Discuz! X3.2 实现全站 HTTPS 终极教程 [ - 北美网备份站

一、全站资源 https 化。

1、UCenter地址、本地附件 URL 地址、风格图片地址需全部开启https访问，否则浏览器会出现类似“网站内存在不安全的资源”的警告。如果这部分链接全部是相对链接，则请忽略本项。

若“风格管理”中将“界面基础图片目录 {IMGDIR}”和“扩展图片目录 {STYLEIMGDIR}” 地址设置为 https 开头的绝对链接，需要修复一处BUG，否则会导致这部分风格图片无法显示。

打开 source/function/cache/cache_styles.php ，查找以下三项：

$cssdata = !preg_match('/^http:\/\//i', $data['styleimgdir'])
; U7 B: U* l$ t* P2 N3 @7 @6 Q$cssdata = !preg_match('/^http:\/\//i', $data['imgdir'])# l7 x9 E& s4 ]
$cssdata = !preg_match('/^http:\/\//i', $data['staticurl'])

将其中的 /^http:\/\//i 替换为 /^http/i ，保存覆盖。

注意：修改后，若将来要使用相对链接，需要确保目录不以 http 开头。

2、解决 DiscuzTips 造成的不安全资源提示。

打开 source/plugin/manyou/Service/DiscuzTips.php ，在 echo $jsCode; 前加 // 将其注释掉。

3、百度结构化插件暂不支持 https ，将造成浏览器提示存在不安全资源。暂停使用该插件。

4、使用浏览器的开发者工具逐一排查是否存在其他 http:// 资源（包括图片、JS、CSS的，A链接无影响）。

5、清理用户签名位中的 http:// 图片，清理帖子中存在的外链图片。

二、解决QQ互联登录问题。

截至2015年12月，Discuz的QQ互联仍不支持 https 站点，我们可以进行以下操作，将QQ互联链接调整为 http:// ，QQ互联登录跳转回 http:// 后再在站点内部301到 https:// 页面。

1、考虑到防止屏蔽等因素，建议启用一个独立域名，并在论坛所在服务器新建一个该域名的站点，站点目录中使用软链接链接论坛的以下目录：api config data source static 和以下文件：admin.php api.php connect.php ，即相当于对论坛做一个镜像但仅限于QQ互联相关文件。

2、打开 source/plugin/qqconnect/connect.class.php 文件，将 40-46 行中的：

$_G['siteurl'].'

替换为：

'http://上面创建的专用网址/

3、打开 connect.php 文件，在最前方加入：

if($_SERVER['HTTP_HOST'] != 'www.你的网址.com' || ($_SERVER['HTTP_HOST'] == 'www.你的网址.com' && $_SERVER['SERVER_PORT'] != '443')) {
header('HTTP/1.1 301 Moved Permanently');
header('Location: https://www.你的网址.com'.$_SERVER['REQUEST_URI']);
exit;
}

三、解决后台应用中心无法访问的问题

在第2步基础上，访问第2步中专用域名下的 admin.php 登录后台即可正常进入应用中心。

四、禁止在第2步专用域名下更新缓存（否则前台部分图标地址会使用该域名）。

打开 source/admincp/admincp_tools.php 文件，查找：

	showtips('tools_updatecache_tips');. W  i7 R9 Q# l7 C) e

! q+ x. e+ u7 e! F) \	if($step == 1) {
) ?  q) |1 V. z+ o4 |6 @		cpmsg("<input type=\"checkbox\" name=\"type[]\" value=\"data\" id=\"datacache\" class=\"checkbox\" checked /><label for=\"datacache\">".$lang[tools_updatecache_data]."</label><input type=\"checkbox\" name=\"type[]\" value=\"tpl\" id=\"tplcache\" class=\"checkbox\" checked /><label for=\"tplcache\">".$lang[tools_updatecache_tpl]."</label><input type=\"checkbox\" name=\"type[]\" value=\"blockclass\" id=\"blockclasscache\" class=\"checkbox\" /><label for=\"blockclasscache\">".$lang[tools_updatecache_blockclass].'</label>', 'action=tools&operation=updatecache&step=2', 'form', '', FALSE);

