Installing a free SSL certificate using the bitrixvm menu
The easiest way is to use the built-in certificate installation tools:
- Log in to the console as root
- Select item 8. Manage pool web servers
- Then 3. Configure certificates
- And in it, 1. Configure "Let's encrypt" certificate
- First, specify the site identifier in the system, for example default or master
- Next, specify the domain for which you want to sign the certificate
- Finally, enter the email address that will receive notifications from Let's Encrypt
Free Certificate Installation
Updating the system
yum update
Go to the folder /usr/local/sbin
cd /usr/local/sbin
Downloading Certbot
wget https://dl.eff.org/certbot-auto
Make the script executable
chmod a+x certbot-auto
Start obtaining a certificate for nginx
certbot-auto --nginx
If all is well, then we restart nginx
service nginx restart
More detailed manual on Obtaining and installing a free Let's Encrypt SSL certificate on 1C-Bitrix: Virtual machine for nginx
Installing a paid certificate
Take the files site.ru.crt and site.ru.key and put them in the folder /etc/nginx/ssl/
In the file /etc/nginx/bx/conf/ssl.conf, change the paths to the certificate and its key
# If they come here using HTTP, bounce them to the correct scheme
# Nginx internal code used for the plain HTTP requests
# that are sent to HTTPS port to distinguish it from 4XX in a log and an error page redirection.
error_page 497 https://$host$request_uri;
# Increase keepalive connection lifetime
keepalive_timeout 70;
keepalive_requests 150;
# SSL encryption parameters
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/site.ru.crt;
ssl_certificate_key /etc/nginx/ssl/site.ru.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# performance
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
Checking the nginx settings
service nginx configtest
or
nginx -t
If all is well, then we restart nginx
service nginx restart
A very detailed article on Installing ssl-certificate for Bitrix environment bitrix vm
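nginx -t validates syntax and that the certificate and key load, but it does not flag deprecated protocol versions or a private key that other local users can read. The following check for those two points is an added example, not part of the original page or of BitrixVM; the function name audit_ssl_conf and the finding labels are made up for illustration, and the sample files are constructed.

```shell
#!/bin/bash
# Added example: audit an nginx TLS include before "nginx -t" and restart.
# Prints one finding per line; returns 0 only when there are no findings.
audit_ssl_conf() {
    local conf="$1" findings=0 protocols proto key perms

    # Value of the last uncommented ssl_protocols directive.
    protocols=$(awk '$1 == "ssl_protocols" { sub(/;.*/, ""); $1 = ""; v = $0 }
                     END { print v }' "$conf")
    for proto in $protocols; do
        case "$proto" in
            # TLS 1.0 and 1.1 were formally deprecated by RFC 8996.
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "WEAK_PROTOCOL $proto"
                findings=$((findings + 1)) ;;
        esac
    done

    # The private key must exist and be closed to group and others.
    key=$(awk '$1 == "ssl_certificate_key" { sub(/;.*/, "", $2); v = $2 }
               END { print v }' "$conf")
    if [ -z "$key" ]; then
        echo "NO_KEY_DIRECTIVE"; findings=$((findings + 1))
    elif [ ! -f "$key" ]; then
        echo "KEY_MISSING $key"; findings=$((findings + 1))
    else
        # Characters 5-10 of the mode string are the group/other bits;
        # -L follows symlinks such as /etc/letsencrypt/live/*/privkey.pem.
        perms=$(ls -Lld "$key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "KEY_PERMS $key"; findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample: the page's ssl_protocols line and a world-readable key.
demo_dir=$(mktemp -d)
: > "$demo_dir/site.ru.key"; chmod 644 "$demo_dir/site.ru.key"
printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;\nssl_certificate_key %s/site.ru.key;\n' \
    "$demo_dir" > "$demo_dir/ssl.conf"
audit_ssl_conf "$demo_dir/ssl.conf" || echo "resolve the findings above before restarting nginx"
rm -rf "$demo_dir"
```

On the server itself, run it as audit_ssl_conf /etc/nginx/bx/conf/ssl.conf and continue to nginx -t only when it returns 0.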
An alternative way to install LetsEncrypt
Might be useful if the first two don't work
yum install certbot
Getting certificates for the required domain
After applying the command, select Place files in webroot directory (webroot). This is currently the third menu option. Specify the path to the domain's home directory. In bitrixvm, for the default site it is /home/bitrix/www/
Enter your email and agree to the terms of service
Certificate received. You will receive a message with the following content:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.ru/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.ru/privkey.pem
Your cert will expire on YYYY-MM-DD
Save the paths to the certificates, we will need them later
In the site config /etc/nginx/bx/site_avaliable/bx_ext_ssl_domain.ru.conf, set the paths to the new certificates
ssl_certificate /etc/letsencrypt/live/domain.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.ru/privkey.pem;
Reload nginx
nginx -s reload
Certificate installation completed
Free LetsEncrypt certificates are issued for a period of up to 3 months, so it is advisable to add a cron job to renew them automatically. For example, every week
0 0 * * 5 certbot renew > /dev/null 2>&1
When issuing certificates, remember that certbot allows you to issue up to 5 certificates per day, after which a ban follows for several days. Try to complete the setup on the first try
Installing Let’s Encrypt on a site with the Vesta panel
bash script
#!/bin/bash
# How to Install Let’s Encrypt Certificate on VestaCP
USERNAME='username'
DOMAIN='mydomain.com'
# Go to folder
cd /usr/local || exit 1
# Clone git repositories
git clone https://github.com/letsencrypt/letsencrypt.git
git clone https://github.com/interbrite/letsencrypt-vesta.git
git clone https://github.com/certbot/certbot.git
# Create the "webroot" directory where Let’s Encrypt will write the files needed for domain verification.
mkdir -p /etc/letsencrypt/webroot
# Now also symlink the Apache conf file in your Apache conf.d directory.
ln -s /usr/local/letsencrypt-vesta/letsencrypt.conf /etc/httpd/conf.d/letsencrypt.conf
# Symlink letsencrypt-auto and letsencrypt-vesta in /usr/local/bin for easier access.
ln -s /usr/local/letsencrypt/letsencrypt-auto /usr/local/bin/letsencrypt-auto
ln -s /usr/local/letsencrypt-vesta/letsencrypt-vesta /usr/local/bin/letsencrypt-vesta
# Restart server
service httpd restart
# Install at
yum install at
# Command to get the SSL certificate with automatic renewal every 60 days
letsencrypt-vesta -a 60 "$USERNAME" "$DOMAIN"
If you need to install a certificate for a domain and subdomains, then use the following commands
v-add-letsencrypt-user user
v-add-letsencrypt-domain user domain.ru alias.domain.ru