【Question title】: Install SSL on Windows Apache
【Posted】: 2018-09-23 19:07:14
【Question】:

1. What I want to do:

I have a domain, example.me, and a subdomain, text.example.me, hosted on my Windows Server. It runs Apache with PHP 5.6.

I want to install an SSL certificate using Let's Encrypt and this tool: https://github.com/PKISharp/win-acme

2. The problem:

It doesn't seem to work; when I try to open https://test.example.me I get the following error:

This site can't provide a secure connection

3. What I have done so far

I followed every step here: https://commaster.net/content/how-setup-lets-encrypt-apache-windows

Here is the content of my httpd-ssl.conf:
<VirtualHost *:443>
    ServerAdmin me@examole.com
    ServerName text.example.me
    DocumentRoot "D:/xampp/htdocs"

    RewriteEngine On
    # Redirect to the correct domain name
    RewriteCond %{HTTP_HOST} !^test.example.me$ [NC]
    RewriteRule ^/?(.*)$ https://test.example.me/$1 [NE,L,R=301]

    Alias /.well-known D:/xampp/htdocs/.well-known

    SSLEngine on
    SSLCertificateFile "conf/ssl.crt/text.example.me-crt.pem"
    SSLCertificateKeyFile "conf/ssl.key/test.example.me-key.pem"
    SSLCertificateChainFile "conf/ssl.csr/ca-test.example.me-crt.pem"
</VirtualHost>

My ports 80 and 443 are available, and Skype is not using them, so that is not the problem.

Here is the content of my httpd-vhosts.conf:
<VirtualHost *:80>
    ServerAdmin me@example.me
    ServerName test.example.me

    RewriteEngine On
    # Redirect to the HTTPS site
    RewriteCond %{HTTPS} off
    RewriteRule ^/?(.*)$ https://test.example.me/$1 [NE,L,R=301]
    ErrorLog logs/slog.log
</VirtualHost>

【Discussion】:

Tags: apache ssl lets-encrypt


【Answer 1】:

I have been using Let's Encrypt for a couple of years now, but without(!) RewriteEngine.

So here is a snippet from my http-vhosts.conf:
<VirtualHost *:80>
  DocumentRoot "C:/webserver/html/example_html"
  ServerName www.example.com
  Redirect permanent / https://www.example.com/
  # For the case that you are using ModProxy to forward to a Tomcat, please also add:
  # ProxyPass "/.well-known/" "!"
</VirtualHost>

A snippet from my httpd-ssl.conf:

<VirtualHost *:443>
  DocumentRoot "C:/webserver/html/example_html"
  ServerName www.example.com
  Protocols h2 http/1.1

  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:SEED-SHA:DHE-RSA-SEED-SHA:!DSS
  SSLHonorCipherOrder on
  SSLCompression off
  SSLCertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/www.example.com-crt.pem"
  SSLCertificateKeyFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/www.example.com-key.pem"
  SSLCACertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/ca-www.example.com-crt.pem"

  <IfModule headers_module>
  Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
  Header always set x-frame-options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-XSS-Protection "1; mode=block"
  #Header always set Content-Security-Policy "script-src 'self'"
  </IfModule>

  BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

  #For the case that you use ModProxy to forward to a Tomcat or so
  #ProxyPass "/.well-known/" "!"

  EnableSendfile off
  EnableMMAP off
</VirtualHost>

Also keep in mind that when you want to use several host names you need a wildcard certificate; otherwise, with Let's Encrypt it is easy to have one certificate per host/domain name, but you need one virtual host section for every host/domain name you use.

Last but not least, my personal opinion is that ModRewrite should not be used when it isn't needed, because it is complex and most people don't really understand it.

【Discussion】:

  • After all this time I had even forgotten about this question; we no longer use Windows. But your answer is correct.
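The answer's httpd-ssl.conf pins the cipher order with SSLHonorCipherOrder, but the list itself still ends in 3DES, SEED and Camellia suites and in plain-RSA key transport, and `SSLProtocol all -SSLv2 -SSLv3` leaves TLS 1.0 and 1.1 switched on. The script below is an added example, not part of the answer and not mod_ssl code: it audits those two values offline by reading the OpenSSL suite names alone (no OpenSSL build is consulted). ANSWER_CIPHERS is copied from the answer; the classification rules, the assumption about what `all` expands to, and the "hardened" selection are this example's own.

```python
"""Added example (not part of the answer): an offline audit of the answer's
SSLProtocol and SSLCipherSuite values. Suites are classified by their OpenSSL
names alone, so no OpenSSL build is consulted; the classification rules and the
'hardened' selection are this example's own, not mod_ssl's or the answer's."""
from dataclasses import dataclass

ANSWER_PROTOCOL = "all -SSLv2 -SSLv3"
ANSWER_CIPHERS = (  # copied verbatim from the answer's httpd-ssl.conf
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:"
    "CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:"
    "DHE-RSA-CAMELLIA256-SHA:SEED-SHA:DHE-RSA-SEED-SHA:!DSS"
)
# Assumption: 'all' expands to every version the httpd/OpenSSL build supports,
# taken here to be SSLv3 through TLSv1.3 (SSLv2 no longer exists in httpd 2.4).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}


@dataclass(frozen=True)
class Suite:
    name: str
    forward_secret: bool  # ECDHE/DHE key agreement; plain RSA key transport is not
    aead: bool            # GCM, ChaCha20-Poly1305 or CCM rather than CBC + HMAC
    obsolete: str         # why the algorithm itself should no longer be offered, or ""


def classify(name):
    """Classify one OpenSSL cipher-suite name by the components spelled in it."""
    forward_secret = name.startswith(("ECDHE-", "DHE-", "EDH-"))
    aead = any(tag in name for tag in ("GCM", "CHACHA20", "CCM"))
    obsolete = ""
    if "DES-CBC3" in name or "3DES" in name:
        obsolete = "3DES: 64-bit block, Sweet32"
    elif "RC4" in name:
        obsolete = "RC4: broken stream cipher"
    elif "SEED" in name or "CAMELLIA" in name:
        obsolete = "SEED/Camellia: CBC-only, offered by no current browser"
    elif name.endswith("-MD5"):
        obsolete = "MD5 MAC"
    return Suite(name, forward_secret, aead, obsolete)


def audit(cipher_list):
    """Split an SSLCipherSuite value, set aside exclusions and duplicates, classify the rest."""
    suites, seen, duplicates, exclusions = [], set(), [], []
    for token in cipher_list.split(":"):
        if token.startswith(("!", "-")):
            exclusions.append(token.lstrip("!-"))
        elif token in seen:
            duplicates.append(token)
        else:
            seen.add(token)
            suites.append(classify(token))
    return {
        "suites": suites,
        "duplicates": duplicates,
        "exclusions": exclusions,
        "no_forward_secrecy": [s.name for s in suites if not s.forward_secret],
        "obsolete": [(s.name, s.obsolete) for s in suites if s.obsolete],
        # Keep only forward-secret AEAD suites, in the order the list already ranks them.
        "hardened": ":".join(s.name for s in suites if s.forward_secret and s.aead),
    }


def enabled_protocols(value):
    """Expand a mod_ssl SSLProtocol value into the versions it leaves switched on."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else (CANONICAL.get(name.lower()),)
        for proto in filter(None, names):
            (enabled.add if sign == "+" else enabled.discard)(proto)
    return [p for p in ALL_PROTOCOLS if p in enabled]


if __name__ == "__main__":
    print("protocols still enabled:", enabled_protocols(ANSWER_PROTOCOL))
    result = audit(ANSWER_CIPHERS)
    print(len(result["suites"]), "unique suites; duplicates:", result["duplicates"])
    print("no forward secrecy:", result["no_forward_secrecy"])
    print("obsolete:", [name for name, _ in result["obsolete"]])
    print("hardened SSLCipherSuite:", result["hardened"])
```

On the answer's list this reports 33 unique suites (DHE-RSA-CAMELLIA256-SHA is listed twice), nine suites without forward secrecy, seven 3DES/SEED/Camellia suites, and TLS 1.0 through 1.3 still enabled. The "hardened" string is simply the answer's first eight entries; `SSLProtocol -all +TLSv1.2 +TLSv1.3` is the matching protocol setting. Only suites of TLS 1.2 and earlier are governed by this list: in httpd 2.4.36 and later the TLS 1.3 suites are set with a separate `SSLCipherSuite TLSv1.3 ...` line. Check your own client population before cutting anything, and verify the result from outside with `openssl s_client -connect host:443 -servername host`.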