替换为：

	showtips('tools_updatecache_tips');4 q0 ~8 J6 T# }0 d
	echo '<br>';% L+ Z8 B. o0 U( E* q* E: Z7 @

/ k, ~- G7 c6 |( Y0 H	if($step == 1) {
6 t0 z& `! F! o4 z9 N6 A* J4 V: Q		if($_G['siteurl'] == $_G['setting'][siteurl]) {
. {- g2 j. v8 z- ?6 r% B			cpmsg("<input type=\"checkbox\" name=\"type[]\" value=\"data\" id=\"datacache\" class=\"checkbox\" checked /><label for=\"datacache\">".$lang[tools_updatecache_data]."</label><input type=\"checkbox\" name=\"type[]\" value=\"tpl\" id=\"tplcache\" class=\"checkbox\" checked /><label for=\"tplcache\">".$lang[tools_updatecache_tpl]."</label><input type=\"checkbox\" name=\"type[]\" value=\"blockclass\" id=\"blockclasscache\" class=\"checkbox\" /><label for=\"blockclasscache\">".$lang[tools_updatecache_blockclass].'</label>', 'action=tools&operation=updatecache&step=2', 'form', '', FALSE);( J: ?0 i" {3 b
		} else {
- X8 Q8 B- G* I0 m! Q1 M+ G6 @: }			cpmsg('请切换到主域名下更新缓存', '', 'succeed', '', FALSE);

五、http:// 跳转至 https://

打开 source/class/class_core.php 文件，在

set_exception_handler(array('core', 'handleException'));

后面加入：

if($_SERVER['SERVER_PORT'] != '443' && $_SERVER['PHP_SELF'] != '/api/uc.php') {
5 ~" f5 m1 |2 Z! t5 Y	if(!preg_match("/(Zidingyi|Bot|Crawl|Spider|slurp|sohu-search|lycos|robozilla)/i", $_SERVER['HTTP_USER_AGENT'])) {
3 N# h' |  I$ O3 t% T; X; n		header('HTTP/1.1 301 Moved Permanently');& Z9 }/ C# R& X7 I
		header('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);7 q8 U( A2 A# A# m8 p/ `: l
		exit;  n* l) }, T# ]8 r/ {
	} elseif(preg_match("/(Baidu|Google)/i", $_SERVER['HTTP_USER_AGENT'])) {
: K; i6 _# e: X0 T* c		header('HTTP/1.1 403 Forbidden');, o8 @- v5 z! l; W2 i
		exit;
9 E) `' N$ X% @  U* N7 ]+ |0 e5 ~: O/ l	}
0 W. t8 d  R0 _7 m9 M}

说明：当访问端口不为443（即https）时，如果不是搜索引擎则跳转到https页面，否则如果是百度或Google蜘蛛（这两个搜索引擎已支持收录https）则返回403禁止访问，避免重复收录 http 和 https 或优先收录了 http ，其它搜索引擎未定义，正常返回 http 页面（其它搜索引擎可能不支持收录 https ，因此开放 http 给他们）。

以上代码中“Zidingyi”可以任意修改，管理员使用以下UA可以不跳转到https，便于对http版进行调测：
Mozilla/5.0 (compatible; Zidingyi/2015; +http://www.xxx.com)

六、其它问题

解决 Discuz! X3.* “允许发表的域名列表”中的域名在非http协议下失效的问题

BUG描述：在后台/全局/注册与访问控制/访问控制/允许发表的域名列表中添加域名后，该域名只在http协 … 继续阅读解决 Discuz! X3.* “允许发表的域名列表”中的域名在非http协议下失效的问题

