Purpose
These days, when security is discussed, an SSL certificate is a necessity. However, SSL certificates have always been expensive. With Let's Encrypt, this has changed: Let's Encrypt lets you generate a free SSL certificate for your domain. In this article, we will walk you through setting up Let's Encrypt with Apache on CentOS 7. Before you begin, make sure you have the following
- SSH access to the server as a non-root user with sudo privileges.
- The DNS records for your domain, including its A record, should point to your server.
Getting Started
Log in to the server with your sudo account. For this setup, we will need the following packages
- httpd - the Apache web server package
- mod_ssl - the module that lets Apache serve encrypted (HTTPS) traffic.
- python-certbot-apache - the Certbot package used to request and install certificates for Apache.
To install these packages, run the following command
sudo yum install httpd mod_ssl python-certbot-apache
You can now start Apache by running
sudo systemctl start httpd
You can stop Apache with
sudo systemctl stop httpd
Requesting a Certificate
In this tutorial, we will use the domain example.org as an example. You should replace it with your own domain.
Generating a certificate from Let's Encrypt is easy and can be done in a few minutes.
If you want to install a single certificate that covers your domain as well as a subdomain, you can start with this command
sudo certbot --apache -d example.org -d abc.example.org
In this case, Let's Encrypt will treat example.org as the base domain and the other names as subdomains. We always recommend passing your base domain as the first argument, because that is the domain the certificate will be generated for.
If you do not want to add a subdomain and only want a certificate for a single domain, you can do that as follows
sudo certbot --apache -d example.org
When you run this command, you will get a step-by-step guide to setting up your certificate. Here is what you will be asked for
- Email - Let's Encrypt will use this address to notify you about lost key recovery and about certificate renewals.
- Virtual host file - if your domain is not specified in a virtual host file, you will be asked to choose your host file
- Enable HTTP/HTTPS or enable secure mode - here Let's Encrypt asks whether you want to keep accepting plain HTTP requests or force all traffic to HTTPS. Forcing all traffic to HTTPS is always the better choice.
When you are done with the installation, you will see a success message
Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.org/fullchain.pem. Your cert will expire on 2017-10-03. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
With that, we have now generated our own certificates.
Securing Apache
The TLS settings shipped with CentOS 7 are a bit dated, which means the default configuration is exposed to recent threats. Let's fix them.
We will open the ssl.conf file (or the Virtual Host file that you selected when generating the certificate) in the nano editor.
sudo nano /etc/httpd/conf.d/ssl.conf
We have to find the following directives - SSLProtocol and SSLCipherSuite - and remove them.
With the file open in the Nano editor, use Ctrl+W to search for the directives above, and delete these lines.
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
We have deleted the obsolete settings, but we still need to bring the file up to date with current recommendations. Fortunately, thanks to this configuration from the Cipherlist site, we can keep up with the latest hardening settings.
Copy the settings from the Apache section on the site, and paste them into your conf file after the **** block
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
#Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
When you are done, press Ctrl + X, and then press Y to save your file.
Restart Apache for your new settings to take effect.
sudo systemctl restart httpd
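As an added check for the settings above (an example script, not part of the original tutorial), this POSIX shell audit reads an ssl.conf and reports which of the directives this guide sets are still missing or at their weak defaults, so you can run it before restarting httpd. The two sample configs it runs against are constructed inline from the lines shown above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit an Apache SSL config
# for the directives this guide changes, before restarting httpd.
# Real use: audit_ssl_conf /etc/httpd/conf.d/ssl.conf (the file the guide edits).

# Drop comments and blank lines so a commented-out directive is not counted.
_directives() { sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"; }

# Lowercased value of the last occurrence of a directive (Apache honours the last one).
_value() { printf '%s\n' "$1" | grep -i "^[[:space:]]*$2[[:space:]]" | tail -n 1 | awk '{print tolower($2)}'; }

# Prints one line per finding; returns the number of findings (0 = hardened).
audit_ssl_conf() {
    d=$(_directives "$1"); n=0
    proto=$(printf '%s\n' "$d" | grep -i '^[[:space:]]*SSLProtocol' | tail -n 1)
    for legacy in SSLv2 SSLv3 TLSv1 TLSv1.1; do    # each must be explicitly disabled
        case " $proto " in
            *" -$legacy "*) ;;
            *) echo "FAIL: SSLProtocol leaves $legacy enabled"; n=$((n+1)) ;;
        esac
    done
    case "$(_value "$d" SSLCipherSuite)" in
        ""|*medium*|*low*) echo "FAIL: SSLCipherSuite unset or allows MEDIUM/LOW ciphers"; n=$((n+1)) ;;
    esac
    for want in "SSLHonorCipherOrder on" "SSLCompression off" "SSLUseStapling on" "SSLSessionTickets off"; do
        name=${want%% *}; have=$(_value "$d" "$name")
        [ "$have" = "${want#* }" ] || { echo "FAIL: $name should be ${want#* } (found ${have:-unset})"; n=$((n+1)); }
    done
    printf '%s\n' "$d" | grep -qi 'Strict-Transport-Security' \
        || { echo "FAIL: no Strict-Transport-Security (HSTS) header"; n=$((n+1)); }
    return $n
}
# Constructed samples: the CentOS 7 default lines and the key lines of the hardened block.
default_conf() { f=$(mktemp); printf 'SSLProtocol all -SSLv2\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA\n' >"$f"; echo "$f"; }
hardened_conf() {
    f=$(mktemp); cat >"$f" <<'EOF'
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
SSLCompression off
SSLUseStapling on
SSLSessionTickets Off
EOF
    echo "$f"
}
for conf in "$(default_conf)" "$(hardened_conf)"; do
    if audit_ssl_conf "$conf"; then echo "$conf: hardened"; else echo "$conf: $? finding(s)"; fi
done
```

The default config produces nine findings (three legacy protocols, the MEDIUM cipher group, four missing directives and the missing HSTS header), while the hardened block produces none.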
Check your Certificates
Now that we are done with all the steps, you can check your certificate by visiting the link below. Note: replace example.org with your base domain
https://www.ssllabs.com/ssltest/analyze.html?d=example.org&latest
If everything is set up properly, you should get an A+ rating, which indicates that your site's certificate and TLS settings are properly configured.
However, it is important to keep your settings file updated as new vulnerabilities are discovered. Check the cipher list on a regular basis to stay up to date with the recommended settings.
With that, we have configured free SSL Certificates using Let's Encrypt and Apache on CentOS 7.

