Jusene's Blog

Getting a Free SSL Certificate from Let's Encrypt

2018/08/05

Let’s Encrypt

Let's Encrypt is a public, free SSL project that has been widely adopted. It was launched by people from Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organizations, with the main goal of moving the whole web from HTTP to HTTPS; large companies such as Facebook have since started sponsoring it. Let's Encrypt has obtained a cross-signature from IdenTrust, which means its certificates are now trusted by the mainstream browsers from Mozilla, Google, Microsoft and Apple. Users only need to configure the cross-signed chain in their web server's certificate chain; browser clients handle everything else automatically. Let's Encrypt is simple to install and very convenient to use.

Requesting a Certificate

Certificates from Let's Encrypt are requested through the ACME protocol. ACME standardizes the issuance, renewal and revocation flows, which is what lets the Let's Encrypt CA operate fully automatically. To request a certificate over ACME you only need a client that supports the protocol; the officially recommended client is Certbot.

Getting Certbot

~]# wget https://dl.eff.org/certbot-auto

Note: Certbot supports ACME v2 from version 0.22.0 onwards, and ACME v2 supports wildcard certificates. Official site: https://cerbot.eff.org

Requesting a Certificate

When requesting a Let's Encrypt certificate, the client has to validate ownership of the domain, proving that the operator controls the domain and is entitled to request a certificate for it. Three validation methods are currently supported:

  • dns-01: add a DNS TXT record for the domain
  • http-01: place an HTTP well-known URL resource file on the domain's web server
  • tls-sni-01: place an HTTPS well-known URL resource file on the domain's web server

With the Certbot client, requesting a certificate is a one-liner:

~]# ./certbot-auto certonly -d "*.jusene.me" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

A wildcard certificate can only be obtained with the dns-01 method.
certonly indicates the plugin; Certbot has many plugins, each of which can obtain a certificate, so pick whichever fits your needs.
-d lists the hosts the certificate is requested for. For a wildcard, enter *.xxx.com (replace it with your own domain).
--preferred-challenges dns-01 validates domain ownership through DNS.
--server: the ACME v2 endpoint differs from the v1 one and must be specified explicitly.

Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): 710800xxx@qq.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for jusene.me

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.jusene.me with the following value:

l2Eoxl63LQ024bMctozqMX8smRtyOgoEpmRxUGSuomk

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue     # add the TXT record to the domain at this point
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/jusene.me/fullchain.pem    # where the certificate is stored
   Your key file has been saved at:
   /etc/letsencrypt/live/jusene.me/privkey.pem      # where the private key is stored
   Your cert will expire on 2018-11-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"                             # certificates expire after 90 days by default; use this to renew
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Viewing the certificate files:

~]# tree jusene.me/
jusene.me/
├── cert.pem # server certificate (for Apache)
├── chain.pem # root and intermediate certificates (for Apache)
├── fullchain.pem # the ssl_certificate file nginx needs
├── privkey.pem # the certificate's private key
└── README

Verifying the certificate:

~]# openssl x509 -in /etc/letsencrypt/live/jusene.me/cert.pem -noout -text
...
X509v3 Subject Alternative Name: 
    DNS:*.jusene.me
...

Configuring the Certificate

server {
    # the wildcard *.jusene.me covers www.jusene.me but not the apex jusene.me;
    # the apex needs its own -d jusene.me in the certbot command
    server_name jusene.me www.jusene.me;
    listen 443 http2 ssl;    # "ssl" here already enables TLS; the separate "ssl on;" directive is deprecated
    ssl_certificate /etc/letsencrypt/live/jusene.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jusene.me/privkey.pem;

    location / {
      proxy_pass https://jusene.github.io;
    }
}
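As an added example (not from the original post), the script below pulls the DNS names out of the same openssl x509 -noout -text output shown above and checks that every server_name in the nginx block is actually covered, applying the one-label wildcard rule, so an apex name like jusene.me or a host under another domain is flagged before nginx starts serving a mismatched certificate; the check_cert function and its arguments are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): check that every nginx server_name
# is covered by the certificate's Subject Alternative Names, parsed from the same
# `openssl x509 -noout -text` output the post inspects. check_cert is assumed.

# Extract the DNS names from `openssl x509 -noout -text` output (stdin), one per line.
sans_from_text() {
  sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# One-label wildcard rule: *.jusene.me covers www.jusene.me, but neither the
# apex jusene.me nor a deeper name such as a.b.jusene.me.
san_covers() {
  local san="$1" host="$2"
  case "$san" in
    \*.*)
      local suffix="${san#\*.}" label="${host%%.*}"
      [ -n "$label" ] && [ "$host" = "$label.$suffix" ] ;;
    *)
      [ "$san" = "$host" ] ;;
  esac
}

# Return 0 if any SAN read from stdin (one per line) covers the host.
host_covered() {
  local host="$1" san
  while IFS= read -r san; do
    san_covers "$san" "$host" && return 0
  done
  return 1
}

# Usage: check_cert /etc/letsencrypt/live/jusene.me/cert.pem www.jusene.me jusene.me
# Prints OK/MISS per name and returns non-zero if any name is uncovered.
check_cert() {
  local cert="$1"; shift
  local sans host rc=0
  sans=$(openssl x509 -in "$cert" -noout -text | sans_from_text)
  for host in "$@"; do
    if printf '%s\n' "$sans" | host_covered "$host"; then
      echo "OK   $host"
    else
      echo "MISS $host (SANs: $(printf '%s' "$sans" | tr '\n' ' '))"; rc=1
    fi
  done
  return "$rc"
}
```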

Renewing the Certificate

A certificate is valid for only three months by default; Let's Encrypt sends an email reminder 20 days before it expires, and at that point the certificate has to be renewed.

~]# cat /etc/letsencrypt/renewal/jusene.me.conf   # records the basic renewal settings for this certificate; the authenticator is manual, so we have to validate by hand
~]# cat /etc/letsencrypt/renewal/jusene.me.sh
#!/bin/bash

echo "$CERTBOT_VALIDATION" > /tmp/acme   # the value of $CERTBOT_VALIDATION must match the TXT record for _acme-challenge.jusene.me for validation to pass
sleep 60
~]# ./certbot-auto renew --manual-auth-hook /etc/letsencrypt/renewal/jusene.me.sh
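The post's renewal hook writes the validation value to a file and then sleeps a fixed 60 seconds, and the interactive run above asks you to "verify the record is deployed" before continuing. The script below is an added example (not from the original post or from Certbot) of a manual-auth-hook that instead polls the _acme-challenge TXT record until the resolvers you name serve the expected value, so renewal only proceeds once validation can succeed; the RESOLVERS variable and its defaults are assumptions, and publishing the record itself is still left to you or your DNS provider's tooling.

```shell
#!/bin/bash
# Added example (not from the original post or from Certbot): a manual-auth-hook
# that waits until the _acme-challenge TXT record actually resolves with the
# value Certbot asked for, instead of sleeping a fixed 60 seconds.
# Assumptions: the record is published by you (or your DNS provider's tooling);
# RESOLVERS (default: two public resolvers) names where to check; dig is installed.

# Return 0 if dig's answer (one quoted TXT string per line) contains the expected value.
txt_matches() {
  local answer="$1" expected="$2"
  printf '%s\n' "$answer" | grep -Fqx "\"$expected\""
}

# Ask one resolver for the TXT record; prints the quoted strings, one per line.
query_txt() {
  local name="$1" resolver="$2"
  dig +short @"$resolver" TXT "$name" 2>/dev/null
}

# Poll every resolver until all of them return the expected value, or give up
# after the timeout (third argument, seconds; default 600).
wait_for_txt() {
  local name="$1" expected="$2" deadline=$(( $(date +%s) + ${3:-600} ))
  local resolvers="${RESOLVERS:-8.8.8.8 1.1.1.1}" ok r
  while [ "$(date +%s)" -lt "$deadline" ]; do
    ok=1
    for r in $resolvers; do
      txt_matches "$(query_txt "$name" "$r")" "$expected" || { ok=0; break; }
    done
    [ "$ok" = 1 ] && return 0
    sleep 15
  done
  echo "TXT record for $name did not show the expected value in time" >&2
  return 1
}

# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION when it runs the hook.
if [ -n "$CERTBOT_VALIDATION" ]; then
  echo "Publish TXT _acme-challenge.$CERTBOT_DOMAIN = $CERTBOT_VALIDATION"
  wait_for_txt "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" || exit 1
fi
```

Point it at the hook slot the post already uses (certbot-auto renew --manual-auth-hook /path/to/this-script.sh); a non-zero exit makes Certbot abort that renewal instead of submitting a challenge that cannot pass.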