Discuz! X3.* 开启SSL后手机版图片链接替换为https地址

应用场景：后台“本地附件 URL 地址”设置为绝对链接（第三方域名、http://）情况下，当论坛应用SSL后 … 继续阅读

解决启用HTTPS后IE6/7下频繁报告“含有不安全的内容”以及“证书名称不一致”的问题

首先检查页面中所有非https链接的附件（图片、JS、CSS等），全部替换为https链接。完成这一步后，在 … 继续阅读

How To Set Up Apache with a Free Signed SSL Certificate on a VPS

Note: You may want to consider using Let's Encrypt instead of the StartSSL.com process below. Let's Encrypt is a new certificate authority that provides a free and easy way of creating SSL/TLS certificates that are trusted in most web browsers. Check out the tutorial to get started: How To Secure Apache with Let's Encrypt on Ubuntu 14.04

Prerequisites

Before we get started, here are the web tools you need for this tutorial:

Google Chrome browser
Apache installed on your VPS (cloud server)
A domain name you own
Access to an email address at that domain, either:
1. postmaster@duable.co
2. hostmaster@duable.co
3. webmaster@duable.co

StartSSL.com offers completely free verified (your users won't have to see those scary red screens saying "this site isn't trusted" anymore) SSL certificates that you can use on your website. This is a great deal as most companies charge $50-$60 for similar services. The free version is a bit tricky to set up, but it's well worth it.

To get started, browse to StartSSL.com and using the toolbar on the left, navigate to StartSSL Products and then to StartSSL™ Free. Choose the link for Control Panel from the top of the page.

Make sure you are using Google Chrome

Choose the Express Signup. option
Enter your personal information, and click continue.
You'll get an email with a verification code inside it shortly. Copy and paste that email into the form on StartSSL's page.
They will review your request for a certificate and then send you an email with the new info. This process might take as long as 6 hours though, so be patient.
Once the email comes, use the link provided and the new authentication code (at the bottom of the email) to continue to the next step.
They will ask you to Generate a private key and you will be provided with the choice of "High" or "Medium" grade. Go ahead and choose "High".
Once your key is ready, click Install.
Chrome will show a popdown that says that the certificate has been succesfully installed to Chrome.

This means your browser is now authenticated with your new certificate and you can log into the StartSSL authentication areas using your new certificate. Now, we need to get a properly formatted certificate set up for use on your VPS. Click on the Control panel link again, and choose the Authenticate option. Chrome will show a popup asking if you want to authenticate and will show the certificate you just installed. Go ahead and authenticate with that certificate to enter the control panel.

You will need to validate your domain name to prove that you own the domain you are setting up a certificate for. Click over to the Validations Wizard in the Control panel and set Type to Domain Name Validation. You'll be prompted to choose from an email at your domain, something like [email]postmaster@yourdomain.com[/email].

Check the email inbox for the email address you selected. You will get yet another verification email at that address, so like before, copy and paste the verification code into the StartSSL website.

Next, go to the Certificates Wizard tab and choose to create a Web Server SSL/TLS Certificate.

Hit continue and then enter in a secure password, leaving the other settings as is.

You will be shown a textbox that contains your private key. Copy and paste the contents into a text editor and save the data into a file called ssl.key.

When you click continue, you will be asked which domain you want to create the certificate for:

Choose your domain and proceed to the next step.

You will be asked what subdomain you want to create a certificate for. In most cases, you want to choose www here, but if you'd like to use a different subdomain with SSL, then enter that here instead:

StartSSL will provide you with your new certificate in a text box, much as it did for the private key:

Again, copy and paste into a text editor, this time saving it as ssl.crt.

You will also need the StartCom Root CA and StartSSL's Class 1 Intermediate Server CA in order to authenticate your website though, so for the final step, go over to the Toolbox pane and choose StartCom CA Certificates:

At this screen, right click and Save As two files:

StartCom Root CA (PEM Encoded) (save to ca.pem)
Class 1 Intermediate Server CA (save to sub.class1.server.ca.pem)

For security reasons, StartSSL encrypts your private key (the ssl.key file), but your web server needs the unencrypted version of it to handle your site's encryption. To unencrypt it, copy it onto your server, and use the following command to decrypt it into the file private.key:

openssl rsa -in ssl.key -out private.key

OpenSSL will ask you for your password, so enter it in the password you typed in on StartSSL's website.

At this point you should have five files. If you're missing any, double-check the previous steps and re-download them:

ca.pem - StartSSL's Root certificate
private.key - The unencrypted version of your private key (be very careful no one else has access to this file!)
sub.class1.server.ca.pem - The intermediate certificate for StartSSL
ssl.key - The encrypted version of your private key (does not need to be copied to server)
ssl.crt - Your new certificate

You can discard the ssl.key file. If you haven't already copied the others onto your server you upload them there now:

scp {ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} YOURSERVER:~ 2 V& L7 R, G8 ]7 S$ L. Z

Activating the certificate in Apache

Having a certificate isn't any good if you can't actually use it. This section explains how to configure Apache to use your new SSL certificate. These instructions are for Apache running on recent versions of Ubuntu VPS. For other Linux-based distros or web servers, you'll have to adjust accordingly.

First, create the folders where we'll store the keys. Enable Apache's SSL module, and restart Apache.

sudo a2enmod ssl5 g  w+ v' c1 V4 |/ ^( j5 d
sudo service apache2 restart
+ a  J+ Z; |' r" N! u' Lsudo mkdir -p /etc/apache2/ssl
# T& [0 y& M* n+ O* Z

Copy the files you set up in the previous section into the /etc/apache2/ssl folder on your VPS.

sudo mkdir -p /etc/apache2/ssl, N' P" L4 G9 H1 z: v
cp ~/{ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} /etc/apache2/ssl
/ a, A' t4 j% @5 s; a! v4 n0 {" W

Execute:

ls /etc/apache2/ssl

And it should return:

ca.pem
" H. Y" f9 z! R% x$ L/ Tssl.crt; {% L+ F- X9 Z& Y& E
private.key2 e' m2 w3 O$ ]7 t
sub.class1.server.ca.pem

Now, open your apache2 configuration file. Unless you've already modified the default configuration, input:

nano /etc/apache2/sites-enabled/000-default

It should look something like this:

<VirtualHost *:80>
1 b5 ^3 [' s# Q& a    ServerAdmin webmaster@localhost
0 F' X. Y! v' K3 Z9 u' b
4 l/ e% l- X# J- P: ~% w" `0 `, \    DocumentRoot /var/www
* {* h1 i% Y/ g, L" B% P    <Directory />
2 S* K/ F: `) [. p4 q        Options FollowSymLinks
2 N/ g$ X  v/ c) ?. M( R5 X; {        AllowOverride None
3 }/ o, f( n1 `6 n' A& w2 N$ v6 R    </Directory>, M  k' x) Q" n( g: s1 D$ B
    <Directory /var/www/>& M* {+ J! u: k5 |- o9 |* _& {
        Options Indexes FollowSymLinks MultiViews
6 n9 |7 U4 E2 o3 h+ m        AllowOverride None! O2 e& s( w2 ~- [/ E
        Order allow,deny. l, X/ G+ s' i. O$ V
        allow from all
$ {) Q6 Q) w2 E% N8 S    </Directory>9 A9 i) a4 N- T/ y# Q/ g6 f
3 A! I8 a7 ~9 L2 J' b4 p8 w8 {. {
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/1 l( O' Y( \/ V
    <Directory "/usr/lib/cgi-bin">0 y* s1 @% M# m
        AllowOverride None
) C$ i; L, h- J; h9 ?4 d# t( O        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch  Z% n8 y! u8 L: Z
        Order allow,deny
6 P/ f0 K7 X" O# I6 V  r        Allow from all% E* d4 P- H; v# l: i3 e
    </Directory>$ L* }3 b( S) l+ w2 h7 ]1 \

