November 02, 2016

Requesting an SSL certificate for the Lighttpd web server (Let's Encrypt)

1. Add the Debian 8 "Jessie" backports repository

# vim /etc/apt/sources.list
deb http://httpredir.debian.org/debian jessie-backports main contrib non-free

2. Install the letsencrypt package

# apt-get install letsencrypt -t jessie-backports

3. Request the SSL certificate

# letsencrypt certonly --webroot -w /var/www/html -d mydomain.com

4. Combine privkey.pem and cert.pem into ssl.pem

cd /etc/letsencrypt/live/mydomain.com/
cat privkey.pem cert.pem > ssl.pem

(Note) The generated PEM files are stored under /etc/letsencrypt/live/mydomain.com/

5. Enable SSL in lighttpd

# vim /etc/lighttpd/conf-enabled/10-ssl.conf
$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  # ssl.pem is the file built in step 4 (private key followed by certificate)
  ssl.pemfile = "/etc/letsencrypt/live/mydomain.com/ssl.pem"
  ssl.ca-file = "/etc/letsencrypt/live/mydomain.com/fullchain.pem"
  ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"

  ssl.honor-cipher-order = "enable"
  ssl.use-sslv2 = "disable"
  ssl.use-sslv3 = "disable"

  # Using command "openssl dhparam -out dhparam.pem 4096"
  # to generate a prime for Diffie-Hellman key exchange.
  ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
  ssl.ec-curve = "secp384r1"
}

6. Renew the certificate

Certificates issued by Let's Encrypt are valid for only 90 days, so they must be renewed regularly to stay valid. After renewal, ssl.pem has to be rebuilt from the new key and certificate, and lighttpd reloaded so that it picks up the new file.
# letsencrypt renew
# cd /etc/letsencrypt/live/mydomain.com/ && cat privkey.pem cert.pem > ssl.pem
# /etc/init.d/lighttpd force-reload
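The three commands of step 6 as a small renewal hook script, added here as an example (it is not part of the original post). It checks that privkey.pem and cert.pem really contain a key and a certificate, writes ssl.pem with the key first and mode 0600 (the file holds the private key), replaces it atomically so lighttpd never reads a half-written file, and reloads lighttpd only when RUN_HOOK=1 is set. The live directory path and the RUN_HOOK/LIVE_DIR variable names are assumptions of this example.

```shell
#!/bin/sh
# Example renewal hook for lighttpd + Let's Encrypt (not from the original post).
# Run after "letsencrypt renew", e.g. from cron: RUN_HOOK=1 ./rebuild-ssl-pem.sh
set -eu

# Assumed live directory created by letsencrypt (override with LIVE_DIR=...).
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/mydomain.com}"

# pem_has_block FILE MARKER: succeed if FILE contains a "-----BEGIN ...MARKER-----" line
# (matches both "BEGIN PRIVATE KEY" and "BEGIN RSA PRIVATE KEY").
pem_has_block() {
    grep -q -- "-----BEGIN .*$2-----" "$1"
}

# build_ssl_pem DIR: write DIR/ssl.pem = privkey.pem + cert.pem (key first),
# owner-readable only, replaced atomically. Returns 1 if either input is not PEM.
build_ssl_pem() {
    dir="$1"
    pem_has_block "$dir/privkey.pem" "PRIVATE KEY" || {
        echo "refusing: no private key block in $dir/privkey.pem" >&2
        return 1
    }
    pem_has_block "$dir/cert.pem" "CERTIFICATE" || {
        echo "refusing: no certificate block in $dir/cert.pem" >&2
        return 1
    }
    tmp="$dir/ssl.pem.tmp"
    # umask in a subshell so the temp file is created 0600 from the start;
    # the private key must never be group- or world-readable.
    ( umask 077; cat "$dir/privkey.pem" "$dir/cert.pem" > "$tmp" )
    chmod 600 "$tmp"
    mv -f "$tmp" "$dir/ssl.pem"
}

# lighttpd reads ssl.pemfile at start, so a reload is required after rebuilding it.
reload_lighttpd() {
    /etc/init.d/lighttpd force-reload
}

if [ "${RUN_HOOK:-0}" = "1" ]; then
    build_ssl_pem "$LIVE_DIR"
    reload_lighttpd
fi
```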

7. Online SSL testing tools
