- 去阿里云买一个免费的ssl证书(详情:https://bbs.aliyun.com/read/573933.html?spm=5176.10695662.1996646101.searchclickresult.2acd1cb9dAaa8k)
- 支付成功后 点补全,进去后完善信息,提交审核
- 回到控制台(/订单列表) 点进度 未通过 因为还没有在 西部数码里面配置dns
- 过了一会儿再点进度 ,里面的‘’域名授权配置‘’才出现,主机记录就是西部数码dns 配置的主机名,记录值就是txt 的对应值(详情:https://www.west.cn/faq/list.asp?unid=1400)
- 过一会儿 就通过了
- 点下载进去,选apache的下载,这个页面给出了 去服务器配证书的文档。但因为ubuntu 的apache 的目录结构和他给的不一样。所以稍作调整如下:(附参考:https://blog.csdn.net/setoy/article/details/78441613 https://blog.csdn.net/mgsky1/article/details/53844332)
一、开启SSL模块
|
|
这条命令相当于
|
|
如果没有a2enmod指令,也可直接在apache2.conf中设置SSL模块加载:
|
|
##二、创建证书所在目录
文件说明:
1. 证书文件214599770780511.pem,包含两段内容,请不要删除任何一段内容。
2. 如果是证书系统创建的CSR,还包含:证书私钥文件214599770780511.key、证书公钥文件public.pem、证书链文件chain.pem。
#####
- 在Apache的安装目录下创建cert目录(/etc/apache2/cert),并且将下载的全部文件拷贝到cert目录中。
进入/etc/apache2/sites-available下编辑default-ssl.conf
我的配置如下:
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151<IfModule mod_ssl.c><VirtualHost _default_:443>ServerAdmin webmaster@localhostDocumentRoot /var/www/html/pcxy/# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,# error, crit, alert, emerg.# It is also possible to configure the loglevel for particular# modules, e.g.#LogLevel info ssl:warnErrorLog ${APACHE_LOG_DIR}/error.logCustomLog ${APACHE_LOG_DIR}/access.log combined# For most configuration files from conf-available/, which are# enabled or disabled at a global level, it is possible to# include a line for only one particular virtual host. For example the# following line enables the CGI configuration for this host only# after it has been globally disabled with "a2disconf".#Include conf-available/serve-cgi-bin.conf# SSL Engine Switch:# Enable/Disable SSL for this virtual host.SSLEngine on# A self-signed (snakeoil) certificate can be created by installing# the ssl-cert package. See# /usr/share/doc/apache2/README.Debian.gz for more info.# If both key and certificate are stored in the same file, only the# SSLCertificateFile directive is needed.#cht zhushi diaole#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key#cht end#cht add conf# 添加 SSL 协议支持协议,去掉不安全的协议SSLProtocol all -SSLv2 -SSLv3# 修改加密套件如下SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUMSSLHonorCipherOrder on# 证书公钥配置SSLCertificateFile /etc/apache2/cert/public.pem# 证书私钥配置SSLCertificateKeyFile /etc/apache2/cert/214599770780511.key# 证书链配置,如果该属性开头有 '#'字符,请删除掉SSLCertificateChainFile /etc/apache2/cert/chain.pem# Server Certificate Chain:# Point SSLCertificateChainFile at a file containing the# concatenation of PEM encoded CA certificates which form the# certificate chain for the server certificate. Alternatively# the referenced file can be the same as SSLCertificateFile# when the CA certificates are directly appended to the server# certificate for convinience.#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt# Certificate Authority (CA):# Set the CA certificate verification path where to find CA# certificates for client authentication or alternatively one# huge file containing all of them (file must be PEM encoded)# Note: Inside SSLCACertificatePath you need hash symlinks# to point to the certificate files. Use the provided# Makefile to update the hash symlinks after changes.#SSLCACertificatePath /etc/ssl/certs/#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt# Certificate Revocation Lists (CRL):# Set the CA revocation path where to find CA CRLs for client# authentication or alternatively one huge file containing all# of them (file must be PEM encoded)# Note: Inside SSLCARevocationPath you need hash symlinks# to point to the certificate files. Use the provided# Makefile to update the hash symlinks after changes.#SSLCARevocationPath /etc/apache2/ssl.crl/#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl# Client Authentication (Type):# Client certificate verification type and depth. Types are# none, optional, require and optional_no_ca. Depth is a# number which specifies how deeply to verify the certificate# issuer chain before deciding the certificate is not valid.#SSLVerifyClient require#SSLVerifyDepth 10# SSL Engine Options:# Set various options for the SSL engine.# o FakeBasicAuth:# Translate the client X.509 into a Basic Authorisation. This means that# the standard Auth/DBMAuth methods can be used for access control. The# user name is the `one line' version of the client's X.509 certificate.# Note that no password is obtained from the user. Every entry in the user# file needs this password: `xxj31ZMTZzkVA'.# o ExportCertData:# This exports two additional environment variables: SSL_CLIENT_CERT and# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the# server (always existing) and the client (only existing when client# authentication is used). This can be used to import the certificates# into CGI scripts.# o StdEnvVars:# This exports the standard SSL/TLS related `SSL_*' environment variables.# Per default this exportation is switched off for performance reasons,# because the extraction step is an expensive operation and is usually# useless for serving static content. So one usually enables the# exportation for CGI and SSI requests only.# o OptRenegotiate:# This enables optimized SSL connection renegotiation handling when SSL# directives are used in per-directory context.#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire<FilesMatch "\.(cgi|shtml|phtml|php)$">SSLOptions +StdEnvVars</FilesMatch><Directory /usr/lib/cgi-bin>SSLOptions +StdEnvVars</Directory># SSL Protocol Adjustments:# The safe and default but still SSL/TLS standard compliant shutdown# approach is that mod_ssl sends the close notify alert but doesn't wait for# the close notify alert from client. When you need a different shutdown# approach you can use one of the following variables:# o ssl-unclean-shutdown:# This forces an unclean shutdown when the connection is closed, i.e. no# SSL close notify alert is send or allowed to received. This violates# the SSL/TLS standard but is needed for some brain-dead browsers. Use# this when you receive I/O errors because of the standard approach where# mod_ssl sends the close notify alert.# o ssl-accurate-shutdown:# This forces an accurate shutdown when the connection is closed, i.e. a# SSL close notify alert is send and mod_ssl waits for the close notify# alert of the client. This is 100% SSL/TLS standard compliant, but in# practice often causes hanging connections with brain-dead browsers. Use# this only for browsers where you know that their SSL implementation# works correctly.# Notice: Most problems of broken clients are also related to the HTTP# keep-alive facility, so you usually additionally want to disable# keep-alive for those clients, too. Use variable "nokeepalive" for this.# Similarly, one has to force some clients to use HTTP/1.0 to workaround# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and# "force-response-1.0" for this.# BrowserMatch "MSIE [2-6]" \# nokeepalive ssl-unclean-shutdown \# downgrade-1.0 force-response-1.0</VirtualHost></IfModule># vim: syntax=apache ts=4 sw=4 sts=4 sr noet
建立site-available 到sites-enabled的映射
sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf
重启apache
sudo /etc/init.d/apache2 restart
最后用https 访问