% j2 }& f7 x1 ~! N# V0 d2 z7 ~    ErrorLog ${APACHE_LOG_DIR}/error.log5 K9 h3 d& O2 X5 L
9 d/ i  w( y* G5 I4 j: P
    # Possible values include: debug, info, notice, warn, error, crit,1 ?  q, T' C1 K
    # alert, emerg.7 H0 M. E' v5 v* b- e' V, l
    LogLevel warn
/ A  @7 M9 f, _( O3 ?8 x$ W1 v. h" V+ B$ }4 Z8 |% n
    CustomLog ${APACHE_LOG_DIR}/access.log combined
4 ^$ z: f0 J0 b, z
) x# Y0 y' i: H. f( ~$ S# Z) k: h    Alias /doc/ "/usr/share/doc/") A" b: {, z7 I9 ~& G! J6 F
    <Directory "/usr/share/doc/">0 e& L6 [- \6 L6 ^# x* w
        Options Indexes MultiViews FollowSymLinks
) r) Z/ \1 w; l! B9 g& {- H        AllowOverride None7 s: z* @" V8 U
        Order deny,allow, w0 [2 E4 k4 Q* E: V# }
        Deny from all4 v8 g6 f" \3 W  ^) ^  }* d# o
        Allow from 127.0.0.0/255.0.0.0 ::1/128
6 F9 J  W% l! r+ n2 @% @! x; _  L    </Directory>: a' j5 F7 y# i

7 U/ I) x: a, Y; r7 @& F</VirtualHost>
9 s* E9 Q0 ?; k) I

Copy the entire script above (from <VirtualHost *:80> to </VirtualHost>), paste it below the existing one, and change the top line from:

<VirtualHost *:80>

<VirtualHost *:443>

And add the following lines after the <VirtualHost *:443> line:

SSLEngine on                                                                ' s% y& y* U( S6 {0 ]) H
SSLProtocol all -SSLv2                                                      0 m3 @  e! q: [) {
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM                5 C$ u. }' a& l7 }! z& W

) s4 h# \7 e) ~4 R* b- A+ C% M6 N# c4 LSSLCertificateFile /etc/apache2/ssl/ssl.crt                           . c6 D$ G; N& a+ M$ e0 f8 E" z
SSLCertificateKeyFile /etc/apache2/ssl/private.key                        ) d* r& [  [8 F! Z
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem

The end result should look like this:

<VirtualHost *:80>
2 w+ p2 ]' w2 V  z9 o    ServerAdmin webmaster@localhost4 H& Z; ^! `/ T( C5 O' b5 C

* {+ c9 v% \+ I6 M2 y    DocumentRoot /var/www! D4 g$ k+ m+ j$ D* |7 G) T
    <Directory />8 G5 r$ B  Y3 |0 I
        Options FollowSymLinks
& g, s! N+ L' x0 `1 l        AllowOverride None: \+ X* W( y- \) O) o5 d
    </Directory>6 I$ J5 R8 b9 E+ S& K! x* \! L
    <Directory /var/www/>
7 v: h, s, {; z% O' _1 U        Options Indexes FollowSymLinks MultiViews$ |+ P4 \' _( x% C- [
        AllowOverride None
# S% M2 a" r, O. t/ P4 E        Order allow,deny& k& o7 k8 J# ?9 S; e$ p( U- W
        allow from all
& f9 i  k4 N5 c# f+ _7 I, _    </Directory>0 C( q: z: L2 o2 y9 p" R3 p# d$ a

