Installing and configuring Let's Encrypt (Apache2)
System environment:
OS: Debian GNU/Linux 12 (bookworm) x86_64
Host: PRO ADL-U Cubi 5 (MS-B0A8) 1.0
Kernel: 6.8.4-3-pve
Uptime: 5 hours, 52 mins
Packages: 556 (dpkg)
Shell: bash 5.2.15
Terminal: /dev/pts/3
CPU: 12th Gen Intel i7-1255U (4) @ 4.700GHz
Memory: 241MiB / 4096MiB
Apache2
1. Set up the DNS record first so that the site is reachable from the outside via public DNS, then install the required packages
apt-get update
apt-get install certbot python3-certbot-apache -y
2. Show the Certbot options
certbot -h
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:
obtain, install, and renew certificates:
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near
expiry
enhance Add security enhancements to your existing configuration
-d DOMAINS Comma-separated list of domains to obtain a certificate for
--apache Use the Apache plugin for authentication & installation
--standalone Run a standalone webserver for authentication
(the certbot nginx plugin is not installed)
--webroot Place files in a server's webroot folder for authentication
--manual Obtain certificates interactively, or using shell script
hooks
-n Run non-interactively
--test-cert Obtain a test certificate from a staging server
--dry-run Test "renew" or "certonly" without saving any certificates
to disk
manage certificates:
certificates Display information about certificates you have from Certbot
revoke Revoke a certificate (supply --cert-name or --cert-path)
delete Delete a certificate (supply --cert-name)
manage your account:
register Create an ACME account
unregister Deactivate an ACME account
update_account Update an ACME account
show_account Display account details
--agree-tos Agree to the ACME server's Subscriber Agreement
-m EMAIL Email address for important account notifications
More detailed help:
-h, --help [TOPIC] print this message, or detailed help on a topic;
the available TOPICS are:
all, automation, commands, paths, security, testing, or any of the
subcommands or plugins (certonly, renew, install, register, nginx,
apache, standalone, webroot, etc.)
-h all print a detailed help page including all topics
--version print the version number
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3. Request the certificate (certonly obtains it but does not touch the Apache config; the certificate is added to the config by hand in step 5)
certbot certonly --apache -w /var/www/xxxxxx/ -d xx.aa.bb.cc --email [email protected]
4. Confirm the certificate
After the request completes, the certificate files should be found under /etc/letsencrypt/live/xx.aa.bb.cc as follows
lrwxrwxrwx 1 root root 43 Jun 7 22:53 cert.pem -> ../../archive/xx.aa.bb.cc/cert1.pem
lrwxrwxrwx 1 root root 44 Jun 7 22:53 chain.pem -> ../../archive/xx.aa.bb.cc/chain1.pem
lrwxrwxrwx 1 root root 48 Jun 7 22:53 fullchain.pem -> ../../archive/xx.aa.bb.cc/fullchain1.pem
lrwxrwxrwx 1 root root 46 Jun 7 22:53 privkey.pem -> ../../archive/xx.aa.bb.cc/privkey1.pem
5. Put the certificate into the Apache2 config
vim /etc/apache2/sites-available/xxxxxx.conf
<VirtualHost *:443>
    SSLEngine on
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/xxxxxx
    # The paths under /etc/letsencrypt/live/ are symlinks that certbot repoints on renewal,
    # so Apache picks up the new certificate after a reload without editing this file.
    SSLCertificateFile /etc/letsencrypt/live/xx.aa.bb.cc/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/xx.aa.bb.cc/privkey.pem
    # SSLCertificateChainFile is deprecated since Apache 2.4.8; it still works on Debian 12,
    # but the equivalent modern form is SSLCertificateFile pointing at fullchain.pem.
    SSLCertificateChainFile /etc/letsencrypt/live/xx.aa.bb.cc/chain.pem
</VirtualHost>
After saving, restart the Apache service
systemctl restart apache2
6. Check that the SSL configuration is correct
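One way to do this check before restarting Apache, as an added example that is not part of the original post (it assumes the openssl CLI is installed; the live directory and the expiry threshold in days are arguments):

```sh
#!/bin/sh
# Added example: sanity-check a certbot "live" directory before Apache uses it.
# Usage: check_live_dir /etc/letsencrypt/live/xx.aa.bb.cc [min_days]
check_live_dir() {
    dir="$1"
    min_days="${2:-30}"
    # 1. all four files certbot creates must exist and resolve
    #    (they are symlinks into ../../archive, so a dangling link fails here)
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "FAIL: $dir/$f missing or unreadable (dangling symlink?)" >&2
            return 1
        fi
    done
    # 2. the private key must belong to the certificate: compare public keys
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: privkey.pem does not match cert.pem" >&2
        return 1
    fi
    # 3. fullchain.pem must be cert.pem followed by chain.pem
    #    (the form SSLCertificateFile accepts on Apache >= 2.4.8)
    if [ "$(cat "$dir/cert.pem" "$dir/chain.pem")" != "$(cat "$dir/fullchain.pem")" ]; then
        echo "FAIL: fullchain.pem is not cert.pem + chain.pem" >&2
        return 1
    fi
    # 4. expiry: certbot.timer renews twice daily, but catch a cert already close to expiry
    if ! openssl x509 -in "$dir/cert.pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: cert.pem expires within $min_days days:" \
             "$(openssl x509 -in "$dir/cert.pem" -noout -enddate)" >&2
        return 1
    fi
    echo "OK: $dir ($(openssl x509 -in "$dir/cert.pem" -noout -subject))"
    return 0
}
```

A non-zero exit means one of the four checks failed and the reason is printed on stderr, so the script can also run from a deploy hook before the service restart.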
7. Confirm that certbot.timer runs normally and that certificate renewal works
systemctl status certbot.timer
* certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; preset: enabled)
Active: active (waiting) since Fri 2024-06-07 17:37:05 CST; 6h ago
Trigger: Sat 2024-06-08 08:04:10 CST; 8h left
Triggers: * certbot.service
Jun 07 17:37:05 systemd[1]: Started certbot.timer - Run certbot twice daily.
certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/xx.aa.bb.cc.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for xx.aa.bb.cc
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/mdfk.goddamn.idv.tw/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -