Installing a free SSL certificate for Magento with Let's Encrypt / CentOS 7


==================== After updating to the new version, renew no longer works properly; use Dehydrated instead ====================


Let's Encrypt is a certificate authority (CA) set up jointly by the major vendors to improve Internet security; it issues certificates free of charge. Below is how to set up Let's Encrypt for NGINX on CentOS 7.

First install git, the EPEL repo and the packages Let's Encrypt needs:

su
yum install -y git epel-release gcc libffi-devel python-devel openssl-devel

Download Let's Encrypt:

cd /root
git clone https://github.com/letsencrypt/letsencrypt

This clones the latest Let's Encrypt release into /root/letsencrypt.

Stop NGINX first (the standalone authenticator runs its own temporary web server on the port NGINX normally uses), then obtain the certificate files with letsencrypt-auto:

cd /root/letsencrypt
./letsencrypt-auto certonly -a standalone -d yourdomain.com

or, with the options kept in a config file:

cd /root/letsencrypt
./letsencrypt-auto --config /home/test/configs/[your-domain].conf certonly

Alternatively use the webroot authenticator, which lets NGINX keep running: the challenge file is written under <webroot>/.well-known/acme-challenge/, so --webroot-path must be a directory NGINX serves for that domain, either the default document root or a dedicated directory such as /root/webroot:

mkdir /root/webroot
cd /root/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d odoo.glamping.tw

or

./letsencrypt-auto certonly -a webroot --webroot-path=/root/webroot -d odoo.glamping.tw

Let's Encrypt places the certificate files under /etc/letsencrypt/live/.

Next, generate the DH parameters (2048-bit). Either location works, but the ssl_dhparam path in the NGINX configuration below must point at the file you generate:

mkdir /etc/nginx/cert
openssl dhparam -out /etc/nginx/cert/dhparam.pem 2048

or

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Next, add the following to the SSL section of the NGINX configuration:

    ssl_certificate      /etc/letsencrypt/live/odoo.glamping.tw/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/odoo.glamping.tw/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 180m;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;
    add_header Strict-Transport-Security "max-age=31536000" always;

Then reload NGINX:

service nginx reload

Run the site through one of the test sites listed below; with these settings it should get the top grade, A+! Note that TLS 1.0 and 1.1 have since been deprecated and current scanners mark a server down for still offering them, so on a current build restrict ssl_protocols to TLSv1.2 (and TLSv1.3 where the NGINX and OpenSSL build supports it).
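As an added example (not code from the original post), a small Python check that audits the TLS directives of a server block offline before you trust a scanner grade: it flags deprecated protocol versions, positively enabled legacy cipher suites, and an HSTS header that is missing, mis-quoted or shorter than the six-month max-age usually required for A+. The sample config is constructed from the directives above, with the HSTS line deliberately missing its closing quote so the check has something to catch.

```python
import re

# Constructed sample: the TLS directives from this guide, with the HSTS line
# deliberately missing its closing quote, exactly as it first appeared.
SAMPLE_CONFIG = """
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!RC4:!MD5';
    add_header Strict-Transport-Security "max-age=31536000 always;
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LEGACY_SUITES = ("DES-CBC3", "RC4", "MD5", "CAMELLIA")  # 3DES, RC4, MD5 MAC, non-AEAD Camellia
MIN_HSTS_MAX_AGE = 15768000  # six months, the usual A+ threshold for HSTS (assumption)
DIRECTIVE = re.compile(r"^\s*(\S+)\s+(.*?);\s*$")


def parse_directives(text):
    """Map directive name -> argument string; add_header is keyed by header name."""
    result = {}
    for m in filter(None, map(DIRECTIVE.match, text.splitlines())):
        name, args = m.group(1), m.group(2).strip()
        if name == "add_header":          # key as "add_header <Header-Name>"
            header, _, args = args.partition(" ")
            name = "add_header " + header
        result[name] = args.strip()
    return result


def audit_tls(text):
    """Return (directive, problem) findings for one NGINX server block."""
    d, findings = parse_directives(text), []
    for proto in d.get("ssl_protocols", "").split():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(("ssl_protocols", proto + " is deprecated; keep TLSv1.2 and newer"))
    # Only positively enabled suites matter; '!'-prefixed entries are exclusions.
    for suite in d.get("ssl_ciphers", "").strip("'\"").split(":"):
        if suite and not suite.startswith("!") and any(w in suite for w in LEGACY_SUITES):
            findings.append(("ssl_ciphers", suite + " enables a legacy cipher suite"))
    hsts = d.get("add_header Strict-Transport-Security")
    if hsts is None:
        findings.append(("add_header", "no Strict-Transport-Security header"))
    else:
        if hsts.count('"') % 2:           # nginx -t would reject the unterminated string
            findings.append(("add_header", "unbalanced quotes in the HSTS value"))
        age = re.search(r"max-age=(\d+)", hsts)
        if not age or int(age.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(("add_header", "HSTS max-age below %d seconds" % MIN_HSTS_MAX_AGE))
    return findings
```

Running audit_tls(SAMPLE_CONFIG) reports both old TLS versions, the CAMELLIA and DES-CBC3-SHA suites and the broken HSTS quoting; the corrected block above yields no findings.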

Finally, since Let's Encrypt certificates are valid for only 90 days, it is recommended to renew automatically every 60 days.

First create the renewal script /root/auto-renew.sh and make it executable (chmod +x /root/auto-renew.sh):

#!/bin/bash
/root/letsencrypt/letsencrypt-auto certonly --webroot --renew-by-default --agree-tos -m cewolf@cewolf.com -w /root/webroot -d gapl.com.tw -d www.gapl.com.tw -d glamp.tw
nginx -s reload

Then add a cron entry (system crontab format with a user field, i.e. /etc/crontab or a file under /etc/cron.d/) to renew at 03:00 on the 20th of every second month:

0 3 20 2,4,6,8,10,12 * root /root/auto-renew.sh

Reload crond:

systemctl reload crond.service

Done!

At the moment an nginx reload does not pick up the new certificate.

Until a solution is found, run it like this for now: stop NGINX, renew, then start NGINX again.

systemctl stop nginx.service
/root/letsencrypt/letsencrypt-auto renew
/bin/systemctl start nginx.service


Test sites:

Qualys SSL Labs SSL Server Test

DigiCert® SSL Installation Diagnostics Tool

SSL Checker