) m% P. F  b2 I* b) x    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
: C" @) ]: L7 [/ p% i9 D: ^    <Directory "/usr/lib/cgi-bin">
) t0 z: {6 i$ i& g8 f        AllowOverride None% g9 J( A% [9 S+ N! V; n! R
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
/ ]  T7 d' C( ]4 p* C0 [) V/ m        Order allow,deny
% l+ S3 b3 v5 ~" m! h- m% [        Allow from all
# ?/ ?& p" }- \& `3 D" P    </Directory>9 K* s$ Y- u! s* w2 o* E" y4 J( y
( ~2 M! H5 i# B% w2 V
    ErrorLog ${APACHE_LOG_DIR}/error.log
# G2 V1 f/ F' d* Y
' |, @. Z1 S% n1 H    # Possible values include: debug, info, notice, warn, error, crit,
: {" P0 g7 u! r' n8 t6 i" f& A    # alert, emerg.
) {( V( z/ M: d6 D6 K5 S' s0 Q    LogLevel warn8 x5 ]1 n! S  t' P& r0 l5 V
- ]+ z- z. w; N
    CustomLog ${APACHE_LOG_DIR}/access.log combined% X% J4 N& i( T. ~3 L2 y3 B3 _% }1 X4 I
- N# j- `! b3 v" l/ e
    Alias /doc/ "/usr/share/doc/"
% |5 j0 }/ l3 ?! o$ z$ a    <Directory "/usr/share/doc/">
* \! j1 ^# O& t+ ~( T0 D4 B' O        Options Indexes MultiViews FollowSymLinks
8 O( E, s+ k. _( h( ~* ]        AllowOverride None+ A; m- Y, }0 x3 w
        Order deny,allow
7 l& p  R) d3 b7 o        Deny from all
( L# m7 P$ h/ m5 ^1 |5 g/ `        Allow from 127.0.0.0/255.0.0.0 ::1/128: ^4 b6 b; ^$ g3 f/ g: w
    </Directory>  {) o5 V% a+ f; Y
* F! j2 g5 h; d: p" ~7 B6 h" E4 w: {
</VirtualHost>
" E2 Q+ J8 W4 F" W' H" T& c
* P5 I" e2 J, T+ L" G) Z<VirtualHost *:443>5 Z. x5 z6 ^4 z! K% r- G
    SSLEngine on                                                                - W+ ?% S/ P' U9 G. R' l* i
    SSLProtocol all -SSLv2                                                      # Z/ J' S% o9 i, p$ m
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM                - z% S$ G$ _( g3 ?

5 U9 ^  d7 R; `. ?# @' ~) _9 G    SSLCertificateFile /etc/apache2/ssl/ssl.crt                           
) \( d$ v. w8 ], U; h    SSLCertificateKeyFile /etc/apache2/ssl/private.key                        
9 h4 O2 n0 m5 N$ W. t& N    SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem 
% P- ]% [( A1 Z9 k, K* m, R5 z    ServerAdmin webmaster@localhost
  F- P% X5 \: a8 k5 j+ Z! m- \6 z8 D9 p
: H. N" h, |7 F6 k0 x8 ]    DocumentRoot /var/www
- A" M1 C! [% d& u2 Y. H7 v    <Directory />
5 E5 [5 Q: ^. K. _        Options FollowSymLinks+ A3 y( [8 h( a- }; Q
        AllowOverride None. E0 t2 O, `- E( e4 P2 S! ?* U
    </Directory>
( R$ j9 g# q6 ~. l4 N; F! f    <Directory /var/www/>1 z  d: ?7 A( J* K( y* U- c
        Options Indexes FollowSymLinks MultiViews2 H4 F5 x' f2 r. V+ c2 Y- z4 ^# X
        AllowOverride None$ [- s9 z2 z% L6 [1 k/ \
        Order allow,deny! K* Z5 `( F  H% m: x5 U
        allow from all9 e7 o+ _. D; b0 x
    </Directory>
7 a: ^2 v6 l& s$ \8 i2 X2 {+ _2 s$ l
0 l- ]8 j$ P& W2 g& r    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/! S+ R6 V/ i; T$ n9 b6 O* f
    <Directory "/usr/lib/cgi-bin">/ ]# ^8 H; Z% b% ]1 S& j
        AllowOverride None
) }* Z: a  F: j* y2 o$ q0 [        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
7 f5 I: g, C9 D$ H& t: k        Order allow,deny. n' c4 O* K! `
        Allow from all' {( `" o, @& {, o* K
    </Directory>' J4 V8 `$ z2 O

