Let’s Encrypt应该一款免费开源的SSL生成程序。操作相对比较容易,使用门槛不高。
本文介绍Certbot 来生成HTTPS证书
官网:
https://certbot.eff.org/
https://github.com/certbot/certbot
部署:
本文演示以Centos为例!官方提供多种系统的配置说明,可以自行查阅。
安装certbot:
wget https://dl.eff.org/certbot-auto
chmod 755 certbot-auto
./certbot-auto
如果出现错误信息:
Failed to find apachectl in PATH: /usr/local/nginx/sbin:/usr/local/php/bin:/usr/local/mysql/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
请执行以下代码安装:
yum -y install httpd httpd-devel
如果出现错误信息:
creating virtualenv failed(大意)
解决办法:
如果是Debian / Ubuntu系统,则
apt-get install python-pip
pip install virtualenv
如果是CentOS,则
yum install python-setuptools && easy_install pip
pip install virtualenv
先解析域名
生成证书前,需要将域名全部解析到相应的服务器上(添加域名的A记录,指向你服务器的ip),否则生成证书会失败。
然后生成(针对具体的域名的)证书:
下面的代码是生成api.yourdomain.com:
./certbot-auto --no-bootstrap certonly -d api.yourdomain.com --standalone
(看到api.yourdomain.com了吗?说明Let’s Encrypt支持二级域名,事实上,支持n级域名。)
(注:如果在运行./certbot-auto --no-bootstrap certonly -d yourdomain.com --standalone 后,遇到错误提示:
problem binding to port 443...
那么请先杀死占用443端口的那个进程:
如果在运行./certbot-auto --no-bootstrap certonly -d yourdomain.com --standalone 后,遇到错误提示:
problem binding to port 80...
那么请先杀死占用80端口的那个进程.
命令执行过程中,
需要填写你的邮箱 ,输入邮箱回车。
同意TOS条款 ,输入 Y 表示同意,回车。
还有一个同意分享邮箱,输入Y 回车。
生成成功,可到目录 /etc/letsencrypt/live/ 查看我们的证书了!最后显示:
...
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yourdomain.com/privkey.pem
Your cert will expire on 2017-11-08. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew --no-bootstrap"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@default:~# cd /etc/letsencrypt/live/yourdomain.com/
root@default:/etc/letsencrypt/live/yourdomain.com# ls
README cert.pem chain.pem fullchain.pem privkey.pem
root@default:/etc/letsencrypt/live/yourdomain.com#
(cert.pem和privkey.pem就是我们所需要的东西)
自动续期
首先我们需要将可执行文件 移动一个公共目录。
如果要放到root目录下,只要处理好权限问题也是可以的。
手动延期:
./certbot-auto renew --no-bootstrap
如果运行./certbot-auto renew --no-bootstrap遇错,那么就针对每一个域名运行一次:
./certbot-auto --no-bootstrap certonly -d yourdomain.com --standalone
------------------------------------------------------------------
letsencrypt 生成泛域名证书 - get wildcard certificates with letsencrypt
letsencrypt 可谓是穷人福音啊,一个 https 证书动辄数千,泛域名就更贵了,而前不久 letsencrypt 支持了泛域名,不过不支持三级泛域名,比如 *.kpromise.top 并不能匹配 cdn.blog.kpromise.top ,但是你可以一个证书同时包含多个泛域名,比如同时包含 *.kpromise.top、*.blog.kpromise.top 等等。本文从安装 letsencrypt 开始,记录我某次证书更新。
安装 letsencrypt
这部分可以参考:https://certbot.eff.org/docs/install.html ,具体也可以参考如下:
使用certbot-auto 生成泛域名
具体命令如下:
这里你可以使用多个 -d 比如
这个问题是由于版本太旧,可通过如下命令解决:
如果出现
接着会要求你添加一条txt解析: _acme-challenge.ssyer.com ,你添加后 通过 dig _acme-challenge.ssyer.com txt 命令查看是否生效,生效后按 enter 即可。
复制证书到阿里云杭州服务器,我写了coyp_letsencrypt 脚本:
然后在杭州的服务器上写了 letsencrypt 脚本:
更新或者生成证书的流程变为了先执行 ./certbot-auto certonly -d *** 生成或更新证书,接着执行 ./coyp_letsencrypt ,接着执行 ./letsencrypt 即可顺利完成啦。
(Let's Encrypt的wildcard证书
Let’s Encrypt 宣布将在 2018 年支持 wildcard SSL 证书的消息时就一阵兴奋,虽然后来跳票了一次,但最终还是于前段时间正式支持了。本文将使用 acme.sh 这个小工具来体验下此项特性。
签发证书
Let’s Encrypt 使用 ACME 协议验证域名的归属,官方证书签发工具是 Certbot 。除了官方工具,还有许多第三方工具,原理都大同小异,但有些第三方工具的功能更具有可玩性。本文一直使用 acme.sh 来签发证书,此次的 wildcard 证书签发也不例外。首先安装 amce.sh :
curl https://get.acme.sh | sh
由于 CloudXNS 的政策问题,本站目前暂使用域名提供商 namesilo 的 DNS 服务。acme.sh 需要借助 dns_lexicon 来调用 namesilo 的 API 进行域名验证。安装 dns_lexicon :
pip install dns-lexicon
在 https://www.namesilo.com/account_api.php 申请 token 后,编辑 acme.sh 的目录中的 account.conf ,追加如下内容:
1 2 |
PROVIDER=namesilo
LEXICON_NAMESILO_TOKEN=#{Applied from namesilo} |
随后即可申请签发证书。在 Let’s Encrypt 的 wildcard SSL 证书出现前,我的签发证书命令是这样的:
|
|
而现在,命令可以简化如下:
|
|
可以说大大精简了签发多域名证书的成本。另一方面,由于 Let’s Encrypt 对签发失败的次数有明确的限制(https://letsencrypt.org/docs/rate-limits),在过去,如果因为配置问题导致续签任务执行失败,在签发域名过多的情况下是有可能达到签发频率上限造成一周内无法再次签发证书从而影响网站访问的。而在其 wildcard 证书出现后,这一问题终于得以缓解。
Let’s Encrypt 的证书每 3 个月需要续签一次,除了可以使用 amce.sh 自身的 cron 定时任务进行处理外,我们还可以手动设定 cron 命令,以满足如同时签发 ecc 证书等定制化需求。示例如下:
|
|
Tips:
- 对于 ecc 证书,只需在首次签发时加上
-k ec-256参数、在续签时加上--ecc参数即可。 - 注意,如果你不确定是否配置正确,请在命令中添加
--staging标识出此次签发申请为测试申请,以免在测试阶段就达到了签发频率上限。
效果
Chrome 上可以看到证书已经加上了 wildcard 的 DNS 项.配置网站的证书,
我们以Nginx为例!
可参考以下配置哦~~
server
{
listen 443 ssl;
server_name api.yourdomain.com;
index index.html index.htm index.php;
root /home/wwwroot/api.cnsecer.com/;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #可不要
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;#可不要
ssl_prefer_server_ciphers on; #可不要
ssl_session_cache shared:SSL:10m; #可不要
ssl_session_timeout 24h; #可不要
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /\.
{
deny all;
}
access_log /home/wwwlogs/yourdomain.com.log;
}
------------------------
如何获取Let's Encrypt的免费SSL证书
Let's Encrypt是国外一个公共的免费SSL项目,由 Linux 基金会托管,它的来头不小,由Mozilla、思科、Akamai、IdenTrust和EFF等组织发起,目的就是向网站自动签发和管理免费证书,以便加速互联网由HTTP过渡到HTTPS,目前Facebook等大公司开始加入赞助行列。
Let's Encrypt已经得了 IdenTrust 的交叉签名,这意味着其证书现在已经可以被Mozilla、Google、Microsoft和Apple等主流的浏览器所信任,你只需要在Web 服务器证书链中配置交叉签名,浏览器客户端会自动处理好其它的一切,Let's Encrypt安装简单,未来大规模采用可能性非常大。
Let's Encrypt虽然还在测试当中,但是市场需求非常大,已经有非常多的朋友迫不及待地安装并用上了Let's Encrypt。Let's Encrypt向广大的网站提供免费SSL证书,不管是对于网站站长、互联网用户,还是对整个Web互联网,都是非常有利的,它有利于整个互联网的安全。
本篇文章就来为大家讲解一下如何获取Let's Encrypt免费SSL证书.
