How to Install a Let's Encrypt SSL Certificate to Secure Apache on RHEL/CentOS 7/6


Extending the previous Let's Encrypt tutorial on free SSL/TLS certificates, this article shows how to obtain and install a free SSL/TLS certificate issued by the Let's Encrypt Certificate Authority for the Apache web server on CentOS/RHEL 7/6 and Fedora distributions.

If you are looking to install Let's Encrypt for Apache on Debian and Ubuntu, follow the separate guide for those distributions instead.

Requirements

  1. A registered domain name with a valid A record pointing back to your server's public IP address.
  2. Apache server installed with the SSL module enabled, and with virtual hosting enabled if you are hosting multiple domains or subdomains.

Step 1: Install Apache Web Server

1. If it is not already installed, the httpd daemon can be installed by issuing the command below:

# yum install httpd

2. For the Let's Encrypt software to work with Apache, make sure the SSL/TLS module is installed by issuing the command below:

# yum -y install mod_ssl

3. Finally, start the Apache server with the following command:

# systemctl start httpd.service          [On RHEL/CentOS 7]
# service httpd start                    [On RHEL/CentOS 6]

Step 2: Install the Let's Encrypt Client

4. The easiest way to install the Let's Encrypt client is to clone its GitHub repository onto your filesystem. To install git on your system you must first enable the EPEL repository with the following command.

# yum install epel-release

5. Once the EPEL repository has been added to your system, go ahead and install the git client by running the command below:

# yum install git

6. Now that all the dependencies the Let's Encrypt client needs are installed, change to the /usr/local/ directory and pull the client from its official GitHub repository with the following commands:

# cd /usr/local/
# git clone https://github.com/letsencrypt/letsencrypt

Step 3: Obtain a Free Let's Encrypt SSL Certificate for Apache

7. On CentOS/RHEL the process of obtaining a free Let's Encrypt certificate for Apache is automated by the client's apache plugin.

Run the Let's Encrypt client script to obtain the SSL certificate: change to the installation directory, /usr/local/letsencrypt, and run the letsencrypt-auto command (as root) with the --apache option and a -d flag for every domain or subdomain the certificate must cover:

# cd /usr/local/letsencrypt
# ./letsencrypt-auto --apache -d your_domain.tld 

8. Provide the email address that Let's Encrypt will use for lost key recovery and urgent notices, and press Enter to continue.

9. Agree to the terms of the license by pressing the Enter key.

10. On CentOS/RHEL, unlike Debian-based distributions, Apache does not by default keep the configuration of enabled hosts separate from that of available (inactive) hosts.

Virtual hosting is also off by default, and the Apache directive that names the host (ServerName) is absent from the stock SSL configuration file.

Because the client therefore finds no virtual host to match your domain against, it will prompt you to select one. Choose the ssl.conf file to be modified automatically by the Let's Encrypt client and press Enter to continue.

11. Next, choose the Easy method for HTTP requests and press Enter to continue. Easy keeps your site reachable over plain HTTP as well as HTTPS; the alternative, Secure, redirects every HTTP request to HTTPS, which is what you want for a production site.

12. Finally, if everything went smoothly, a congratulation message should be displayed on screen. Press Enter to dismiss the prompt.

That's it! You have successfully obtained an SSL/TLS certificate for your domain. You can now browse your website over HTTPS.
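If you would rather give the client a proper virtual host to work with than let it rewrite ssl.conf (step 10), the following added example (not code from the article or from the Let's Encrypt project) generates a port-80 name-based VirtualHost carrying the ServerName the apache plugin matches the -d domain against. The CentOS paths and the www. alias are assumptions for the example:

```shell
#!/bin/bash
# Added example (not from the original article): generate the name-based
# VirtualHost that step 10 says the stock CentOS/RHEL Apache lacks, so the
# Let's Encrypt apache plugin can match the -d domain against a ServerName.
# Paths (CentOS defaults) and the www. alias are assumptions for the example.

# make_vhost DOMAIN DOCROOT -> prints a port-80 VirtualHost block to stdout
make_vhost() {
    local domain="$1" docroot="$2"
    cat <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    ServerAlias www.${domain}
    DocumentRoot ${docroot}
    ErrorLog /var/log/httpd/${domain}-error.log
    CustomLog /var/log/httpd/${domain}-access.log combined
</VirtualHost>
EOF
}

# write_vhost DOMAIN DOCROOT CONF_DIR -> writes CONF_DIR/DOMAIN.conf and prints its path
write_vhost() {
    local domain="$1" docroot="$2" conf_dir="$3"
    local out="${conf_dir}/${domain}.conf"
    mkdir -p "$conf_dir" "$docroot" || return 1
    make_vhost "$domain" "$docroot" > "$out" || return 1
    printf '%s\n' "$out"
}

# has_servername FILE DOMAIN -> succeeds when FILE carries "ServerName DOMAIN"
# (exact match on the value, so a.example.tld does not satisfy example.tld,
# and a ServerAlias entry does not count)
has_servername() {
    awk '$1 == "ServerName" { print $2 }' "$1" | grep -qxF -- "$2"
}

# Usage on a real host, before running letsencrypt-auto --apache -d your_domain.tld:
#   write_vhost your_domain.tld /var/www/your_domain.tld /etc/httpd/conf.d
#   apachectl configtest && systemctl restart httpd
```

Run apachectl configtest and restart httpd after writing the file; the client then offers the new host in its selection prompt instead of falling back to ssl.conf.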

Step 4: Test the Free Let's Encrypt Encryption on Your Domain

13. To test the strength of your domain's SSL/TLS configuration, visit the link below and run the test against your domain.

https://www.ssllabs.com/ssltest/analyze.html

14. If the test reports a series of weaknesses for your domain, you need to fix those security holes promptly.

An overall rating of C means your domain's TLS setup is weak. To fix these issues, open the Apache SSL configuration file and make the following changes:

# vi /etc/httpd/conf.d/ssl.conf

Find the line with the SSLProtocol directive and append -SSLv3 to the end of it, so that the stock CentOS 7 line SSLProtocol all -SSLv2 becomes SSLProtocol all -SSLv2 -SSLv3 (if -SSLv3 is already present, leave the line as it is).

Further down in the file, find the line with SSLCipherSuite, comment it out by putting a # in front of it, and add the following content below it:

SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLOptions +StrictRequire

15. After making all the changes above, save and close the file, then restart the Apache daemon to apply them. Running apachectl configtest first catches a typo before the restart takes the site down.

# systemctl restart httpd.service          [On RHEL/CentOS 7]
# service httpd restart                    [On RHEL/CentOS 6]

16. Now test your domain's encryption status again by visiting the link above. To re-run the test, click the clear cache link on the website.

https://www.ssllabs.com/ssltest/analyze.html 

You should now get an overall A rating, which means your domain's TLS configuration is in good shape. Keep in mind that the cipher list above dates from 2015: it still offers 3DES (DES-CBC3-SHA), and SSLProtocol all -SSLv3 still allows TLS 1.0 and 1.1, both of which current versions of the SSL Labs test penalize. On a current system, drop DES-CBC3-SHA from the list and restrict SSLProtocol to TLSv1.2 (and TLSv1.3 where the OpenSSL build supports it).
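To verify the step 14 edits without waiting on an external scanner, here is an added example (not code from the article) that lints an ssl.conf for the settings the SSL Labs test marks down; it also goes one step beyond the article by flagging the 3DES suite the list above still offers. The sample configurations it writes are constructed for the example, modelled on the stock CentOS 7 file and on the settings above:

```shell
#!/bin/bash
# Added example (not from the original article): a checker for the ssl.conf
# edits of step 14. It reads an Apache SSL config and reports what the SSL Labs
# test would mark down: SSLv3 still negotiable, no server cipher preference,
# weak cipher families (NULL, EXPORT, RC4, MD5) not excluded, and 3DES offered.
# The sample configs are constructed for the example; "default" is modelled on
# the stock CentOS 7 ssl.conf and "hardened" on the article's step 14 settings.

# directive FILE NAME -> value of the last uncommented NAME line (empty if none)
directive() {
    awk -v name="$2" '$1 == name { $1 = ""; sub(/^ +/, ""); val = $0 } END { print val }' "$1"
}

# has_token COLON_LIST TOKEN -> succeeds when TOKEN is an exact member of the list
has_token() {
    case ":$1:" in *":$2:"*) return 0 ;; esac
    return 1
}

# sslv3_enabled "SSLProtocol value" -> succeeds when SSLv3 would be negotiable
sslv3_enabled() {
    local tok list="$1"
    [ -n "$list" ] || list=all   # directive absent: assume the old default of "all"
    for tok in $list; do
        case "$tok" in -SSLv3|-all|-ALL) return 1 ;; esac   # removed explicitly
    done
    for tok in $list; do
        case "$tok" in all|ALL|SSLv3|+SSLv3) return 0 ;; esac   # enabled by "all" or by name
    done
    return 1   # only specific TLS versions were listed
}

# check_ssl_conf FILE -> prints one finding per line; exit status 1 if any
check_ssl_conf() {
    local file="$1" findings=0 req
    local proto cipher order
    proto=$(directive "$file" SSLProtocol)
    cipher=$(directive "$file" SSLCipherSuite)
    order=$(directive "$file" SSLHonorCipherOrder)

    if sslv3_enabled "$proto"; then
        echo "SSLv3 still enabled (SSLProtocol $proto); append -SSLv3"
        findings=$((findings + 1))
    fi
    for req in '!aNULL' '!eNULL' '!EXPORT' '!RC4' '!MD5'; do
        if ! has_token "$cipher" "$req"; then
            echo "SSLCipherSuite does not exclude ${req#!}; add $req"
            findings=$((findings + 1))
        fi
    done
    if has_token "$cipher" DES-CBC3-SHA || has_token "$cipher" 3DES; then
        echo "3DES (DES-CBC3-SHA) still offered; recent SSL Labs versions cap the grade for it"
        findings=$((findings + 1))
    fi
    if [ "$order" != on ]; then
        echo "SSLHonorCipherOrder is not on; clients could pick a weaker suite"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# write_sample KIND FILE -> writes a constructed ssl.conf fragment of the given kind
write_sample() {
    case "$1" in
    default) cat > "$2" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
EOF
    ;;
    hardened) cat > "$2" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
SSLHonorCipherOrder on
SSLOptions +StrictRequire
EOF
    ;;
    strict) cat > "$2" <<'EOF'
SSLEngine on
SSLProtocol TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
SSLHonorCipherOrder on
EOF
    ;;
    esac
}

# Usage on a real host: check_ssl_conf /etc/httpd/conf.d/ssl.conf
```

Against the constructed samples, the stock-like file produces five findings, the article's settings produce one (the 3DES suite), and the stricter variant produces none. The checker only looks at explicit suite names, so it will not see 3DES hidden inside an alias such as HIGH; the scanner still will.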

Step 5: Auto Renew Let's Encrypt Certificates on Apache

17. This beta version of the Let's Encrypt client issues certificates that expire after 90 days. To renew the SSL certificate, you must run the letsencrypt-auto command again before the expiration date, with the same options and flags used to obtain the initial certificate.

An example of renewing the certificate manually is shown below.

# cd /usr/local/letsencrypt
# ./letsencrypt-auto certonly --apache --renew-by-default  -d your_domain.tld

18. To automate this process, create the following bash script, based on the one published on GitHub by erikaheidi, in the /usr/local/bin/ directory (the script is slightly modified to reflect the letsencrypt installation directory).

# vi /usr/local/bin/le-renew-centos

Add the following content to the le-renew-centos file:

#!/bin/bash
# le-renew-centos: renew a Let's Encrypt certificate when it is close to expiry.
# Based on erikaheidi's le-renew script, adapted for the /usr/local/letsencrypt install path.

domain=$1
le_path='/usr/local/letsencrypt'
le_conf='/etc/letsencrypt'
exp_limit=30

# Read the domain list back from the renewal config the client wrote for this certificate
get_domain_list(){
        certdomain=$1
        config_file="$le_conf/renewal/$certdomain.conf"

        if [ ! -f "$config_file" ] ; then
                echo "[ERROR] The config file for the certificate $certdomain was not found."
                exit 1
        fi

        domains=$(grep --only-matching --perl-regex "(?<=domains \= ).*" "${config_file}")
        last_char=$(echo "${domains}" | awk '{print substr($0,length,1)}')

        # Strip a trailing comma so the list can be passed to --domains as-is
        if [ "${last_char}" = "," ]; then
                domains=$(echo "${domains}" |awk '{print substr($0, 1, length-1)}')
        fi

        echo "$domains"
}

if [ -z "$domain" ] ; then
        echo "[ERROR] you must provide the domain name for the certificate renewal."
        exit 1
fi

cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"

if [ ! -f "$cert_file" ]; then
        echo "[ERROR] certificate file not found for domain $domain."
        exit 1
fi

# -enddate prints "notAfter=<date>"; take the value after "=" instead of cutting
# fixed columns out of -text output, which breaks if the field alignment changes
exp=$(date -d "$(openssl x509 -in "$cert_file" -enddate -noout | cut -d= -f2)" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( $exp - $datenow \) / 86400 |bc)

echo "Checking expiration date for $domain..."

if [ "$days_exp" -gt "$exp_limit" ] ; then
        echo "The certificate is up to date, no need for renewal ($days_exp days left)."
        exit 0
else
        echo "The certificate for $domain is about to expire soon. Starting renewal request..."
        domain_list=$( get_domain_list "$domain" )
        # Only restart Apache if the renewal actually succeeded; a failed run must show up in the log
        if ! "$le_path"/letsencrypt-auto certonly --apache --renew-by-default --domains "${domain_list}"; then
                echo "[ERROR] renewal failed for $domain; Apache was not restarted."
                exit 1
        fi
        echo "Restarting Apache..."
        /usr/bin/systemctl restart httpd          # on RHEL/CentOS 6 use: service httpd restart
        echo "Renewal process finished for domain $domain"
        exit 0
fi

19. Make the script executable, install the bc package (the script uses it for the expiry arithmetic), and run the script to test it, passing your domain name as the positional parameter. Issue the commands below to complete this step:

# yum install bc
# chmod +x /usr/local/bin/le-renew-centos
# /usr/local/bin/le-renew-centos your_domain.tld

20. Finally, use cron to schedule the script. The entry below runs it every two months, which, with the script's 30-day threshold, renews the certificate before it expires. Because the script only renews when 30 days or fewer remain, running it more often (weekly, say) is harmless and gives a failed attempt several more chances before the certificate actually expires.

# crontab -e

Add the following line at the bottom of the file.

0 1 1 */2 * /usr/local/bin/le-renew-centos your_domain.tld >> /var/log/your_domain.tld-renew.log 2>&1
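The following added example (not code from the article or from erikaheidi's script) isolates the expiry decision the renewal script makes so it can be checked against a constructed notAfter value and a fixed clock, reads the date with openssl x509 -enddate instead of cutting fixed columns, and restarts Apache only when the renewal command succeeded. The renewal and restart commands in the usage comment are assumptions:

```shell
#!/bin/bash
# Added example (not from the original article): the expiry check behind
# le-renew-centos, restructured so the decision can be exercised against a
# constructed notAfter string and a fixed clock, and so that a failed renewal
# never restarts Apache. It reads the expiry with `openssl x509 -enddate`
# rather than cutting fixed columns out of `-text` output. The renewal command,
# restart command and paths in the usage comment are assumptions.

# notafter_to_epoch "Mar  1 12:00:00 2026 GMT" -> UNIX time (GNU date -d)
notafter_to_epoch() {
    date -u -d "$1" +%s
}

# not_after_epoch CERT_FILE -> expiry of the certificate as UNIX time
not_after_epoch() {
    local raw
    raw=$(openssl x509 -in "$1" -enddate -noout) || return 1   # prints "notAfter=<date>"
    notafter_to_epoch "${raw#notAfter=}"
}

# days_left EXPIRY_EPOCH NOW_EPOCH -> whole days from NOW until EXPIRY
# (zero or negative once the certificate has expired)
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# needs_renewal EXPIRY_EPOCH NOW_EPOCH [LIMIT_DAYS=30] -> succeeds when LIMIT_DAYS or fewer remain
needs_renewal() {
    local limit="${3:-30}"
    [ "$(days_left "$1" "$2")" -le "$limit" ]
}

# renew_domains DOMAIN_LIST RESTART_CMD RENEW_CMD... -> runs "RENEW_CMD... --domains LIST";
# runs RESTART_CMD only when the renewal succeeded, otherwise reports and returns 1
renew_domains() {
    local domain_list="$1" restart_cmd="$2"
    shift 2
    if "$@" --domains "$domain_list"; then
        $restart_cmd
    else
        echo "[ERROR] renewal failed for $domain_list; Apache left untouched" >&2
        return 1
    fi
}

# Usage on a real host (layout as in the article):
#   cert=/etc/letsencrypt/live/your_domain.tld/fullchain.pem
#   if needs_renewal "$(not_after_epoch "$cert")" "$(date +%s)" 30; then
#       renew_domains your_domain.tld "systemctl restart httpd" \
#           /usr/local/letsencrypt/letsencrypt-auto certonly --apache --renew-by-default
#   fi
```

Keeping the clock as a parameter is what makes the threshold testable: with a certificate expiring on 1 March 2026 and the clock fixed at 20 January 2026, 40 days remain, so a 30-day limit does not trigger a renewal while a 40-day limit does.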

That's it! Your Apache server running on CentOS/RHEL is now serving HTTPS content with a free Let's Encrypt SSL certificate.