1. Add the Debian 8 "Jessie" Backports repository
# vim /etc/apt/sources.list
deb http://httpredir.debian.org/debian jessie-backports main contrib non-free
2. Install the letsencrypt package
# apt-get install certbot
3. Request an SSL certificate
# certbot certonly --webroot -w /var/www/html -d mydomain.com
4. Combine privkey.pem and cert.pem into ssl.pem
# cd /etc/letsencrypt/live/mydomain.com/
# cat privkey.pem cert.pem > ssl.pem
(Note) The generated PEM files are stored under /etc/letsencrypt/live/mydomain.com/
5. Enable SSL in lighttpd
# vim /etc/lighttpd/conf-enabled/10-ssl.conf
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/mydomain.com/ssl.pem"
        ssl.ca-file = "/etc/letsencrypt/live/mydomain.com/fullchain.pem"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
        ssl.honor-cipher-order = "enable"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
        # Use the command "openssl dhparam -out dhparam.pem 4096"
        # to generate a prime for Diffie-Hellman key exchange.
        ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
        ssl.ec-curve = "secp384r1"
    }
6. Renew the certificate
Certificates issued by Let's Encrypt are valid for only 90 days, so they must be renewed regularly to stay valid.
# certbot renew
# cat privkey.pem cert.pem > ssl.pem
(run in /etc/letsencrypt/live/mydomain.com/)
# /etc/init.d/lighttpd force-reload
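
An added example, not from the original post: a shell helper for steps 4 and 6 that rebuilds ssl.pem with owner-only permissions and an atomic rename, then reloads lighttpd. It assumes certbot runs it as a renewal hook (--renew-hook in older releases, --deploy-hook in later ones), which exports RENEWED_LINEAGE; build_ssl_pem is a hypothetical name.

```shell
#!/bin/sh
# Added example: rebuild lighttpd's combined ssl.pem after a renewal.
# build_ssl_pem is a hypothetical helper, not part of certbot or lighttpd.

build_ssl_pem() {
    dir=$1
    key="$dir/privkey.pem"
    cert="$dir/cert.pem"
    out="$dir/ssl.pem"

    # Refuse to build from a missing or empty input: a truncated ssl.pem
    # would stop lighttpd from starting on the next reload.
    [ -s "$key" ] && [ -s "$cert" ] || {
        echo "build_ssl_pem: missing or empty privkey.pem/cert.pem in $dir" >&2
        return 1
    }

    # The combined file holds the private key, so it must be mode 0600.
    # The subshell keeps the umask change local to this function.
    (
        umask 077
        tmp=$(mktemp "$dir/ssl.pem.XXXXXX") || exit 1
        # Write to a temp file, then rename, so lighttpd never reads
        # a half-written ssl.pem.
        if cat "$key" "$cert" > "$tmp" && mv -f "$tmp" "$out"; then
            exit 0
        fi
        rm -f "$tmp"
        exit 1
    )
}

# As a renewal hook, certbot exports RENEWED_LINEAGE: the
# /etc/letsencrypt/live/<name> directory of the renewed certificate.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_ssl_pem "$RENEWED_LINEAGE" && /etc/init.d/lighttpd force-reload
fi
```

If the inputs are missing or empty, the existing ssl.pem is left untouched and lighttpd is not reloaded.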