一、 安装Let's Encrypt免费SSL准备
1、Let's Encrypt官网:
1、官方网站:https://letsencrypt.org/
2、项目主页:https://github.com/letsencrypt/letsencrypt
2、安装Let's Encrypt脚本依赖环境:(这一部分可以跳过,因为官方提供的Let's Encrypt脚本会自动检测并安装)
# Debian
apt-get install git
# CentOS 6
yum install centos-release-SCL && yum update
yum install python27
scl enable python27 bash
yum install python27-python-devel python27-python-setuptools python27-python-tools python27-python-virtualenv
yum install augeas-libs dialog gcc libffi-devel openssl-devel python-devel
yum install python-argparse
# CentOS 7
yum install -y git python27
yum install -y augeas-libs dialog gcc libffi-devel openssl-devel python-devel
yum install python-argparse
3、查看自己的VPS主机到底是安装了哪个操作系统版本,可以执行命令:cat /etc/issue 或者 cat /etc/redhat-release。
二、获取Let's Encrypt免费SSL证书
1、获取Let's Encrypt免费SSL证书很简单,你只需要执行以下命令,就会自动在你的VPS上生成SSL证书和私钥。
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto
2、经过部落测试,上述代码对于Debian系统支持最好,可以完成自动检测并安装相应的软件。如果你是使用其它的Linux系统,Redhat或CentOS 6可能需要配置EPEL软件源,Python需要2.7版本以上。
3、执行上述命令后,会弹出对话框,同意用户协议。
4、接着会提示让你关闭Nginx或者Apache。
5、Let's Encrypt需要用到80和443端口,所以你需要关闭那些占用这两个端口的应用。
6、当你看以下内容时,就表明你的Let's Encrypt免费SSL证书获取成功了。
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/urdomain.com/fullchain.pem. Your cert will
expire on 2016-03-09. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
- If like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
三、利用脚本快速获取Let's Encrypt SSL证书
1、嫌上面的麻烦,不妨来试试利用脚本快速获取Let's Encrypt SSL证书,调用 acme_tiny.py 认证、获取、更新证书,不需要额外的依赖。
1、项目主页:https://github.com/xdtianyu/scripts/tree/master/lets-encrypt
2、下载到本地:
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.conf
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.sh
chmod +x letsencrypt.sh
3、配置文件。只需要修改 DOMAIN_KEY DOMAIN_DIR DOMAINS 为你自己的信息
ACCOUNT_KEY="letsencrypt-account.key"
DOMAIN_KEY="urdomain.com.key"
DOMAIN_DIR="/var/www/urdomain.com"
DOMAINS="DNS:urdomain.com,DNS:www.urdomain.com"
4、本脚本在Debian下运行正常,但是如果你使用的是CentOS,你还需要修改letsencrypt.sh中openssl.cnf的位置,先找到你的CentOS的openssl.cnf位置。然后打开letsencrypt.sh,将路径/etc/ssl/openssl.cnf替换为你的新路径,例如/etc/pki/tls/openssl.cnf。
PS:20151214更新,该脚本已经更新,现在不需要对CentOS的openssl.cnf进行修改了.
