SSL Certificate Configuration Guide

Applying for and Configuring a Free SSL Certificate

An SSL certificate gives your website HTTPS encryption, improving both security and SEO ranking.

Let's Encrypt Free Certificate

Install Certbot

# Ubuntu/Debian
apt update
apt install certbot python3-certbot-apache python3-certbot-nginx

# CentOS/AlmaLinux (certbot is provided by the EPEL repository)
yum install certbot python3-certbot-apache python3-certbot-nginx

Apache: automatic configuration

# Obtain the certificate and configure Apache automatically
certbot --apache -d example.com -d www.example.com

# Obtain the certificate only (configure the server manually)
certbot certonly --apache -d example.com -d www.example.com

Nginx: automatic configuration

# Obtain the certificate and configure Nginx automatically
certbot --nginx -d example.com -d www.example.com

# Obtain the certificate only (configure the server manually)
certbot certonly --nginx -d example.com -d www.example.com

Manual validation methods

# webroot validation (certbot writes the challenge file under the existing document root)
certbot certonly --webroot -w /var/www/example.com -d example.com -d www.example.com

# standalone validation (the web server must be stopped, since certbot binds port 80 itself)
systemctl stop apache2  # or nginx
certbot certonly --standalone -d example.com -d www.example.com
systemctl start apache2  # or nginx

Configuring SSL Manually

Apache SSL configuration

# /etc/apache2/sites-available/example.com-ssl.conf
# Requires mod_ssl and mod_headers (a2enmod ssl headers)
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    
    # Security settings: TLS 1.2+ only, AEAD cipher suites with forward secrecy
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on
    
    # HSTS
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>

# Redirect HTTP to HTTPS
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>

Nginx SSL configuration

# /etc/nginx/sites-available/example.com
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    root /var/www/example.com;
    
    # Certificate files (fullchain.pem includes the intermediate certificate)
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    
    # TLS settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    
    # HSTS
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    
    location / {
        try_files $uri $uri/ =404;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
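
The following Python script is an added example, not part of this guide: it audits an nginx server block for the settings shown above (ssl_protocols, ssl_ciphers, a fullchain certificate, and the HSTS max-age) and reports deviations. The two config samples inside it are constructed, and the thresholds (obsolete cipher tokens, a 180-day HSTS minimum) are assumptions of the example rather than values from the guide.

```python
import re
# Added example (not from the guide); both CONFIG samples below are constructed.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # must never be offered
OBSOLETE_CIPHER_TOKENS = ("RC4", "3DES", "DES-", "MD5", "NULL", "EXPORT")
HSTS_RE = re.compile(r'add_header\s+Strict-Transport-Security\s+"([^"]*)"')

def directive(config, name):
    """Value of the first `name ...;` directive in the block, or None if absent."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", config, re.MULTILINE)
    return m.group(1).strip() if m else None

def audit_nginx_tls(config):
    """Return a list of findings; an empty list means the block matches the guide."""
    findings = []
    protos = directive(config, "ssl_protocols")
    weak = WEAK_PROTOCOLS & set((protos or "").split())
    if protos is None:
        findings.append("ssl_protocols not set; nginx defaults may allow TLSv1/TLSv1.1")
    elif weak:
        findings.append("weak protocols enabled: " + ", ".join(sorted(weak)))
    # Exclusion entries such as !aNULL disable ciphers, so only positive entries count.
    enabled = [c for c in (directive(config, "ssl_ciphers") or "").split(":") if c[:1] not in ("!", "-")]
    if any(tok in c for c in enabled for tok in OBSOLETE_CIPHER_TOKENS):
        findings.append("ssl_ciphers includes obsolete or NULL ciphers")
    cert = directive(config, "ssl_certificate") or ""
    if cert and not cert.endswith("fullchain.pem"):
        findings.append("ssl_certificate is not fullchain.pem; intermediate may be missing")
    hsts = HSTS_RE.search(config)
    age = re.search(r"max-age=(\d+)", hsts.group(1)) if hsts else None
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    elif age is None or int(age.group(1)) < 15552000:  # 180 days; the guide uses 2 years
        findings.append("HSTS max-age shorter than 180 days")
    return findings

# Constructed legacy block with the problems the guide tells you to fix.
WEAK_CONFIG = """server {
    ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:RC4-SHA;
}"""

# Constructed block following the guide's Nginx SSL configuration section.
HARDENED_CONFIG = """server {
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}"""
```

Running audit_nginx_tls(WEAK_CONFIG) returns four findings (weak protocols, an RC4 cipher, a certificate without intermediates, and no HSTS), while the hardened block returns none.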

Automatic Certificate Renewal

Set up automatic renewal

# Test the renewal process without changing anything
certbot renew --dry-run

# Add to crontab (skip this if the distro package already installed a certbot systemd timer)
crontab -e

# Check daily and renew when needed
0 12 * * * /usr/bin/certbot renew --quiet

Reload the service after renewal

# Create a deploy hook script; certbot runs it only after a successful renewal
vim /etc/letsencrypt/renewal-hooks/deploy/reload-webserver.sh

#!/bin/bash
systemctl reload apache2  # or nginx

# Make it executable
chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-webserver.sh

Certificate Management

View certificate information

# List all certificates managed by certbot
certbot certificates

# Show certificate details
openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -text -noout

# Check the validity period
openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -dates

Delete a certificate

# Delete a certificate
certbot delete --cert-name example.com

Security Hardening

Generate DH parameters

# Generate strong DH parameters (this takes a while)
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

# Use in Nginx
ssl_dhparam /etc/ssl/certs/dhparam.pem;

OCSP Stapling

# Nginx OCSP configuration
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

Security headers

# Security-related headers
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Certificate Testing

SSL testing tools

# Test the TLS connection
openssl s_client -connect example.com:443 -servername example.com

# Check the certificate chain (-v prints the server certificate and the verification result)
curl -vI https://example.com

Troubleshooting common problems

# Check certificate file permissions
ls -la /etc/letsencrypt/live/example.com/

# Check the web server configuration
nginx -t  # or apache2ctl configtest

# View the error logs
tail -f /var/log/nginx/error.log
tail -f /var/log/apache2/error.log

Multi-Domain Certificates

One certificate for multiple domains

# Request a single certificate covering several domains
certbot --nginx -d example.com -d www.example.com -d blog.example.com -d shop.example.com

Wildcard certificates

# Request a wildcard certificate (requires DNS validation)
certbot certonly --manual --preferred-challenges dns -d example.com -d *.example.com

Commercial SSL Certificates

Certificate types

  • DV certificate: domain validation, suitable for personal websites
  • OV certificate: organization validation, suitable for business websites
  • EV certificate: extended validation, shows a green address bar

Installing a commercial certificate

# Upload the certificate files to the server
# Usually: certificate.crt, private.key, ca_bundle.crt

# Nginx has no separate chain directive: concatenate the server certificate
# and the CA bundle (server certificate first) so clients receive the intermediates
cat certificate.crt ca_bundle.crt > /path/to/fullchain.crt

# Point the web server at the certificate files
ssl_certificate /path/to/fullchain.crt;
ssl_certificate_key /path/to/private.key;