WealthXin.com Server SSL Configuration Summary: Trading Off Stability and Security

By | 27 December 2025

In server operations, SSL configuration is often treated as a one-off task: install the certificate, see the padlock in the browser, done. In real operation, though, SSL involves more than the encryption itself: compatibility, performance, automatic renewal, and how it cooperates with CDNs and reverse proxies. Without a systematic understanding, a configuration may work today yet expose problems the moment software is upgraded or the environment changes.

This article is not an SSL installation tutorial or a command log. It is a structural summary of the SSL configuration of WealthXin.com from the perspective of server security and long-term stable operation. By walking through certificate selection, protocol configuration and operational essentials, it aims to help readers judge which settings are the required baseline and which details determine the system's long-term reliability and maintainability.

1. Installing Let's Encrypt (Certbot)

Install Certbot on Ubuntu:

sudo apt update
sudo apt install certbot


2. Requesting a multi-domain certificate (standalone mode)

For example, requesting both hostnames in one go (in standalone mode certbot answers the validation on port 80 itself, so nothing else may be listening there at that moment):

sudo certbot certonly --standalone --agree-tos --email [email protected] -d www.wealthxin.com -d bbs.wealthxin.com

Certbot writes the files to:

/etc/letsencrypt/live/www.wealthxin.com/
    cert.pem
    chain.pem
    fullchain.pem
    privkey.pem

3. Configuring SSL in XAMPP

Directory layout

Copy the certificate files to:

/opt/lampp/etc/ssl/www.wealthxin.com/

Copy commands:

sudo mkdir -p /opt/lampp/etc/ssl/www.wealthxin.com

sudo cp /etc/letsencrypt/live/www.wealthxin.com/fullchain.pem /opt/lampp/etc/ssl/www.wealthxin.com/fullchain.pem
sudo cp /etc/letsencrypt/live/www.wealthxin.com/privkey.pem /opt/lampp/etc/ssl/www.wealthxin.com/privkey.pem

4. Apache VirtualHost configuration

www.wealthxin.com

HTTP redirect to HTTPS:

<VirtualHost *:80>
    ServerName www.wealthxin.com
    # Send every plain-HTTP request to the HTTPS site; redirecting back to http:// would loop
    Redirect permanent / https://www.wealthxin.com/
    ErrorLog "logs/www.wealthxin.com-error_log"
    CustomLog "logs/www.wealthxin.com-access_log" common
</VirtualHost>

HTTPS:

<VirtualHost *:443>
    ServerName www.wealthxin.com
    DocumentRoot "/opt/lampp/htdocs/wealthxincom"

    SSLEngine on
    SSLCertificateFile "/opt/lampp/etc/ssl/www.wealthxin.com/fullchain.pem"
    SSLCertificateKeyFile "/opt/lampp/etc/ssl/www.wealthxin.com/privkey.pem"

    <Directory "/opt/lampp/htdocs/wealthxincom">
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog "logs/www.wealthxin.com-error_log"
    CustomLog "logs/www.wealthxin.com-access_log" common
</VirtualHost>

bbs.wealthxin.com

HTTP redirect to HTTPS:

<VirtualHost *:80>
    ServerName bbs.wealthxin.com
    Redirect permanent / https://bbs.wealthxin.com/
    ErrorLog "logs/bbs.wealthxin.com-error_log"
    CustomLog "logs/bbs.wealthxin.com-access_log" common
</VirtualHost>

HTTPS:

<VirtualHost *:443>
    ServerName bbs.wealthxin.com
    DocumentRoot "/opt/lampp/htdocs/bbswealthxincom"

    SSLEngine on
    SSLCertificateFile "/opt/lampp/etc/ssl/www.wealthxin.com/fullchain.pem"
    SSLCertificateKeyFile "/opt/lampp/etc/ssl/www.wealthxin.com/privkey.pem"

    <Directory "/opt/lampp/htdocs/bbswealthxincom">
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog "logs/bbs.wealthxin.com-error_log"
    CustomLog "logs/bbs.wealthxin.com-access_log" common
</VirtualHost>

5. Automatic renewal script

Create the renew_ssl.sh script

Command:

sudo nano /usr/local/bin/renew_ssl.sh

Contents:

#!/bin/bash

# The certificate was requested with --standalone, so certbot must bind port 80 itself;
# the hooks stop XAMPP's Apache only while a renewal is actually attempted.
certbot renew --quiet \
    --pre-hook "/opt/lampp/lampp stopapache" \
    --post-hook "/opt/lampp/lampp startapache"

if [ $? -eq 0 ]; then
    # Apache reads the copies under /opt/lampp, not /etc/letsencrypt/live,
    # so refresh them before restarting or the old certificate stays in use.
    cp /etc/letsencrypt/live/www.wealthxin.com/fullchain.pem /opt/lampp/etc/ssl/www.wealthxin.com/fullchain.pem
    cp /etc/letsencrypt/live/www.wealthxin.com/privkey.pem /opt/lampp/etc/ssl/www.wealthxin.com/privkey.pem
    echo "$(date) - Certificates renewed successfully. Restarting XAMPP..." >> /var/log/letsencrypt-renew.log
    /opt/lampp/lampp restart
else
    echo "$(date) - Certbot renew failed." >> /var/log/letsencrypt-renew.log
fi

Make renew_ssl.sh executable:

sudo chmod +x /usr/local/bin/renew_ssl.sh

Configure Cron

Edit the crontab:

sudo crontab -e

Add:

0 2 * * * /usr/local/bin/renew_ssl.sh >> /var/log/letsencrypt-renew.log 2>&1

6. Common check commands

Check the Apache configuration

sudo /opt/lampp/bin/apachectl -t

Test the SSL certificate

openssl s_client -connect www.wealthxin.com:443 -servername www.wealthxin.com -showcerts

View the Cron configuration

sudo crontab -l

Test renewal (dry run)

sudo certbot renew --dry-run
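The script below is an added example and is not part of the original post. It bundles the checks a practitioner would run after the copy step in section 3 and alongside the openssl command above: that the private key under /opt/lampp really belongs to the copied certificate, that the certificate covers both hostnames, that it is not about to expire, and, specific to this setup, that the copy XAMPP's Apache reads is not older than what certbot last wrote to /etc/letsencrypt/live. It needs only openssl and POSIX sh; the LIVE and COPY paths are the ones used on this page, and the function names (cert_key_match, cert_covers, cert_valid_for_days, same_cert, check_deployment) are mine.

```shell
#!/bin/sh
# Added example, not from the original post: offline sanity checks for the
# certificate files copied under /opt/lampp (section 3) plus a staleness check
# against the directory certbot maintains. Requires only openssl and POSIX sh.
# Function names and the check_deployment wrapper are this example's own.

LIVE=/etc/letsencrypt/live/www.wealthxin.com     # written by certbot
COPY=/opt/lampp/etc/ssl/www.wealthxin.com        # read by XAMPP's Apache

# Exit 0 if the certificate's public key matches the private key. Both commands
# print the SubjectPublicKeyInfo in PEM, so the two texts must be identical.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if the certificate's subjectAltName extension lists the given hostname exactly.
cert_covers() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^,[:space:]]*' | grep -qxF "DNS:$2"
}

# Exit 0 if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Exit 0 if two PEM files carry the same leaf certificate (SHA-256 fingerprints equal).
same_cert() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# check_deployment LIVE_DIR COPY_DIR HOST...: prints one line per problem and exits 0
# only when the copy is current, consistent with its key, unexpired and covers every host.
check_deployment() {
    live=$1; copy=$2; shift 2
    rc=0
    same_cert "$live/fullchain.pem" "$copy/fullchain.pem" \
        || { echo "STALE: $copy/fullchain.pem differs from $live (renewal not deployed?)"; rc=1; }
    cert_key_match "$copy/fullchain.pem" "$copy/privkey.pem" \
        || { echo "MISMATCH: $copy/privkey.pem does not belong to $copy/fullchain.pem"; rc=1; }
    cert_valid_for_days "$copy/fullchain.pem" 14 \
        || { echo "EXPIRING: $copy/fullchain.pem expires within 14 days"; rc=1; }
    for host in "$@"; do
        cert_covers "$copy/fullchain.pem" "$host" \
            || { echo "MISSING SAN: $host is not covered by $copy/fullchain.pem"; rc=1; }
    done
    return $rc
}

# Run the checks for the two hostnames on this page when the certbot directory exists.
if [ -d "$LIVE" ]; then
    check_deployment "$LIVE" "$COPY" www.wealthxin.com bbs.wealthxin.com \
        && echo "OK: deployed certificate is current and consistent"
fi
```

Run it as root on the server (for example `sh check_ssl.sh`); it prints one line per finding and exits non-zero when anything is wrong, so it can also be appended to the cron job after renew_ssl.sh. The STALE check is the one that tells you whether a renewal actually reached Apache, which the browser padlock alone does not reveal until the old copy expires.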

Final note: after a day of fiddling I finally got the SSL setup for the WealthXin blog and forum done; so far nothing abnormal has happened, and I am continuing to keep an eye on it. There were many detours during installation, but that was due to my own unfamiliarity, and I repeated things many times; in the end, what it came down to should be the steps and commands above.

The system environment is Ubuntu 24.04 with lampp (XAMPP).