5、执行过程中会自动生成需要的 key 文件。运行:
./letsencrypt.sh letsencrypt.conf
6、注意需要已经绑定域名到 /var/www/www.urdomain.com 目录,即通过 http://urdomain.com https://www.urdomain.com 可以访问到 /var/www/urdomain.com目录,用于域名的验证。
7、正常按照上面的操作即可成功获取到Let's Encrypt SSL证书,不过经过部落测试最大的问题就是“DNS query timed out”,由于域名DNS解析的问题导致无法验证域名从而获取SSL证书不成功。
Traceback (most recent call last):
File "/tmp/acme_tiny.py", line 198, in
main(sys.argv[1:])
File "/tmp/acme_tiny.py", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/tmp/acme_tiny.py", line 149, in get_crt
domain, challenge_status))
ValueError: hkh.freehao123.info challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'url': u'http://hkh.freehao123.info/.well-known/acme-challenge/sikHlqvbN4MrWkScgr1oZ9RX-lR1l__Z7FWVLhlYR0Q', u'hostname': u'hkh.freehao123.info', u'addressUsed': u'', u'port': u'80', u'addressesResolved': None}], u'https://acme-v01.api.letsencrypt.org/acme/challenge/5m1su6O5MmJYlGzCJnEUAnvhweAJwECBhEcvsQi5B2Q/1408863', u'token': u'sikHlqvbN4MrWkScgr1oZ9RX-lR1l__Z7FWVLhlYR0Q', u'error': {u'type': u'urn:acme:error:connection', u'detail': u'DNS query timed out'}, u'type': u'http-01'}
8、经过对比发现,国内的DNSPOD、阿里云DNS、CloudXNS等都会出现Let's Encrypt 验证域名超时的情况,
国外的Namecheap DNS、Linode DNS、Domain.com DNS等都是没有问题.
Let's Encrypt免费SSL证书续期
1、Let's Encrypt免费SSL证书有效期是90天,也就是每三个月你就得续期一次。采用官方的方法获取到的免费SSL证书,你不需要更改Apache和Nginx配置代码,执行以下代码即可自动替换证书为新的(注意修改域名和邮箱):
./letsencrypt-auto certonly --renew-by-default --email you@gmail.com -d urdomain.com -d www.urdomain.com 采用上面脚本快速获取Let's Encrypt免费SSL证书的,在90天内再次执行命令即可:./letsencrypt.sh letsencrypt.conf。
Let's Encrypt免费SSL证书使用小结Let's Encrypt免费SSL证书获得方式比较简单,不管采用何种方式,只要能够得到证书和密钥,我们就可以在自己的服务器上配置好SSL。上面讲到了Apache和Nginx的配置方法,如果你有自己的虚拟主机面板,可以直接通过后台添加证书和私钥文件即可.
首次生成证书
从Github签出Let’s Encrypt的源代码
进入本地源代码目录
cd letsencrypt
Let’s Encrypt提供多种认证方式,因为之前在VPS上有了HTTP的网站,所以这里采用了webroot的方式,其他方式请参考官方文档
如果是主域名的认证:
./letsencrypt-auto --debug certonly --webroot --email name@your_main_domain.com -d www.your_main_domain.com -d your_main_domain.com -w /var/www/your_main_domain.com
子域名的认证:
./letsencrypt-auto --debug certonly --webroot --email name@your_main_domain.com -d subdomain.your_main_domain.com -w /var/www/your_main_domain.com/subdomain
然后在弹出的蓝底白字提示框中一路点击”OK”
注意如下问题:
- 请将命令中的name, your_main_domain.com, subdomain替换成你自己的名字,域名以及子域名
- 因为Gentoo目前是在试验阶段,所以命令行加上–debug参数
- 参数–email如果没有在命令行加上,会在随后弹出的对话框里提示你填写
- -w指定Web服务器网址内容放置的目录,请指定自己放置的目录
生成的证书放在/etc/letsencrypt/live/[网站域名]下
| 文件名 | 内容 |
|---|---|
| cert.pem | 服务端证书 |
| chain.pem | 浏览器需要的所有证书但不包括服务端证书,比如根证书和中间证书 |
| fullchain.pem | 包括了cert.pem和chain.pem的内容 |
| privkey.pem | 证书的私钥 |
一般情况下fullchain.pem和privkey.pem就够用了。
Web服务端配置
采用的Nginx做的Web服务器,所以这里贴下我的服务端配置
因为同一个VPS上放置了多个站点,所以Nginx采用vhost的方式,将主域名以及子域名的Nginx配置文件单独编写,并放置在/etc/nginx/sites-available/下,如果哪个网站启用,则在/etc/nginx/sites-enabled/下创建/etc/nginx/sites-available/对应目录的软链接。这一套原本是Ubuntu发行版里面Nginx的默认配置,个人觉得不错,所以照搬到Gentoo里使用。
Nginx的主配置文件/etc/nginx/nginx.conf需要加入如下配置:
http {
## # Virtual Host Configs ##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
子域名vhost的配置,在/etc/nginx/sites-available/下创建文件subdomian并填入如下内容
server {
