环境是:debian7+apache2.2+阿里云免费ssl服务,站点以前的http已经在运行了,
1、开通阿里云免费SSL&DNS解析配置
购买位置:打开阿里云找到“产品”-“安全”-“CA证书服务”-点击“立即购买”;
选择方法:证书类型选择”专业版OV SSL”->”1个域名”->”Symantec”(这里选择完成后上面证书类型出现了“免费型DV SSL”)->证书类型选择”免费型DV SSL”->然后继续购买就可以了;
域名验证类型:一路点击后来到后台中的CA证书服务(也可以自己从阿里后台找),在”进度”栏目中有”补全”,点击”补全”,一直输入一直往下点击,直到有个”域名验证类型”,这里选择DNS。
全部填写完成后等待一会就开通了。
DNS解析配置:紧接上步,开通成功会有要求添加txt的解析记录,解析记录的值也会给你,然后去添加
2、开启Apache的SSL
找到/etc/apache2/mods-enable文件夹,里边有很多模块,打开文件ssl.load:
#LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
去掉#
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
执行命令,必须要执行
a2enmod ssl
apache中开启端口监听:打开/etc/apache2/ports.conf,在Listen 443上面添加NameVirtualHost *:443
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
NameVirtualHost *:443
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
服务器防火墙入口端口添加443
3、上传证书&修改配置文件
去阿里云后台”CA证书服务”中找,找到后解压上传到/etc/apacahe2/ssl/domainname/中(domainname可以是网站名称),目录中有:123456789012345.key,123456789012345.pem,chain.pem,public.pem
打开/etc/apache2/sites-enable文件夹,找到需要配置的网站配置文件,这里我就以domainname.conf为例,很简单就是把原来的VirtualHost复制一下,修改一下端口号,然后添加SSLEngine部分的信息,代码如下:
<VirtualHost *:80>
ServerName domainname.com
ServerAlias domainname.com
DocumentRoot /www/domainname
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /www/domainname/>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName domainname.com443
ServerAlias domainname.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
SSLHonorCipherOrder on
SSLCertificateFile /etc/apache2/ssl/domainname/public.pem
SSLCertificateKeyFile /etc/apache2/ssl/domainname/123456789012345.key
SSLCertificateChainFile /etc/apache2/ssl/domainname/chain.pem
DocumentRoot /www/domainname
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /www/domainname/>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
4、重启apache
service apache2 restart