/ K* z0 L/ C1 g+ Z    ErrorLog ${APACHE_LOG_DIR}/error.log
% K! N- b9 M: h: t2 J7 z* f" t3 K6 V
    # Possible values include: debug, info, notice, warn, error, crit,! {9 m- ^6 k7 f# j! i
    # alert, emerg.. k0 G9 f" V, s
    LogLevel warn& o1 B# m  H8 j$ Y! `5 |: `' M

( H' A% j6 J2 s1 l5 `; e    CustomLog ${APACHE_LOG_DIR}/access.log combined
) c. z- n8 {3 t, Y5 e  G# |# r
. b8 s4 `& W* Q6 J    Alias /doc/ "/usr/share/doc/"6 Y2 A9 Q9 M5 X8 j
    <Directory "/usr/share/doc/">
: e! {. m" R3 n5 i5 P$ z& x1 C" `        Options Indexes MultiViews FollowSymLinks  ^6 b! m  [6 j1 q' e$ S7 ^1 V2 X* A
        AllowOverride None6 k, i7 \. L( f, |  i
        Order deny,allow3 D% V9 M; u3 p9 S4 H8 L% `
        Deny from all
  r" |  u! _" b( {        Allow from 127.0.0.0/255.0.0.0 ::1/128
: X+ ]: `0 q- _) Z8 [$ e    </Directory>* q8 P1 ]$ I6 g5 P; m

2 G  t6 }; i. R; I% L</VirtualHost>

Save your files and restart Apache with:

sudo service apache2 restart

You can check Apache's log files to see if there are any show stopping errors with this command:

cat /var/log/apache2/error.log0 x" k$ j4 J+ E* ~4 Q+ o/ d3 G

If everything looks good, try accessing your site in your web browser using an HTTPS URL (e.g. https://www.YOURSITE.com). When your site loads, you should see a little green padlock icon next to the URL. Click on it and you should see the following. The connections tab should show that the site's identity has been verified by StartCom.

Congratulations! You are all set!

Reference Links:

Here are some of the other posts I consulted when putting this together. If you run into any problems they might be a source of inspiration on how to fix them:

This tutorial will show you how to set up a TLS/SSL certificate from https://letsencrypt.org/ on an Ubuntu 14.04 server running Apache as a web server. We will also cover how to automate the certificate renewal process using a cron job.

SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.

First, we will download the certbot-auto Let’s Encrypt client from the EFF download site. The client will automatically pull down available updates as necessary after installation.

We can download the certbot-auto Let’s Encrypt client to the /usr/local/sbin directory by typing:

Generating the SSL Certificate for Apache using the certbot-auto Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.

To execute the interactive installation and obtain a certificate that covers only a single domain, run the certbot-auto command with:

If you want to install a single certificate that is valid for multiple domains or subdomains, you can pass them as additional parameters to the command. The first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases:

After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both http and https access or force all requests to redirect to https.

When the installation is finished, you should be able to find the generated certificate files at /etc/letsencrypt/live. You can verify the status of your SSL certificate with the following link (don’t forget to replace example.com with your base domain):

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The certbot-auto Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

Because we recently installed the certificate, the command will only check for the expiration date and print a message informing that the certificate is not due to renewal yet. The output should look similar to this:

Notice that if you created a bundled certificate with multiple domains, only the base domain name will be shown in the output, but the renewal should be valid for all domains included in this certificate.