listen 443 ssl;
server_name subdomain.your_main_domain.com;
# http://www.acunetix.com/blog/articles/configure-web-server-disclose-identity/ server_tokens off;
access_log /var/log/nginx/subdomain.your_main_domain.com.access_log;
error_log /var/log/nginx/subdomain.your_main_domain.com.error_log;
index index.html index.htm index.php;
root /var/www/your_main_domain.com/subdomain;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache builtin:1000 shared:SSL:10m;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/letsencrypt/live/subdomain.your_main_domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/subdomain.your_main_domain.com/privkey.pem;
ssl_session_timeout 5m;
ssl_session_tickets on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options deny;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https: http://ip.qgy18.com; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self' https://translate.googleapis.com; frame-src https://disqus.com https://www.slideshare.net";
# https://www.troyhunt.com/shhh-dont-let-your-response-headers/ proxy_hide_header Vary;
fastcgi_hide_header X-Powered-By;
fastcgi_hide_header X-Runtime;
fastcgi_hide_header X-Version;
include php-fpm.conf;
}
server {
server_name subdomain.your_main_domain.com;
listen 80;
server_tokens off;
access_log /dev/null;
location ^~ /.well-known/acme-challenge/ {
alias /home/name/.well-known/;
try_files $uri =404;
}
location / {
rewrite ^/(.*)$ https://subdomain.your_main_domain.com/$1 permanent;
}
}
}
php-fpm.conf(全路径 /etc/nginx/php-fpm.conf)的内容:
location ~ \.php$ {
# With php5-fpm: #fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param SCRIPT_FILENAME /var/www/$domain$subdomain$fastcgi_script_name; include fastcgi_params;
}
注意的问题
- Gentoo的CONFIG_PROTECT问题。大家都知道,对于软件的更新,除了软件包自身的更新外,还需要配置文件的更新。如果一个软件已经安装并运行,它已经在使用配置文件(这个文件有可能用户已经定制过),那么当这个软件升级后,配置文件有可能发生更新(只要和正在使用的配置文件内容不同就会更新),这个时候,机器上正在使用的配置文件和软件升级后的配置文件就可能发生冲突(如果内容不一致的话)。Gentoo定义了一个变量CONFIG_PROTECT(可以在/etc/portage/make.conf中定义)来负责保护本地的正在使用的配置文件内容,如果配置文件的路径写在CONFIG_PROTECT中(多个配置用空格分开,路径为全路径),那么当配置文件对应的软件升级后,这个配置文件不会被自动升级,而是在软件升级完后系统会提示用户配置文件有更新,或者用户敲入etc-update命令后引导用户解决配置文件冲突问题。参考官方文档
- 如果CONFIG_PROTECT=”-*“表示取消配置文件保护
- 如果想让所有的配置文件都被保护,则应该这样写CONFIG_PROTECT=”*”
更新证书
Let’s Encrypt证书的默认有效期只有90天,所以需要定时更新服务端的证书避免过期
一条命令更新所有服务端的证书
./letsencrypt-auto renew
添加为定时任务, 编辑这个文件
sudo vi /etc/cron.monthly/letsencrypt_renew
添加如下内容:
#!/bin/sh
/path/to/letsencrypt/letsencrypt-auto --debug renew > /var/log/letsencrypt/renew.log 2>&1
授予/etc/cron.monthly/letsencrypt_renew可执行权限
sudo chmod a+x /etc/cron.monthly/letsencrypt_renew在线HTTPS配置检查
可以使用Jerry Qu推荐的两个在线HTTPS配置扫描服务来检查你的网站HTTPS配置的问题,并根据建议做相应的修复。
Qualys SSL Labs’s SSL Server Test
参考资料
Let’s Encrypt官网
Let’s Encrypt,免费好用的 HTTPS 证书
听说DNSpod也支持Let’s Encrypt了
免费SSL安全证书Let’s Encrypt安装使用教程(附Nginx/Apache配置)
LET’S ENCRYPT免费SSL证书申请过程
Using Free SSL/TLS Certificates from Let’s Encrypt with NGINX
在线获取Let's Encrypt的免费SSL证书(在线获取的免费SSL证书好像不太靠谱,我试过)
免费,私密,安全。
2、Get HTTPS for free
源码:https://github.com/diafygi/gethttpsforfree
https://github.com/diafygi/howtogetfreehttps
免费,私密,安全.
