[英]Install SSL on Windows Apache
1.我想做什么:
我有一個域example.me,以及一個托管在我的Windows Server上的子域text.example.me。 它使用php 5.6運行Apache
我想使用Let's Encrypt和此工具安裝和SSL證書https://github.com/PKISharp/win-acme
2.問題:
它似乎沒有工作,我在嘗試訪問https://test.example.me時收到以下錯誤
此站點無法提供安全連接
3.到目前為止我做了什么
我遵循了以下每一步: https : //commaster.net/content/how-setup-lets-encrypt-apache-windows
這是我的httpd-ssl.conf的內容
<VirtualHost *:443>
ServerAdmin me@examole.com
ServerName text.example.me
DocumentRoot "D:/xampp/htdocs"
RewriteEngine On
# Redirect to the correct domain name
RewriteCond %{HTTP_HOST} !^test.example.me$ [NC]
RewriteRule ^/?(.*)$ https://test.example.me/$1 [NE,L,R=301]
Alias /.well-known D:/xampp/htdocs/.well-known
SSLEngine on
SSLCertificateFile "conf/ssl.crt/text.example.me-crt.pem"
SSLCertificateKeyFile "conf/ssl.key/test.example.me-key.pem"
SSLCertificateChainFile "conf/ssl.csr/ca-test.example.me-crt.pem"
</VirtualHost>
我的80,443端口是可用的,而不是被Skype使用,所以這不是問題。
這是我的httpd-vhosts.conf的內容
<VirtualHost *:80>
ServerAdmin me@example.me
ServerName test.example.me
RewriteEngine On
# Redirect to the HTTPS site
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*)$ https://test.example.me/$1 [NE,L,R=301]
ErrorLog logs/slog.log
</VirtualHost>
我使用Let's Encrypt幾年 - 但沒有(!)RewriteEngine。
所以這是從我的http-vhosts.conf剪掉的
<VirtualHost *:80>
DocumentRoot "C:/webserver/html/example_html"
ServerName www.example.com
Redirect permanent / https://www.example.com/
# For the case that you are using ModProxy to forward to a Tomcat, please also add:
# ProxyPass "/.well-known/" "!"
</VirtualHost>
從我的httpd-ssl.conf剪斷:
<VirtualHost *:443>
DocumentRoot "C:/webserver/html/example_html"
ServerName www.example.com
Protocols h2 http/1.1
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:SEED-SHA:DHE-RSA-SEED-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLCertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/www.example.com-crt.pem"
SSLCertificateKeyFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/www.example.com-key.pem"
SSLCACertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/ca-www.example.com-crt.pem"
<IfModule headers_module>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always set x-frame-options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
#Header always set Content-Security-Policy "script-src 'self'"
</IfModule>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
#For the case that you use ModProxy to forward to a Tomcat or so
#ProxyPass "/.well-known/" "!"
EnableSendfile off
EnableMMAP off
</VirtualHost>
另外請記住,當您想要使用多個主機名時,您需要一個通配符證書 - 否則,讓Let's Encrypt為每個主機/ domian名稱提供一個證書很簡單 - 但是每個主機/域需要一個虛擬主機部分你正在使用的名字。
最后但並非最不重要的是,我的個人觀點是,在沒有必要時不應該使用ModRewrite,因為它很復雜,並且大多數人都不太了解。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.