Before a website can serve SSL, you need to apply for or purchase an SSL certificate; what you receive consists of the following files.
Placing the certificate files
/etc/pki/tls/certs/
root.cer, server.cer, server-chain.cer (an intermediate certificate is not always included)
/etc/pki/tls/private/
privatekey.key
Installing mod_ssl
Check whether mod_ssl is present
If nothing is shown, install it
Editing ssl.conf
# vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/server.cer
SSLCertificateKeyFile /etc/pki/tls/private/privatekey.key
SSLCACertificateFile /etc/pki/tls/certs/root.cer
# add the intermediate certificate when you have one; omit this line otherwise
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.cer
Complete ssl.conf example
Listen 443 https
<VirtualHost _default_:443>
SSLEngine on
DocumentRoot /home/ddns/public_html
ServerName ddnss.tc.edu.tw
<Directory "/home/ddns/public_html">
Options -Indexes
AllowOverride All
Require all granted
</Directory>
SSLCertificateFile /etc/pki/tls/certs/your_certificate.crt
SSLCertificateKeyFile /etc/pki/tls/private/your_private.key
SSLCACertificateFile /etc/pki/tls/certs/your_ca_certificate.crt
# SSLCertificateChainFile /etc/pki/tls/certs/your_cert_chain.crt
</VirtualHost>
SELinux settings
Every certificate file listed above must carry the SELinux type cert_t.
If that type is not set, restarting Apache fails with the error below: the system claims the file does not exist, even though it is right there.
11月 20 00:55:40 example.com httpd[21960]: AH00526: Syntax error on line 102 of /etc/httpd/conf.d/ssl.conf:
11月 20 00:55:40 example.com httpd[21960]: SSLCertificateFile: file '/etc/pki/tls/certs/server.cer' does not exist or is empty
Firewall
Redirecting HTTP to HTTPS
Put this inside your existing port 80 VirtualHost:
<VirtualHost *:80>
...
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Restart Apache
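The checks behind the procedure above, gathered into one script; this is an added example and not the post's own code. It assumes GNU `stat -c %C` for reading the SELinux context, firewalld for the firewall, and the config and certificate paths used in the post; `restorecon` is used because the policy default under /etc/pki/tls is already cert_t.

```bash
#!/bin/bash
# Added example, not from the original post. Audits the files that ssl.conf
# points at for the cert_t SELinux type (the cause of the "does not exist or
# is empty" error shown above) and checks mod_ssl and the firewall rule.
# Assumes GNU stat (-c %C), firewalld, and the paths used in the post.

# Print the paths named by SSLCertificateFile, SSLCertificateKeyFile,
# SSLCACertificateFile and SSLCertificateChainFile in the config text $1.
# Commented-out directives (first field "#") are skipped.
cert_paths_from_conf() {
  printf '%s\n' "$1" | awk '$1 ~ /^SSL(CA)?Certificate(Key|Chain)?File$/ { print $2 }'
}

# Third field of an SELinux context such as "system_u:object_r:cert_t:s0".
selinux_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Print "<type> <path>" for every referenced file; return 1 if any file is
# missing/empty or not labelled cert_t. With "--fix" as $2, run restorecon on
# the offenders: the policy default under /etc/pki/tls is already cert_t, so
# this repairs files that were copied in and kept e.g. user_home_t.
check_ssl_files() {
  conf="${1:-/etc/httpd/conf.d/ssl.conf}"; rc=0
  [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
  for f in $(cert_paths_from_conf "$(cat "$conf")"); do
    if [ ! -s "$f" ]; then echo "MISSING/EMPTY $f"; rc=1; continue; fi
    t=$(selinux_type "$(stat -c %C "$f")")
    echo "$t $f"
    if [ "$t" != "cert_t" ]; then
      rc=1
      [ "${2:-}" = "--fix" ] && restorecon -v "$f"
    fi
  done
  return $rc
}

# The other two steps of the post: mod_ssl loaded, https allowed in firewalld.
preflight() {
  httpd -M 2>/dev/null | grep -q ssl_module || echo "mod_ssl missing: yum install mod_ssl"
  firewall-cmd --query-service=https >/dev/null 2>&1 ||
    echo "https not allowed: firewall-cmd --permanent --add-service=https && firewall-cmd --reload"
}

# Usage: ./sslcheck.sh --check [--fix]   (--fix needs root; host must run SELinux)
if [ "${1:-}" = "--check" ]; then
  preflight
  check_ssl_files /etc/httpd/conf.d/ssl.conf "${2:-}" && echo "all certificate files are cert_t"
fi
```

Run it once before the Apache restart; a file reported with a type other than cert_t is exactly what produces the AH00526 "does not exist or is empty" error quoted above.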
Related links
[Centos7] Self-signed SSL certificate + APACHE + Selinux