A practical way to ensure your certificates won’t get outdated is to create a cron job that will periodically execute the automatic renewal command for you. Since the renewal first checks for the expiration date and only executes the renewal if the certificate is less than 30 days away from expiration, it is safe to create a cron job that runs every week or even every day, for instance.

Let's edit the crontab to create a new job that will run the renewal command every week. To edit the crontab for the root user, run:

Save and exit. This will create a new cron job that will execute the letsencrypt-auto renew command every Monday at 2:30 am. The output produced by the command will be piped to a log file located at /var/log/le-renewal.log.

For more information on how to create and schedule cron jobs, you can check our https://www.digitalocean.com/community/tutorials/how-to-use-cron-to-automate-tasks-on-a-vps guide.

One of the most standard ways to run tasks in the background on Linux machines is with cron jobs. They’re useful for scheduling tasks on the VPS and automating different maintenance-related jobs. “Cron” itself is a daemon (or program) that runs in the background. The schedule for the different jobs that are run is in a configuration file called “crontab.”

Almost all distros have a form of cron installed by default. However, if you’re using a system that doesn’t have it installed, you can install it with the following commands:

The syntax for the different jobs we’re going to place in the crontab might look intimidating. It’s actually a very succinct and easy-to-parse if you know how to read it. Every command is broken down into:

The command can be virtually any command you would normally run on the command line. The schedule component of the syntax is broken down into 5 different options for scheduling in the following order:

Here is a list of examples for some common schedules you might encounter while configuring cron.

You can also use different options for each placeholder. To run a command every 15 minutes:

You can use division in your schedule. Instead of listing out 0,15,30,45, you could also use the following:

Notice the “2-6” range. This syntax will run the command between the hours of 2:00am and 6:00am.

The scheduling syntax is incredibly powerful and flexible. You can express just about every possible time imaginable.

Once you’ve settled on a schedule and you know the job you want to run, you’ll have to have a place to put it so your daemon will be able to read it. There are a few different places, but the most common is the user’s crontab. If you’ll recall, this is a file that holds the schedule of jobs cron will run. The files for each user are located at /var/spool/cron/crontab, but they are not supposed to be edited directly. Instead, it's best to use the crontab command.

This will bring up a text editor where you can input your schedule with each job on a new line.

If you’d like to view your crontab, but not edit it, you can use the following command:

If you’re a privileged user, you can edit another user’s by specifying crontab -u <user> -e

For every cron job that gets executed, the user’s email address that’s associated with that user will get emailed the output unless it is directed into a log file or into /dev/null. The email address can be manually specified if you provide a “MAILTO” setting at the top of the crontab. You can also specify the shell you’d like run, the path where to search for the cron binary and the home directory with the following example:

This particular job will output "Run this command every minute." That output will get emailed every minute to the “mailto:example@digitalocean.com” email address I specified. Obviously, that might not be an ideal situation. As mentioned, we can also pipe the output into a log file or into an empty location to prevent getting an email with the output.

If you want to pipe into an empty location, use /dev/null. Here is a PHP script that gets executed and runs in the background.

Restricting access to cron is easy with the /etc/cron.allow and /etc/cron.deny files. In order to allow or deny a user, you just need to place their username in one of these files, depending on the access required. By default, most cron daemons will assume all users have access to cron unless one of these file exists. To deny access to all users and give access to the user tdurden, you would use the following command sequence:

First, we lock out all users by appending "ALL" to the deny file. Then, by appending the username to the allow file, we give the user access to execute cron jobs.

There are several shorthand commands you can use in your crontab file to make administering a little easier. They are essential shortcuts for the equivalent numeric schedule specified:

Note: Not all cron daemons can parse this syntax (particularly older versions), so double-check it works before you rely on it.

To have a job that runs on start up, you would edit your crontab file (crontab -e) and place a line in the file similar to the following:

This particular command would get executed and then emailed out to the user specified in the crontab.