在Windows Apache上安装SSL

Question

在Windows Apache上安装SSL

Joh*_*Doe 6 apache ssl lets-encrypt

1.我想做什么：

我有一个域example.me，以及一个子域text.example.me，该域托管在Windows Server上。它使用php 5.6运行Apache

我想使用Let's Encrypt和此工具https://github.com/PKISharp/win-acme安装和SSL证书

2.问题：

它似乎无法正常工作，尝试访问https://test.example.me时出现以下错误

该网站无法提供安全的连接

3.我到目前为止所做的

我遵循以下步骤进行操作：https : //commaster.net/content/how-setup-lets-encrypt-apache-windows

这是我的httpd-ssl.conf的内容

<VirtualHost *:443> ServerAdmin me@examole.com ServerName text.example.me DocumentRoot "D:/xampp/htdocs" RewriteEngine On # Redirect to the correct domain name RewriteCond %{HTTP_HOST} !^test.example.me$ [NC] RewriteRule ^/?(.*)$ https://test.example.me/$1 [NE,L,R=301] Alias /.well-known D:/xampp/htdocs/.well-known SSLEngine on SSLCertificateFile "conf/ssl.crt/text.example.me-crt.pem" SSLCertificateKeyFile "conf/ssl.key/test.example.me-key.pem" SSLCertificateChainFile "conf/ssl.csr/ca-test.example.me-crt.pem" </VirtualHost>
Run Code Online (Sandbox Code Playgroud)

我的80,443个端口可用，但Skype没有使用它，所以这不是问题。

这是我的httpd-vhosts.conf的内容

<VirtualHost *:80> ServerAdmin me@example.me ServerName test.example.me RewriteEngine On # Redirect to the HTTPS site RewriteCond %{HTTPS} off RewriteRule ^/?(.*)$ https://test.example.me/$1 [NE,L,R=301] ErrorLog logs/slog.log </VirtualHost>
Run Code Online (Sandbox Code Playgroud)

Answer 1

Pow*_*tat 2

我多年来一直在使用Let's Encrypt - 但没有（！）RewriteEngine。

这是我的http-vhosts.conf中的一个片段

<VirtualHost *:80>
  DocumentRoot "C:/webserver/html/example_html"
  ServerName www.example.com
  Redirect permanent / https://www.example.com/
  # For the case that you are using ModProxy to forward to a Tomcat, please also add:
  # ProxyPass "/.well-known/" "!"
</VirtualHost>

Run Code Online (Sandbox Code Playgroud)

从我的httpd-ssl.conf中截取的内容：

<VirtualHost *:443>
  DocumentRoot "C:/webserver/html/example_html"
  ServerName www.example.com
  Protocols h2 http/1.1

  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:SEED-SHA:DHE-RSA-SEED-SHA:!DSS
  SSLHonorCipherOrder on
  SSLCompression off
  SSLCertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/www.example.com-crt.pem"
  SSLCertificateKeyFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/www.example.com-key.pem"
  SSLCACertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/ca-www.example.com-crt.pem"

  <IfModule headers_module>
  Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
  Header always set x-frame-options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-XSS-Protection "1; mode=block"
  #Header always set Content-Security-Policy "script-src 'self'"
  </IfModule>

  BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

  #For the case that you use ModProxy to forward to a Tomcat or so
  #ProxyPass "/.well-known/" "!"

  EnableSendfile off
  EnableMMAP off 
</VirtualHost>

Run Code Online (Sandbox Code Playgroud)

另请记住，当您想要使用多个主机名时，您需要一个通配符证书 - 否则，使用 Let's Encrypt 为每个主机/域名称拥有一个证书很简单 - 但您需要为每个主机/域一个虚拟主机部分您正在使用的名称。

最后但并非最不重要的一点是，我个人的观点是，在没有必要的情况下不应该使用 ModRewrite，因为它很复杂并且大多数人并不能真正理解。

归档时间：	7 年，5 月前
查看次数：	2437 次
最近记录：	6 年，1 月前