1. Add the Debian 8 "Jessie" Backports repository
# vim /etc/apt/sources.list
deb http://httpredir.debian.org/debian jessie-backports main contrib non-free
2. Install the letsencrypt package (certbot)
# apt-get install -t jessie-backports certbot
3. Request an SSL certificate
# certbot certonly --webroot -w /var/www/html -d mydomain.com
4. Combine privkey.pem and cert.pem into ssl.pem
# cd /etc/letsencrypt/live/mydomain.com/
# cat privkey.pem cert.pem > ssl.pem
(Note) The generated PEM files are placed under /etc/letsencrypt/live/mydomain.com/
5. Enable SSL in lighttpd
# vim /etc/lighttpd/conf-enabled/10-ssl.conf
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/mydomain.com/ssl.pem"
    ssl.ca-file = "/etc/letsencrypt/live/mydomain.com/fullchain.pem"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
    ssl.honor-cipher-order = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    # Use the command "openssl dhparam -out dhparam.pem 4096"
    # to generate a prime for Diffie-Hellman key exchange.
    ssl.dh-file = "/etc/ssl/certs/dhparam.pem"
    ssl.ec-curve = "secp384r1"
}
From lighttpd 1.4.46 onward mod_openssl is a separate module; install it and use the following configuration instead:
# apt-get install lighttpd-mod-openssl
# minimal configuration
server.modules += ("mod_openssl")
$SERVER["socket"] == ":443" {
    # main site SSL
    ssl.engine = "enable"
    ssl.pemfile = "/path/site1/fullchain.pem"
    ssl.privkey = "/path/site1/privkey.pem"
    # site2, if needed
    $HTTP["host"] == "site2.example.com" {
        ssl.pemfile = "/path/site2/fullchain.pem"
        ssl.privkey = "/path/site2/privkey.pem"
    }
}
6. Renewing the certificate
Certificates issued by Let's Encrypt are valid for only 90 days, so they must be renewed regularly to stay valid.
# certbot renew
# cat privkey.pem cert.pem > ssl.pem (in /etc/letsencrypt/live/mydomain.com/)
# /etc/init.d/lighttpd force-reload
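The concatenation from step 4 has to be repeated after every renewal, and a forgotten rerun leaves lighttpd serving the old certificate even though certbot renewed it. The script below, an added example that is not part of the original post, rebuilds ssl.pem with owner-only permissions and reloads lighttpd only when the combined file actually changed; the function names, the RELOAD_CMD variable and the --run flag are this example's own, and its use as a certbot --renew-hook is an assumption about the certbot version in jessie-backports.

```shell
#!/bin/sh
# Rebuild lighttpd's combined ssl.pem after a certbot renewal and reload
# lighttpd only when the file actually changed. Added example, not from the
# original post; assumes the /etc/letsencrypt/live/<domain>/ layout above.
set -eu

# Reload command; overridable (RELOAD_CMD="echo reloaded" gives a dry run).
RELOAD_CMD="${RELOAD_CMD:-/etc/init.d/lighttpd force-reload}"

# has_pem_block <file> <regex>: succeed when <file> contains the PEM marker.
has_pem_block() {
    grep -q "$2" "$1" 2>/dev/null
}

# build_ssl_pem <live_dir>: write privkey.pem + cert.pem to ssl.pem.
# Prints "changed" or "unchanged"; returns 1 when an input is missing.
build_ssl_pem() {
    live_dir="$1"
    key="$live_dir/privkey.pem"
    cert="$live_dir/cert.pem"
    out="$live_dir/ssl.pem"
    has_pem_block "$key" '^-----BEGIN [A-Z ]*PRIVATE KEY-----' ||
        { echo "no private key in $key" >&2; return 1; }
    has_pem_block "$cert" '^-----BEGIN CERTIFICATE-----' ||
        { echo "no certificate in $cert" >&2; return 1; }
    tmp="$out.tmp.$$"
    # ssl.pem carries the private key: create it owner-readable only.
    (umask 077; cat "$key" "$cert" > "$tmp")
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"
        echo unchanged
    else
        mv -f "$tmp" "$out"   # atomic swap: lighttpd never reads a partial file
        echo changed
    fi
}

# deploy <live_dir>: rebuild ssl.pem and reload lighttpd only if it changed.
deploy() {
    if [ "$(build_ssl_pem "$1")" = changed ]; then
        $RELOAD_CMD
    fi
}

# Invoke from cron after "certbot renew", or as certbot's --renew-hook
# (assumption: the jessie-backports certbot accepts --renew-hook).
if [ "${1:-}" = "--run" ]; then
    deploy "${2:-/etc/letsencrypt/live/mydomain.com}"
fi
```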