Installing certbot with pip on Amazon Linux and configuring the certificate with Apache
Configuring the certificate
1. Update the system and install the required packages
First, make sure the system and the package manager are up to date:
sudo dnf update -y
sudo dnf install -y python3 python3-pip python3-virtualenv httpd mod_ssl
sudo yum install -y wget mariadb105-server php php-fpm php8.2-* libmemcached libmemcached-* memcached
2. Create and activate a virtual environment
To avoid dependency conflicts, use virtualenv to create an isolated Python environment:
python3 -m venv myenv
source myenv/bin/activate
3. Install certbot and the Apache plugin
Install certbot and the certbot-apache plugin inside the virtual environment:
pip install certbot certbot-apache
4. Configure Apache
Make sure Apache is installed and running:
sudo systemctl start httpd
sudo systemctl enable httpd
5. Obtain an SSL certificate with certbot
Run the certbot command to obtain the SSL certificate. Replace yourdomain.com with your actual domain name:
sudo myenv/bin/certbot --apache -d yourdomain.com -d www.yourdomain.com
certbot will automatically configure Apache to use the certificate it obtained.
6. Verify the SSL certificate
Verify that the SSL certificate has been installed correctly:
sudo myenv/bin/certbot certificates
7. Configure automatic renewal
To make sure the SSL certificate renews automatically, set up a cron job:
sudo crontab -e
Add the following line to check and renew the certificate every day:
0 2 * * * /path/to/myenv/bin/certbot renew --quiet --deploy-hook "systemctl reload httpd"
Make sure to replace /path/to/myenv with the actual path to your virtual environment.
8. Restart Apache to apply the changes
Make sure all changes have been applied correctly and reload Apache:
sudo systemctl reload httpd
9. Use AWS ACM (when using an Elastic Load Balancer)
- Request an ACM certificate:
  - Log in to the AWS Management Console and open the ACM console.
  - Request a new certificate and enter your domain name.
  - Choose DNS validation and follow the prompts to configure the Route 53 records that validate the domain.
- Configure the ELB (Elastic Load Balancer):
  - Open the EC2 console and create a new Application Load Balancer (ALB) or modify an existing ALB.
  - In the listener configuration, add an HTTPS listener and select the certificate you created in ACM.
- Update the EC2 instance's security group:
  - Make sure the security group of your EC2 instance allows traffic from the load balancer.
  - Typically you need to allow HTTP (port 80) and HTTPS (port 443) traffic.
10. Configure WordPress
- Update the WordPress URLs:
  - Log in to the WordPress admin dashboard and go to "Settings" > "General".
  - Set the WordPress Address (URL) and Site Address (URL) to https://yourdomain.com.
- Force HTTPS:
  - Install and activate an SSL plugin (such as Really Simple SSL), which redirects HTTP traffic to HTTPS for you automatically.
11. Verify the configuration
- Make sure your site is reachable normally over HTTPS.
- Use the browser's developer tools to check that all resources (images, CSS, JS) are loaded over HTTPS.
After completing the steps above, your WordPress site should have its domain and SSL certificate configured and be reachable securely over HTTPS.
12. Verify automatic renewal
You can run the following command manually to test the renewal process:
sudo /home/ec2-user/myenv/bin/certbot renew --dry-run
This simulates the renewal without actually changing the certificate, so you can confirm that everything works.
Error 1
(myenv) [ec2-user@ip-172-31-29-84 ~]$ sudo myenv/bin/certbot --apache -d yourdomain.com -d www.yourdomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError('Problem in Augeas installation')
Fixing the Augeas dependency problem
The Apache plugin does not work because of a problem with the Augeas installation; try the following steps to resolve it.
Install the Augeas dependency
First, make sure the Augeas library is installed on the system:
sudo dnf install augeas-libs augeas -y
Then re-run the certbot command.
Confirm the Augeas library path
If the problem persists after installing the Augeas dependency, you can try setting the Augeas library path manually.
Generating the SSL certificate with the --webroot method
If the Augeas problem still persists, you can use the --webroot method to obtain the SSL certificate instead.
Determine your webroot path
Your webroot path is the root directory of your website files, for example /var/www/html. Make sure your Apache configuration points to that directory.
Error 2
(myenv) [ec2-user@ip-10-0-0-38 ~]$ sudo myenv/bin/certbot certonly --webroot -w /var/www/html -d yourdomain.com -d www.yourdomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for yourdomain.com and www.yourdomain.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: www.yourdomain.com
  Type:   unauthorized
  Detail: 192.124.249.6: Invalid response from http://www.yourdomain.com/.well-known/acme-challenge/n6NwZDCnl5skYENn2H0PFUeB9ADUCigfn-on2lSVFbs: 404

  Domain: yourdomain.com
  Type:   unauthorized
  Detail: 192.124.249.6: Invalid response from http://yourdomain.com/.well-known/acme-challenge/AXBYIkodywil0y4eEDTX8fzCoL5A3AbawoS0gBzdzCU: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
This error means that certbot could not validate your domains guoxinglong.asia and www.guoxinglong.asia while trying to obtain the certificate. Specifically, the certificate authority (CA) could not find valid A and AAAA records for these domains. Note that the output above reports a 404 for the challenge URL, so the Hint line also applies: the path given with -w must be the directory that the HTTP virtual host for these names actually serves. The steps to resolve it are as follows:
Resolution steps
- Check the DNS records
  Make sure the DNS records for guoxinglong.asia and www.guoxinglong.asia are configured correctly and point to your server's IP address.
  - Log in to the management console of your domain registrar or DNS provider.
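Before running certbot with --webroot again, the check below reproduces what the CA does when it hits the 404 shown above: it writes a token under .well-known/acme-challenge in the webroot and fetches it over plain HTTP for the name in question. This is an added example, not code from the original post or from certbot; it assumes curl is installed, and the webroot and domain names used are the post's /var/www/html and yourdomain.com placeholders.

```shell
#!/bin/sh
# Pre-flight check for certbot's --webroot authenticator. Let's Encrypt fetches
# http://<domain>/.well-known/acme-challenge/<token> over port 80, following
# redirects, so the -w directory must be what the HTTP vhost really serves.
# Hypothetical helper script; not part of certbot.

# Path of the challenge directory under a webroot (fixed by the ACME protocol).
challenge_dir() {
    printf '%s/.well-known/acme-challenge\n' "${1%/}"
}

# Create the challenge directory and write a probe token file into it.
# Prints the token name. Usage: write_probe WEBROOT
write_probe() {
    dir=$(challenge_dir "$1")
    token="certbot-preflight-$$-$(date +%s)"
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token" || return 1
    chmod 644 "$dir/$token"          # httpd must be able to read it
    printf '%s\n' "$token"
}

# 0 only when the fetched body equals the token byte for byte; a 404 page,
# a login page or an empty redirect body all show up as a mismatch.
probe_matches() {
    [ "$1" = "$2" ]
}

# Write the token, fetch it the way the CA does, then clean up.
# Usage: acme_preflight WEBROOT DOMAIN
acme_preflight() {
    webroot=$1 domain=$2
    token=$(write_probe "$webroot") || return 1
    url="http://$domain/.well-known/acme-challenge/$token"
    if body=$(curl -fsSL "$url" 2>/dev/null) && probe_matches "$body" "$token"; then
        rm -f "$(challenge_dir "$webroot")/$token"
        echo "OK: $domain serves $webroot"
        return 0
    fi
    rm -f "$(challenge_dir "$webroot")/$token"
    echo "FAIL: $url did not return the token written to $webroot" >&2
    return 1
}

# Run it once per -d name before certbot, e.g.:
# acme_preflight /var/www/html yourdomain.com && acme_preflight /var/www/html www.yourdomain.com
```

A FAIL for one name but OK for the other usually means the two names are served by different virtual hosts, so they need different -w paths or a single vhost with ServerAlias.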
Obtain the SSL certificate
Use the following command to obtain the SSL certificate:
sudo myenv/bin/certbot certonly --webroot -w /var/www/html -d yourdomain.com -d www.yourdomain.com

(myenv) [ec2-user@ip-172-31-24-7 ~]$ sudo myenv/bin/certbot certonly --webroot -w /var/www/html -d guoxinglong.asia -d www.guoxinglong.asia
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): gxlguoxinglong@163.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for guoxinglong.asia and www.guoxinglong.asia

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/guoxinglong.asia/fullchain.pem
Key is saved at: /etc/letsencrypt/live/guoxinglong.asia/privkey.pem
This certificate expires on 2024-09-05.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 * Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Configure Apache to use the SSL certificate
After obtaining the SSL certificate, you need to edit the Apache configuration manually so that it uses these files.
Edit the Apache configuration
Open your Apache configuration file, usually /etc/httpd/conf.d/ssl.conf or your virtual host configuration file.
Add or modify the following lines to point to your SSL certificate and key files:
<VirtualHost *:80>
    ServerName guoxinglong.asia
    ServerAlias www.guoxinglong.asia
    DocumentRoot /var/www/html
    # Redirect all HTTP requests to HTTPS
    Redirect permanent / https://guoxinglong.asia/
</VirtualHost>

<VirtualHost *:443>
    ServerName guoxinglong.asia
    ServerAlias www.guoxinglong.asia
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/guoxinglong.asia/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/guoxinglong.asia/privkey.pem
    # fullchain.pem already contains the intermediate; SSLCertificateChainFile
    # is deprecated since Apache 2.4.8 and only needed on older versions
    SSLCertificateChainFile /etc/letsencrypt/live/guoxinglong.asia/chain.pem
    <Directory /var/www/html>
        # Indexes enables directory listings; drop it unless you need them
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
Make sure to replace guoxinglong.asia with your actual domain name.
Reload Apache
sudo systemctl reload httpd
Verify the SSL certificate
You can verify that the certificate is installed correctly with the following command:
sudo myenv/bin/certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: guoxinglong.asia
    Serial Number: 3ec93cbac9cdbc85a5f755a69efcfadf01b
    Key Type: ECDSA
    Domains: guoxinglong.asia www.guoxinglong.asia
    Expiry Date: 2024-10-08 02:43:39+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/guoxinglong.asia/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/guoxinglong.asia/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
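Before reloading httpd, the script below checks the files the SSL virtual host points at: that privkey.pem really belongs to fullchain.pem (comparing public keys, which also works for the ECDSA key type shown above), that the certificate has more than 30 days left (the threshold at which certbot renew acts), and which names it covers so they can be compared with ServerName and ServerAlias. This is an added example, not code from the post, certbot or Apache; it assumes openssl 1.1.1 or later and the /etc/letsencrypt/live/<name>/ layout from the output above.

```shell
#!/bin/sh
# Checks for the files referenced by SSLCertificateFile / SSLCertificateKeyFile
# before running "systemctl reload httpd". Hypothetical helper script.

# 0 when KEY_PEM is the private key for CERT_PEM. Compares the public key
# embedded in the certificate with the one derived from the key, so unlike the
# classic RSA modulus trick it works for the ECDSA keys Let's Encrypt issues.
# Usage: cert_key_match CERT_PEM KEY_PEM
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when CERT_PEM is still valid DAYS days from now. certbot renews a
# certificate once it has under 30 days left, so failing with DAYS=30 means
# the cron job from the post is not doing its work.
# Usage: cert_valid_for_days CERT_PEM DAYS
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print the DNS names in the certificate's subjectAltName, one per line.
# Usage: cert_sans CERT_PEM
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Run every check against a certbot live directory.
# Usage: check_live_dir /etc/letsencrypt/live/yourdomain.com
check_live_dir() {
    dir=${1%/}
    cert_key_match "$dir/fullchain.pem" "$dir/privkey.pem" \
        || { echo "FAIL: privkey.pem does not match fullchain.pem in $dir" >&2; return 1; }
    cert_valid_for_days "$dir/fullchain.pem" 30 \
        || { echo "FAIL: certificate in $dir expires within 30 days" >&2; return 1; }
    echo "OK: $dir covers: $(cert_sans "$dir/fullchain.pem" | tr '\n' ' ')"
}

# Example: check_live_dir /etc/letsencrypt/live/yourdomain.com && sudo systemctl reload httpd
```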
Configure automatic renewal
To make sure the SSL certificate renews automatically, you can set up a cron job:
- Edit the cron configuration:
  sudo crontab -e
- Add the following line to check and renew the certificate every day:
  0 2 * * * /home/ec2-user/myenv/bin/certbot renew --quiet --deploy-hook "systemctl reload httpd"