Installing a free SSL certificate for Magento with Let's Encrypt / CENTOS 7
==================== After updating to the newer version, renewal no longer works properly; use Dehydrated instead ====================
Let's Encrypt is a certificate authority (CA) that the major vendors set up jointly to improve Internet security and issue certificates free of charge. Below is how to set up Let's Encrypt for NGINX on CentOS 7.
First install git, the EPEL repo and the packages Let's Encrypt needs:
su
yum install -y git epel-release gcc libffi-devel python-devel openssl-devel
Download Let's Encrypt:
cd /root
git clone https://github.com/letsencrypt/letsencrypt
This downloads the latest version of Let's Encrypt to /root/letsencrypt.
Stop NGINX first (the standalone plugin needs port 80 to itself), then obtain the SSL certificate files with letsencrypt-auto:
cd /root/letsencrypt
./letsencrypt-auto certonly -a standalone -d yourdomain.com
or, with a config file:
cd /root/letsencrypt
./letsencrypt-auto --config /home/test/configs/[your-domain].conf certonly
or, with the webroot plugin (NGINX can keep running, as long as it serves the given webroot over HTTP):
mkdir /root/webroot
cd /root/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d odoo.glamping.tw
./letsencrypt-auto certonly -a webroot --webroot-path=/root/webroot -d odoo.glamping.tw
Let's Encrypt places the certificate files under /etc/letsencrypt/live/.
Next, generate the DH parameters (the NGINX configuration below references /etc/ssl/certs/dhparam.pem):
mkdir /etc/nginx/cert
openssl dhparam -out /etc/nginx/cert/dhparam.pem 2048
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Then add the following parameters to the NGINX SSL configuration:
ssl_certificate /etc/letsencrypt/live/odoo.glamping.tw/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/odoo.glamping.tw/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
add_header Strict-Transport-Security "max-age=31536000" always;
Then reload NGINX:
service nginx reload
Run the site through the test tools below; with this configuration you should get the top grade, A+!
Finally, since Let's Encrypt certificates are valid for only 90 days, it is recommended to renew them automatically every 60 days.
First create the renew script, auto-renew.sh:
#!/bin/sh
# renew the certificate for all listed domains, then reload NGINX so it picks up the new files
/root/letsencrypt/letsencrypt-auto certonly --webroot --renew-by-default --agree-tos -m cewolf@cewolf.com -w /root/webroot -d gapl.com.tw -d www.gapl.com.tw -d glamp.tw
nginx -s reload
Then set up CRON to renew on the 20th of every second month at 3 a.m.:
0 3 20 2,4,6,8,10,12 * root /root/auto-renew.sh
Reload crond
systemctl reload crond.service
Done!
At the moment an nginx reload does not switch over to the new certificate.
Until a solution is found, run it like this:
systemctl stop crond.service
/root/letsencrypt/letsencrypt-auto renew
/bin/systemctl start nginx.service
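As an added example (not the post's own auto-renew.sh), the following wrapper for the cron job above runs letsencrypt-auto renew, checks whether the live fullchain.pem actually changed, and only then validates the NGINX configuration with nginx -t and reloads it, so a run that renews nothing never touches the server. The paths in LE_BIN, LIVE_DIR and SNAPSHOT_DIR are assumptions; adjust them to your host.

```shell
#!/bin/sh
# Added example, not the original post's script: renew, then reload NGINX only
# when the live certificate file really changed, after a config syntax check.
# Assumed paths: letsencrypt-auto at LE_BIN, the domain's live directory at
# LIVE_DIR, baseline copies kept under SNAPSHOT_DIR, nginx managed by systemctl.
set -eu
LE_BIN="${LE_BIN:-/root/letsencrypt/letsencrypt-auto}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/odoo.glamping.tw}"
SNAPSHOT_DIR="${SNAPSHOT_DIR:-/var/lib/le-snapshot}"

# cert_changed FILE: exit 0 when FILE differs from the baseline recorded by
# record_cert, or when no baseline exists yet; exit 1 when it is unchanged.
cert_changed() {
    snap="$SNAPSHOT_DIR/$(basename "$1")"
    [ -f "$snap" ] || return 0
    if cmp -s "$1" "$snap"; then return 1; else return 0; fi
}

# record_cert FILE: store the current FILE as the baseline for the next run.
record_cert() {
    mkdir -p "$SNAPSHOT_DIR"
    cp "$1" "$SNAPSHOT_DIR/$(basename "$1")"
}

# renew_and_reload: the cron entry point. "renew" only re-issues certificates
# that are close to expiry, so most runs change nothing and NGINX is left alone.
renew_and_reload() {
    "$LE_BIN" renew --quiet
    if cert_changed "$LIVE_DIR/fullchain.pem"; then
        nginx -t                        # refuse to reload a broken configuration
        systemctl reload nginx.service
        record_cert "$LIVE_DIR/fullchain.pem"
        logger -t auto-renew "new certificate deployed, nginx reloaded"
    fi
}

case "${1:-}" in
    run) renew_and_reload ;;
esac
```

Call it from cron as /root/auto-renew.sh run; because the renew subcommand skips certificates that are not yet due, the job can run daily rather than on a fixed date.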
Test sites:
Qualys SSL Labs SSL Server Test
DigiCert® SSL Installation Diagnostics Tool
References:
Installing Let's Encrypt on RHEL / CentOS 7
Guide to Deploying Diffie-Hellman for TLS
Building an A+ grade HTTPS web server with nginx
How to Validate a Let’s Encrypt Certificate on a Site Already Active on CloudFlare