Let’s Encrypt
Let’s Encrypt is a public, free SSL certificate project that has been widely adopted. It was launched by people from Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organizations, with the main goal of moving the whole web from HTTP to HTTPS; large companies such as Facebook have since begun sponsoring it. Let’s Encrypt has obtained a cross-signature from IdenTrust, which means its certificates are now trusted by the mainstream browsers from Mozilla, Google, Microsoft and Apple. A user only needs to configure the cross-signed chain on the web server; browser clients handle everything else automatically. Let’s Encrypt is simple to install and very convenient to use.
Requesting a certificate
Certificates are requested from Let’s Encrypt via the ACME protocol. ACME standardizes the issuance, renewal and revocation flows and lets the Let’s Encrypt CA operate fully automatically. To request a certificate with ACME you only need a client that supports the protocol; the officially recommended client is Certbot.
Getting Certbot
~]# wget https://dl.eff.org/certbot-auto
Note: Certbot supports ACME v2 from version 0.22.0, and ACME v2 supports wildcard certificates. Official site: https://certbot.eff.org
Requesting a certificate
When a client requests a Let’s Encrypt certificate it must pass a domain-ownership check, proving that the operator controls the domain and is entitled to request a certificate for it. Three validation methods are currently supported:
- dns-01: add a DNS TXT record under the domain
- http-01: place a resource file at an HTTP well-known URL on the web server for the domain
- tls-sni-01: place a resource file at an HTTPS well-known URL on the web server for the domain (Let’s Encrypt has since retired tls-sni-01; use dns-01 or http-01)
With the Certbot client, requesting a certificate is a one-liner:
~]# ./certbot-auto certonly -d "*.jusene.me" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
A wildcard certificate can only be requested with dns-01.
certonly indicates the plugin; Certbot has many plugins, each of which can request a certificate, and you choose one according to your needs.
-d: which hosts to request the certificate for. For a wildcard enter *.xxx.com (replace it with your own domain).
--preferred-challenges dns-01: validate domain ownership via DNS.
--server: the Let’s Encrypt ACME v2 endpoint differs from the v1 one and must be specified explicitly.
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): 710800xxx@qq.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for jusene.me

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.jusene.me with the following value:

l2Eoxl63LQ024bMctozqMX8smRtyOgoEpmRxUGSuomk

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue    # add the TXT record to the domain's DNS now
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/jusene.me/fullchain.pem    # location of the certificate
  Your key file has been saved at:
  /etc/letsencrypt/live/jusene.me/privkey.pem    # location of the private key
  Your cert will expire on 2018-11-03. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot-auto
  again. To non-interactively renew *all* of your certificates, run
  "certbot-auto renew"    # certificates expire after 90 days by default; use this to renew them
- Your account credentials have been saved in your Certbot
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Certbot so
  making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le
Inspecting the certificate files:
~]# tree jusene.me/
jusene.me/
├── cert.pem         # server certificate (Apache)
├── chain.pem        # root and intermediate certificates (Apache)
├── fullchain.pem    # the ssl_certificate file nginx needs
├── privkey.pem      # the certificate's private key
└── README
Verifying the certificate (the live directory is jusene.me, matching the request above):
~]# openssl x509 -in /etc/letsencrypt/live/jusene.me/cert.pem -noout -text
...
    X509v3 Subject Alternative Name:
        DNS:*.jusene.me
...
Configuring the certificate
server {
    # *.jusene.me covers www.jusene.me but not the bare jusene.me; add -d jusene.me to the request if the apex name is needed
    server_name jusene.me www.jusene.me;
    listen 443 ssl http2;
    ssl on;    # deprecated since nginx 1.15; the ssl parameter on listen is sufficient
    ssl_certificate /etc/letsencrypt/live/jusene.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jusene.me/privkey.pem;

    location / {
        proxy_pass https://jusene.github.io;
    }
}
Renewing the certificate
A certificate is only valid for three months by default; Let’s Encrypt sends an email notice 20 days before expiry, and at that point the certificate has to be renewed.
~]# cat /etc/letsencrypt/renewal/jusene.me.conf    # records the basic renewal parameters for this certificate; the authenticator is manual, so we have to authenticate by hand
~]# cat /etc/letsencrypt/renewal/jusene.me.sh
#!/bin/bash
# Certbot runs this script as the --manual-auth-hook and exports CERTBOT_VALIDATION;
# validation only passes when the TXT value of _acme-challenge.jusene.me equals this value
echo "$CERTBOT_VALIDATION" > /tmp/acme
sleep 60    # time to publish the TXT record before Certbot asks the CA to validate
~]# ./certbot-auto renew --manual-auth-hook /etc/letsencrypt/renewal/jusene.me.sh
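Two steps above hinge on the TXT record actually being visible to resolvers: the "Before continuing, verify the record is deployed" prompt in the interactive run, and the renewal hook, which only sleeps 60 seconds and hopes. The following added example (mine, not from the original post and not Certbot code) checks this with the Python standard library alone: it sends a DNS TXT query for _acme-challenge.<domain> and polls until the expected value appears, so it can be run by hand before pressing Enter or used as the --manual-auth-hook, where Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION. The public resolver 1.1.1.1, the 3 s socket timeout and the 600 s / 15 s polling budget are my assumptions.

```python
import os, socket, struct, sys, time
def build_txt_query(name, txid=0x1234):
    # DNS header (RD=1, one question) + QNAME labels + QTYPE=TXT(16), QCLASS=IN(1)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 16, 1)
def _skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1
def parse_txt_records(msg):
    # TXT strings in a DNS response; [] when RCODE != 0 (e.g. NXDOMAIN: record not there yet)
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F: return []
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    records = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 16:  # RDATA is a sequence of <len><chars> strings, concatenated
            p, parts = off, []
            while p < off + rdlen:
                parts.append(msg[p + 1:p + 1 + msg[p]].decode())
                p += 1 + msg[p]
            records.append("".join(parts))
        off += rdlen
    return records
def wait_for_txt(name, expected, server="1.1.1.1", timeout=600, interval=15):
    # Poll the resolver (1.1.1.1 is an assumption) over UDP/53 until `expected` is a TXT value of `name`
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3.0)
        for _ in range(timeout // interval):
            try:
                sock.sendto(build_txt_query(name), (server, 53))
                if expected in parse_txt_records(sock.recv(4096)):
                    return True
            except OSError:  # resolver timeout / unreachable: just retry
                pass
            time.sleep(interval)
    return False  # gave up: the record never became visible

if __name__ == "__main__":  # as a hook Certbot sets the env vars; by hand: <domain> <value>
    domain = os.environ.get("CERTBOT_DOMAIN") or sys.argv[1]
    value = os.environ.get("CERTBOT_VALIDATION") or sys.argv[2]
    sys.exit(0 if wait_for_txt("_acme-challenge." + domain, value) else 1)
```

Publishing the record itself (by hand or through the DNS provider's API) still has to happen before the wait; the script only replaces the blind sleep with a check that the value resolvers see is the one Certbot handed out.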