Monday, 12 June 2017

Configuring free Let's Encrypt SSL certificates with automatic renewal - Certbot

The approach recommended here should be the simplest one available at the moment.
Let's Encrypt is a free, automated certificate authority, and Certbot is the open-source client that obtains and renews its certificates. It is easy to operate and the barrier to entry is low.
There are plenty of Let's Encrypt deployment guides online; search for them if you are interested.
This post uses Certbot to obtain the HTTPS certificates.


Official site
https://certbot.eff.org/
https://github.com/certbot/certbot


Deployment
This walkthrough uses CentOS as the example; the official site documents many other systems, so look up yours there.

Install certbot. certbot-auto is a wrapper script that installs its own Python dependencies and runs as root, so verify the download before executing it (the EFF publishes a detached GPG signature, certbot-auto.asc, next to the script). Note that the EFF has since retired certbot-auto; on a current system install your distribution's certbot package (or the snap) and substitute certbot for ./certbot-auto in the commands below.
wget https://dl.eff.org/certbot-auto
chmod 755 certbot-auto
./certbot-auto

   
If you see this error:
Failed to find apachectl in PATH: /usr/local/nginx/sbin:/usr/local/php/bin:/usr/local/mysql/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

it means that certbot-auto, run without a subcommand, tried to use the Apache installer plugin. The original fix was to install Apache:
yum -y install httpd httpd-devel
On an nginx server this only adds a second, unused web server to the host. The cleaner fix is to give certbot-auto an explicit subcommand and plugin, such as the certonly --standalone form used in the issuance step below; the Apache plugin is then never consulted.

If you see an error along the lines of:
creating virtualenv failed
the fix is:
on Debian / Ubuntu:
apt-get install python-pip
pip install virtualenv
on CentOS:
yum install python-setuptools && easy_install pip
pip install virtualenv

Point DNS at the server first
Before issuing, every domain you request must resolve to this server, otherwise validation fails. Let's Encrypt checks the HTTP-01 challenge by connecting to port 80 at the address each name resolves to, and with --standalone certbot binds port 80 itself: stop nginx (or anything else listening on port 80) for the duration of the command and start it again afterwards. Confirm each name with dig +short before running certbot, because failed validations are rate-limited.

Then issue the certificate for the names you need.
The command below issues one certificate covering yourdomain.com / www.yourdomain.com / api.yourdomain.com.
To cover more names, append further -d xxxxx.xx arguments:
./certbot-auto certonly --standalone -d yourdomain.com -d www.yourdomain.com -d api.yourdomain.com

(Notice api.yourdomain.com: Let's Encrypt supports subdomains, in fact subdomains of any depth, as Subject Alternative Names of a single certificate. Every listed name is validated separately and the whole request fails if any one of them cannot be reached. The first -d name, yourdomain.com here, becomes the name of the lineage directory under /etc/letsencrypt/live/.)

During the run you are prompted for:
your e-mail address (Let's Encrypt uses it for expiry warnings and account recovery); type it and press Enter;
agreement to the Terms of Service; type Y and press Enter;
whether to share the address with the EFF; this one is optional, answer Y or N and press Enter.

On success the certificates are under /etc/letsencrypt/live/. The run ends with:
...
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.com/privkey.pem
   Your cert will expire on 2017-11-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@default:~# cd /etc/letsencrypt/live/yourdomain.com/
root@default:/etc/letsencrypt/live/yourdomain.com# ls
README cert.pem  chain.pem  fullchain.pem  privkey.pem

root@default:/etc/letsencrypt/live/yourdomain.com#
(fullchain.pem and privkey.pem are the two files the web server needs. fullchain.pem is the leaf certificate followed by the Let's Encrypt intermediate; cert.pem is the leaf alone and would leave clients without the intermediate they need to build a trusted chain. The files under live/ are symlinks to the current versions in /etc/letsencrypt/archive/, so reference the live/ paths and they follow renewals. privkey.pem is restricted to root; keep it that way.)

Automatic renewal
Let's Encrypt certificates are valid for 90 days, so renewal has to be automated. First move the certbot-auto executable to a shared directory on root's PATH, for example /usr/local/bin.
Leaving it under the root home directory also works as long as the permissions are right: cron will execute it as root, so the file must be owned by root and not writable by anyone else.

Manual renewal test
./certbot-auto renew --dry-run
--dry-run runs the whole renewal against Let's Encrypt's staging environment and discards the result, so it exercises the plugin (including the standalone plugin's need for a free port 80) without touching the live certificates or consuming production rate limits.

Automatic renewal with cron
Mind the path: cron runs with a minimal PATH and no meaningful current directory, so ./certbot-auto will not be found. Use the absolute path of the executable moved above. renew only replaces certificates that are within 30 days of expiry, so running it daily or twice daily is cheap; nginx must be reloaded after a renewal or it keeps serving the old certificate until it is restarted:
/usr/local/bin/certbot-auto renew --quiet
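As an added example (not part of the original post, nor of the Certbot project), here is a deploy hook that the cron entry can hand to certbot-auto renew via --deploy-hook. Certbot sets RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS for deploy hooks; the install path /usr/local/bin, the script name reload-nginx.sh and the host-side nginx reload command are assumptions. The hook refuses to reload nginx when the lineage is incomplete, the private key is readable by other users, the key does not match the certificate, or the new certificate is not good for at least 30 days, because reloading nginx with a broken lineage would take the site down rather than renew it.

```sh
#!/bin/sh
# Added example (not from the original post): a "certbot-auto renew --deploy-hook"
# script that sanity-checks the renewed lineage before reloading nginx.
# Assumptions: nginx runs on the host and is on PATH as "nginx"; certbot sets
# RENEWED_LINEAGE and RENEWED_DOMAINS for deploy hooks; certbot-auto lives in
# /usr/local/bin as chosen in the renewal section above.
#
# Suggested root crontab entry (absolute paths only; cron's PATH is minimal):
#   17 3,15 * * * /usr/local/bin/certbot-auto renew --quiet --no-self-upgrade --deploy-hook /usr/local/bin/reload-nginx.sh
set -eu

# check_lineage DIR: DIR must contain fullchain.pem and privkey.pem, and the key
# must not be readable by group or others. Columns 5-10 of "ls -l" are the group
# and other permission bits; -L follows the live/ -> archive/ symlink.
check_lineage() {
    dir=$1
    for f in fullchain.pem privkey.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    mode=$(ls -lL "$dir/privkey.pem" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "privkey.pem is readable by group/others ($mode)" >&2; return 1; }
}

# key_matches_cert DIR: the public key embedded in the leaf certificate must be
# byte-identical (as PEM SubjectPublicKeyInfo) to the one derived from
# privkey.pem. Works for RSA and ECDSA keys. A mismatch would make nginx fail
# to start on the next restart.
key_matches_cert() {
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days DIR DAYS: succeed only if the leaf certificate in
# fullchain.pem does not expire within DAYS. "openssl x509 -checkend" takes
# seconds and exits non-zero when the certificate will have expired by then.
cert_valid_for_days() {
    openssl x509 -in "$1/fullchain.pem" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

main() {
    lineage=${RENEWED_LINEAGE:?set by certbot for --deploy-hook}
    check_lineage "$lineage"
    key_matches_cert "$lineage"
    # A freshly renewed Let's Encrypt certificate is good for 90 days; anything
    # under 30 means the renewal did not really produce a new certificate.
    cert_valid_for_days "$lineage" 30
    nginx -t
    nginx -s reload
    echo "nginx reloaded for ${RENEWED_DOMAINS:-$lineage}"
}

# Only act when certbot invoked us; the functions above can also be sourced
# and run by hand against any /etc/letsencrypt/live/<name> directory.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install the script root-owned with mode 755, like certbot-auto itself, since cron runs it as root. For the dockerized nginx described later on this page, replace the two nginx commands with docker exec some-nginx nginx -t and docker exec some-nginx nginx -s reload; the container otherwise keeps serving the old certificate from the shared volume.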



Configuring the certificate in the web server

We use Nginx as the example.

A configuration along the following lines works. Point nginx at the live/ paths so it follows renewals, and use fullchain.pem rather than cert.pem. Once every page on the host is served over HTTPS, adding a Strict-Transport-Security header is a sensible next step.
server
    {
        # TLS is enabled on the listen directive; the old "ssl on;" directive is
        # deprecated and rejected by recent nginx releases.
        listen 443 ssl;
        # api.yourdomain.com is one of the SANs of the certificate issued above,
        # so the yourdomain.com lineage serves this name as well.
        server_name api.yourdomain.com;
        index index.html index.htm index.php;
        root  /home/wwwroot/api.yourdomain.com/;
        # fullchain.pem (leaf plus intermediate), never cert.pem alone.
        ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996). The TLSv1.3 token needs
        # nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
        ssl_protocols  TLSv1.2 TLSv1.3;
        # Forward-secret AEAD suites only. The original list also allowed 3DES,
        # CAMELLIA and static-RSA suites, which have no place on a new deployment.
        ssl_ciphers   ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers  on;
        ssl_session_cache    shared:SSL:10m;  # optional
        ssl_session_timeout  24h; # optional
        keepalive_timeout 300s; # optional
        # Plain-HTTP requests should be answered by a separate "listen 80" server
        # block for the same names that does "return 301 https://$host$request_uri;".


        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        # Hide dotfiles (.git, .htaccess, .env, ...). This also hides
        # /.well-known/acme-challenge/, which is irrelevant for the standalone
        # plugin used above but would break certbot's webroot plugin; in that
        # case add a "location ^~ /.well-known/acme-challenge/" block before this one.
        location ~ /\.
        {
            deny all;
        }

        access_log  /home/wwwlogs/yourdomain.com.log;
    }
------------------------

Automatic Dockerized SSL certificates from Let's Encrypt

Dockerized certbot.

Obtaining certificates

The container will run certbot against all the domains provided with the environment variable domains.
If -e distinct=true is passed, certbot will be run separately for every listed domain.
docker volume create --name nginx-certs

# docker stop nginx

docker run \
  -v nginx-certs:/etc/letsencrypt \
  -e http_proxy=$http_proxy \
  -e domains="example.com,example.org" \
  -e email="me@example.com" \
  -p 80:80 \
  -p 443:443 \
  --rm pierreprinetti/certbot:latest

# docker start nginx

Renewing certificates

You can put in crontab a call to a script shaped like this one.

With dockerized nginx

Spin your favorite reverse proxy with something like:
docker run \
  --name some-nginx \
  -v nginx-certs:/etc/nginx/certs:ro \
  -p 80:80 \
  -p 443:443 \
  --restart unless-stopped \
  -d nginx:mainline-alpine
Example configuration for example.com in your dockerized nginx:
server {
  # TLS is enabled on the listen directive; "ssl on;" is deprecated and is
  # rejected by current nginx:mainline images.
  listen      443 ssl http2;
  listen      [::]:443 ssl http2;
  server_name example.com;

  ssl_certificate     /etc/nginx/certs/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/nginx/certs/live/example.com/privkey.pem;

  [...]
 
from https://github.com/pierreprinetti/certbot 
