Differences
This shows the differences between two versions of the page.
security:free-ssl [2019/07/29 08:41] admin |
security:free-ssl [2021/01/16 14:58] admin |
||
---|---|---|---|
Строка 3: | Строка 3: | ||
{{ https:// | {{ https:// | ||
- | < | + | Старый способ получения сертификатов через '' |
- | [[security: | + | |
- | </ | + | |
- | + | ||
- | [[https:// | + | |
- | + | ||
- | + | ||
- | * Сертификат без установки программ: | + | |
- | * [[https:// | + | |
- | * [[google-likes-https|Гугл предпочитает https]] | + | |
- | * [[https:// | + | |
- | + | ||
- | + | ||
- | ===== Установка необходимо ПО ===== | + | |
- | + | ||
- | <code bash> | + | |
- | cd ~ | + | |
- | git clone https:// | + | |
- | </ | + | |
- | + | ||
- | ===== Получение бесплатного SSL сертификата ===== | + | |
- | + | ||
- | <code bash> | + | |
- | cd letsencrypt | + | |
- | ./ | + | |
- | </ | + | |
- | + | ||
- | При | + | |
- | + | ||
- | Далее необходимо | + | |
- | + | ||
- | После чего получим следующее сообщение: | + | |
< | < | ||
- | Make sure your web server displays the following content at | + | ./letsencrypt-auto has insecure permissions! |
- | http://site.ru/.well-known/ | + | To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/ |
- | + | Upgrading certbot-auto 1.9.0 to 1.11.0... | |
- | abcdef-abcdef-abcdef | + | Replacing certbot-auto... |
- | + | Your system is not supported by certbot-auto anymore. | |
- | If you don't have HTTP server configured, you can run the following | + | Certbot will no longer receive updates. |
- | command on the target server (as root): | + | Please visit https:// |
- | + | ||
- | mkdir -p /tmp/ | + | |
- | cd /tmp/letsencrypt/ | + | |
- | printf " | + | |
- | # run only once per server: | + | |
- | $(command | + | |
- | " | + | |
- | s = BaseHTTPServer.HTTPServer(('', | + | |
- | s.serve_forever()" | + | |
</ | </ | ||
- | Таким образом, | + | Теперь можно воспользоваться мастером, который подскажет, |
- | + | ||
- | Проверяем, | + | |
- | + | ||
- | <code bash> | + | |
- | curl --head http:// | + | |
- | HTTP/1.1 200 OK | + | |
- | curl http:// | + | |
- | abcdef-abcdef-abcdef | + | |
- | </ | + | |
- | + | ||
- | После этого нажимаем Enter в программе | + | |
- | + | ||
- | <note tip> | + | |
- | Если после создания файла вместо него отдается страница CMS, необходимо настроить веб-сервер. А также на будущее, | + | |
- | </ | + | |
- | + | ||
- | На примере Apache, сразу | + | |
- | + | ||
- | <file .htaccess> | + | |
- | # отдаем файлы для проверки Let's Encrypt | + | |
- | RewriteRule ^(\.well-known/ | + | |
- | </ | + | |
- | + | ||
- | <note tip> | + | |
- | Если в .htaccess | + | |
- | </ | + | |
- | + | ||
- | <file ini .htaccess> | + | |
- | Allow from all | + | |
- | Satisfy Any | + | |
- | </ | + | |
- | + | ||
- | <note tip> | + | |
- | Если отдаются неправильные заголовки, их можно отключить: | + | |
- | </ | + | |
- | + | ||
- | <file ini .htaccess> | + | |
- | Header unset Content-Type | + | |
- | </ | + | |
- | + | ||
- | В случае успеха, | + | |
- | + | ||
- | < | + | |
- | IMPORTANT NOTES: | + | |
- | - Congratulations! Your certificate and chain have been saved at | + | |
- | / | + | |
- | | + | |
- | the future, simply run Let's Encrypt again. | + | |
- | - If you like Let's Encrypt, please consider supporting our work by: | + | |
- | + | ||
- | | + | |
- | | + | |
- | </ | + | |
- | + | ||
- | ===== Установка полученных сертификатов ===== | + | |
- | + | ||
- | Теперь необходимо прописать в настройки веб-сервера пути к сертификатам и сделать редирект на https. | + | |
- | + | ||
- | <note tip> | + | |
- | Так как | + | |
- | </ | + | |
- | + | ||
- | ^ Файл | + | |
- | | privkey.pem | + | |
- | | cert.pem | + | |
- | | chain.pem | + | |
- | | fullchain.pem | соединение chain.pem и cert.pem | + | |
- | + | ||
- | ==== Apache ==== | + | |
- | + | ||
- | Для активации SSL сертификатов '' | + | |
- | + | ||
- | <file ini site.conf> | + | |
- | + | ||
- | < | + | |
- | SSLEngine on | + | |
- | SSLCertificateFile / | + | |
- | SSLCertificateChainFile / | + | |
- | SSLCertificateKeyFile / | + | |
- | </ | + | |
- | + | ||
- | </ | + | |
- | + | ||
- | Для редиректов с www и http на https: | + | |
- | + | ||
- | <file ini .htaccess> | + | |
- | # 301 редирект с адресов с www на адреса без www | + | |
- | RewriteCond %{HTTP_HOST} ^www\.site\.ru$ [NC] | + | |
- | RewriteRule ^(.*)$ https:// | + | |
- | + | ||
- | # Редирект на HTTPS | + | |
- | RewriteCond %{HTTPS} !=on | + | |
- | RewriteRule ^(.*)$ https:// | + | |
- | </ | + | |
- | + | ||
- | ==== Nginx ==== | + | |
- | + | ||
- | <file ini site.conf> | + | |
- | server { | + | |
- | listen 443; | + | |
- | ssl on; | + | |
- | ssl_certificate / | + | |
- | ssl_certificate_key / | + | |
- | } | + | |
- | </ | + | |
- | + | ||
- | ===== Продление сертификата ===== | + | |
- | + | ||
- | До просрочки будут приходить письма напоминания о необходимости продления сертификата такого рода: | + | |
- | + | ||
- | < | + | |
- | Hello, | + | |
- | + | ||
- | Your certificate (or certificates) for the names listed below will expire in | + | |
- | 0 days (on 25 Feb 17 17:21 +0000). Please make sure to renew | + | |
- | your certificate before then, or visitors to your website will encounter errors. | + | |
- | + | ||
- | pushorigin.ru | + | |
- | + | ||
- | For any questions or support, please visit https:// | + | |
- | Unfortunately, | + | |
- | + | ||
- | For details about when we send these emails, please visit | + | |
- | https:// | + | |
- | that this reminder email is still sent if you've obtained a slightly | + | |
- | different certificate by adding or removing names. If you've replaced | + | |
- | this certificate with a newer one that covers more or fewer names than | + | |
- | the list above, you may be able to ignore this message. | + | |
- | + | ||
- | If you want to stop receiving all email from this address, click | + | |
- | http:// | + | |
- | (Warning: this is a one-click action that cannot be undone) | + | |
- | + | ||
- | Regards, | + | |
- | The Let's Encrypt Team | + | |
- | </ | + | |
- | + | ||
- | Само продление: | + | |
- | + | ||
- | <code bash> | + | |
- | ./ | + | |
- | service nginx reload | + | |
- | </ | + | |
- | + | ||
- | Надо не забыть перегрузить веб-сервер! | + | |
- | + | ||
- | По материалам [[http:// | + | |
+ | По сути, нужно установить snap-пакет: |
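Review bot: The removed sections from "===== Установка полученных сертификатов =====" through "===== Продление сертификата =====" do not depend on letsencrypt-auto, but the added text only covers why the old client stopped working and how to get a new one. That drops the table explaining privkey.pem, cert.pem, chain.pem and fullchain.pem, the Apache and Nginx site.conf snippets, the http-to-https redirect rules, and the reminder "Надо не забыть перегрузить веб-сервер!" after renewal. Consider keeping those sections, or moving them under the new wizard and snap-package instructions, so the page still says where the key and chain go and that the web server must be reloaded after each renewal. Separately, the quoted output opens with "./letsencrypt-auto has insecure permissions!" and the new text never comes back to it; one sentence saying what to do with the leftover script and its permissions once it is superseded would close that gap.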