d 域名.com -d www.域名.com \
    
12.   -m webmaster@域名.com
    
13. 
    
14. ---------------------------------
    
15. 
    
16. 运行以后结果如下:
    
17. 
    
18. Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
19. 
    
20. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
21. You have an existing certificate that contains a portion of the domains you
    
22. requested (ref: /etc/letsencrypt/renewal/www.域名.com.conf)
    
23. 
    
24. It contains these names: www.域名.com
    
25. 
    
26. You requested these names for the new certificate: 域名.com,
    
27. www.域名.com.
    
28. 
    
29. Do you want to expand and replace this existing certificate with the new
    
30. certificate?
    
31. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
32. (E)xpand/(C)ancel: E
    
33. Renewing an existing certificate for 域名.com and www.域名.com
    
34. 
    
35. Successfully received certificate.
    
36. Certificate is saved at: /etc/letsencrypt/live/www.域名.com/fullchain.pem
    
37. Key is saved at:         /etc/letsencrypt/live/www.域名.com/privkey.pem
    
38. This certificate expires on 2026-09-12.
    
39. These files will be updated when the certificate renews.
    
40. 
    
41. NEXT STEPS:
    
42. - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
    
43. 
    
44. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
45. If you like Certbot, please consider supporting our work by:
    
46. * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
    
47. * Donating to EFF:                    https://eff.org/donate-le
    
48. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
49. 
    
50. 
    
51. ---------------------------------
    
52. 
    
53. 然后顺便给域名也同时配置一个https
    
54. 
    
55. 
    
56. <VirtualHost _default_:443>
    
57. 
    
58. DocumentRoot "/usr/local/apache2/htdocs/域名.com/www"
    
59. ServerName 域名.com:443
    
60. ServerAdmin webmaster@域名.com
    
61. ErrorLog /proc/self/fd/2
    
62. TransferLog /proc/self/fd/1
    
63. 
    
64. SSLEngine on
    
65. 
    
66. SSLCertificateFile "/usr/local/apache2/htdocs/域名.com/zhengshu/live/www.域名.com/fullchain.pem"
    
67. 
    
68. SSLCertificateKeyFile "/usr/local/apache2/htdocs/域名.com/zhengshu/live/www.域名.com/privkey.pem"
    
69. 
    
70. SSLCertificateChainFile "/usr/local/apache2/htdocs/域名.com/zhengshu/live/www.域名.com/chain.pem"
    
71. 
    
72. <FilesMatch "\.(cgi|shtml|phtml|php)$">
    
73.     SSLOptions +StdEnvVars
    
74. </FilesMatch>
    
75. <Directory "/usr/local/apache2/cgi-bin">
    
76.     SSLOptions +StdEnvVars
    
77. </Directory>
    
78. 
    
79. BrowserMatch "MSIE [2-5]" \
    
80.          nokeepalive ssl-unclean-shutdown \
    
81.          downgrade-1.0 force-response-1.0
    
82. 
    
83. CustomLog /proc/self/fd/1 \
    
84.           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"
    
85. 
    
86. </VirtualHost>                                 
    
87. 
    
88. 删掉多余的注释以后就这么多,我是直接复制默认的配置的,这样配置没啥问题
    
89. ---------------------------------
    
90. 
    
91. 最后在无痕模式下,直接域名访问,也能正常https,查看证书是域名
    
92. 
    
93. 然后用www访问也能https,这里查看证书也是不带www的域名,那么未来每次弄-d参数还是都带上吧
    

复制代码