A record of requesting a Let's Encrypt wildcard HTTPS certificate

Published 2018-03-28 · 356 views


Let's Encrypt announced that ACME v2 officially supports wildcard certificates, and that it will keep removing the obstacles to adopting HTTPS on the Web so that every website can easily obtain and manage certificates.

Here is how to add free HTTPS to a site.

[root@LZWP:~#] mkdir /etc/SSL/

[root@LZWP:~#] cd /etc/SSL/

# Create a directory to hold the script
[root@LZWP:/etc/SSL#] wget https://dl.eff.org/certbot-auto

[root@LZWP:/etc/SSL#] chmod u+x certbot-auto

# Download certbot-auto, an automation script, and make it executable
[root@LZWP:/etc/SSL#] ./certbot-auto certonly  -d "*.itwordsweb.com" -d "itwordsweb.com" --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory

Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)

yum 是 /usr/bin/yum

yum 已被哈希 (/usr/bin/yum)

已加载插件:changelog

软件包 gcc-4.8.5-16.el7_4.2.x86_64 已安装并且是最新版本

软件包 augeas-libs-1.4.0-2.el7_4.2.x86_64 已安装并且是最新版本

软件包 1:openssl-1.0.2k-8.el7.x86_64 已安装并且是最新版本

软件包 1:openssl-devel-1.0.2k-8.el7.x86_64 已安装并且是最新版本

软件包 libffi-devel-3.0.13-18.el7.x86_64 已安装并且是最新版本

软件包 redhat-rpm-config-9.1.0-76.el7.centos.noarch 已安装并且是最新版本

软件包 ca-certificates-2017.2.14-71.el7.noarch 已安装并且是最新版本

软件包 python-devel-2.7.5-58.el7.x86_64 已安装并且是最新版本

软件包 python-virtualenv-1.10.1-4.el7.noarch 已安装并且是最新版本

软件包 python-tools-2.7.5-58.el7.x86_64 已安装并且是最新版本

软件包 python2-pip-8.1.2-5.el7.noarch 已安装并且是最新版本

无须任何处理

Creating virtual environment...

Installing Python packages...

# -d lists the hosts the certificate is requested for; for a wildcard enter *.xxx.com (replace with your own domain). --preferred-challenges dns-01 validates domain ownership through DNS. --server is required because Let's Encrypt's ACME v2 endpoint differs from the v1 one.

# The bootstrap step downloads and installs a pile of dependencies, so be patient (in my case they were already installed). If it hangs for a long time at "Installing Python packages..." or reports an error, try editing pip.conf to use a mirror:
[root@LZWP:/etc/SSL#] vim ~/.pip/pip.conf

  [global]
  index-url = http://mirrors.aliyun.com/pypi/simple/

  [install]
  trusted-host=mirrors.aliyun.com

# Note that a plain-http index together with trusted-host disables TLS verification for the packages certbot-auto installs; prefer the mirror's https URL where it offers one.
Installation succeeded.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator manual, Installer None

Enter email address (used for urgent renewal and security notices) (Enter 'c' to

cancel): runfali@outlook.com

# Enter your e-mail address
Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

-------------------------------------------------------------------------------

(A)gree/(C)ancel: A

# Accept the terms of service
Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about EFF and

our work to encrypt the web, protect its users and defend digital rights.

-------------------------------------------------------------------------------

(Y)es/(N)o: Y

# Another confirmation (the EFF mailing-list question)
Obtaining a new certificate

Performing the following challenges:

dns-01 challenge for itwordsweb.com

dns-01 challenge for itwordsweb.com



-------------------------------------------------------------------------------

NOTE: The IP of this machine will be publicly logged as having requested this

certificate. If you're running certbot in manual mode on a machine that is not

your server, please ensure you're okay with that.



Are you OK with your IP being logged?

-------------------------------------------------------------------------------

(Y)es/(N)o: Y

# Confirm again
Please deploy a DNS TXT record under the name

_acme-challenge.itwordsweb.com with the following value:



LXqN99JFAuCGkehV07puIvcM2F8-mG7YLA7hIFDc5rw



Before continuing, verify the record is deployed.

-------------------------------------------------------------------------------

Press Enter to Continue

# Here is the important part: do not press Enter yet. First go to your DNS provider's console and add the TXT record.

See the screenshot: in my case the host record is _acme-challenge and the record value is LXqN99JFAuCGkehV07puIvcM2F8-mG7YLA7hIFDc5rw


Open another Xshell window and check with dig that the TXT record has taken effect.


Press Enter; certbot then prompts for a second TXT record value (the second dns-01 challenge for the same name). Add it and test again that it has taken effect.


Press Enter; this time the prompt indicates success.


[root@LZWP:/etc/SSL#] cd /etc/letsencrypt/live/itwordsweb.com/

[root@LZWP:/etc/letsencrypt/live/itwordsweb.com#] ls

cert.pem  chain.pem  fullchain.pem  privkey.pem  README

# As you can see, the certificate files are in this directory. These are only symlinks; the real files are under /etc/letsencrypt/archive/itwordsweb.com/

My site runs on LNMP, so next I edit the Nginx configuration file.

server {
        listen 80;
        server_name www.itwordsweb.com;
        return 301 https://$server_name$request_uri;
}
# Redirect plain HTTP to HTTPS

server {
        include /usr/local/nginx/conf/rocket-nginx.conf;
        listen 443 ssl;
        listen [::]:443 ssl ipv6only=on;

        ssl_certificate /etc/letsencrypt/live/itwordsweb.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/itwordsweb.com/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/itwordsweb.com/chain.pem;
        # Load the certificate, key and chain

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        # SSL tuning. Note: TLSv1/TLSv1.1 (RFC 8996) and RC4 (RFC 7465) are deprecated;
        # a current deployment would allow TLSv1.2 and later only and drop RC4 from the list.

        server_name www.itwordsweb.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root /data/www/wordpress;
}

# Adapt the configuration above to your own configuration file

# After editing, reload the Nginx configuration and test it!

Finally, set up a scheduled task so the certificate renews automatically.

[root@LZWP:~#] vim /etc/crontab

  0 0 * * 1 root /usr/bin/sh /etc/SSL/certbot-auto renew >> /var/log/le-renew.log 2>&1

# This runs a renewal at 00:00 every Monday and appends the log to /var/log/le-renew.log. Entries in /etc/crontab need the user field (root here) between the schedule and the command; 2>&1 also captures error output in the log.
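Two points above deserve a script: the dig check before pressing Enter in the manual step, and renewal, because certbot's manual authenticator cannot renew unattended unless a --manual-auth-hook publishes the TXT record, so the cron line alone will not renew this certificate. The following POSIX sh snippet is an added example, not from the original post; it polls dig until the expected _acme-challenge value is visible, and the domain, token and resolver it mentions are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: wait until a dns-01 TXT record is
# visible before continuing certbot --manual (or from a --manual-auth-hook).
# Domain, token value and resolver below are constructed placeholders.

# has_txt_value EXPECTED: read `dig +short TXT` output on stdin and succeed
# (exit 0) if any answer equals EXPECTED. dig prints each TXT answer as a
# quoted string on its own line; the wildcard and base-domain challenges share
# the name _acme-challenge.<domain>, so several answers may be present at once.
has_txt_value() {
    expected="$1"
    while IFS= read -r line; do
        value=${line#\"}      # strip the opening quote dig adds
        value=${value%\"}     # ...and the closing one
        [ "x$value" = "x$expected" ] && return 0
    done
    return 1
}

# wait_for_txt NAME EXPECTED [ATTEMPTS] [RESOLVER]: poll until the record is
# served or ATTEMPTS polls (10 s apart) are used up. Pass the zone's
# authoritative server as RESOLVER to avoid stale caches; exit 1 on timeout.
wait_for_txt() {
    name="$1"; expected="$2"; attempts="${3:-18}"; resolver="$4"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if dig +short ${resolver:+"@$resolver"} TXT "$name" | has_txt_value "$expected"; then
            echo "TXT record for $name is live"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "timed out waiting for TXT record $name" >&2
    return 1
}

# Usage (placeholders): as a pre-Enter check, or as the body of a certbot
# --manual-auth-hook, where certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION:
# wait_for_txt "_acme-challenge.example.com" "<token-from-certbot>" 18 ns1.example.com
```

Used as a hook, the script still has to create the record through your DNS provider's API first; this snippet only confirms the record is served before certbot asks Let's Encrypt to validate it.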

Here are two certificate-format conversion commands as well (you may need them when enabling SSL on a CDN):

openssl rsa -in server.pem -out server.key

openssl x509 -in server.pem -out server.crt

As you can see, this site is now using the free HTTPS certificate.