相关帖子:
Looking for Certbot support? Start here: https://certbot.eff.org/support/
http://briteming.blogspot.de/2017/04/ssl.html
http://briteming.blogspot.com/2017/08/lets-encrypt-shell-script.html
https://wiki.archlinux.org/index.php/Let’s_Encrypt
https://wiki.archlinux.org/index.php/Certbot
https://linuxstory.org/deploy-lets-encrypt-ssl-certificate-with-certbot/
https://www.linode.com/docs/quick-answers/websites/secure-http-traffic-certbot/
---------------------------------
let's encypt certificate automatic renew.
le.py
安装
pip install -r requirements.txt
curl -LO https://github.com/zengxs667/le.py/raw/master/le.py
chmod +x le.py
Usage
usage: le.py [-h] [-s SERVER] [-a ACCOUNT] {reg,new} ...
positional arguments:
{reg,new}
reg Create a new account and register
new New certificate or renew certificate
optional arguments:
-h, --help show this help message and exit
-s SERVER, --server SERVER
The ACME server to use
-a ACCOUNT, --account ACCOUNT
The account file
创建账户
./le.py -a ~/account.json reg yourmail@example.org
-a 参数指定了将账户保存在你的 HOME 目录下的 account.json 文件中。
如果没有 -a 参数,则默认使用当前目录中的 account.json 文件。如果显示
INFO:root:Registration finished. 表示注册成功。申请证书
Let's Encrypt 目前支持的证书密钥类型包括:- RSA
- 2048
- 4096
- 8192
- ECC
- P-256 (prime256v1)
- P-384 (secp384r1)
DNS 验证
# 生成 RSA 密钥
# openssl genrsa 2048 > key.pem
# 生成 EC256 密钥
# openssl ecparam -genkey -name prime256v1 -noout -out key.pem
openssl genrsa 2048 > key.pem
./le.py -a ~/account.json new -t dns-01 -k key.pem -o crt.pem domain1.example.org
HTTP 验证
openssl genrsa 2048 > key.pem
./le.py -a ~/account.json new -t http-01 -k key.pem -o crt.pem --challenge-dir /usr/share/nginx/acme domain1.example.org
/.well-known/acme-challenge 指向 /usr/share/nginx/acme 文件夹。在 Nginx 中将如下语句放入 Server 段即可:location ^~ /.well-known/acme-challenge {
default_type "text/plain";
alias /usr/share/nginx/acme;
}
INFO:root:Certificate issue finished 表示成功,此时 crt.pem 就是包含了证书链的证书。自动 renew 证书
要自动 renew 证书只需要设置一下 crontab 即可:* * * * */4 /root/le.py -a /root/account.json new -t http-01 -k /etc/nginx/ssl/private/key.pem -o /etc/nginx/ssl/crt.pem --challenge-dir /usr/share/nginx/acme domain1.example.org >> /var/log/le.py.log && nginx -s reload
from https://github.com/zengxs/le.py
--------------------------------
simp_le
Simple Let’s Encrypt client.
simp_le --email you@example.com -f account_key.json \
-f account_reg.json \
-f fullchain.pem -f key.pem \
-d example.com -d www.example.com --default_root /var/www/html \
-d example.net:/var/www/other_html
simp_le --help.N.B. this was originally a fork of https://github.com/kuba/simp_le, which is unmaintained and has some breakage due to bitrot. Thanks to @kuba for the original implementation.
Manifest
- UNIX philosophy: Do one thing and do it well!
simp_le --valid_min ${seconds?} -f cert.pemimplies thatcert.pemis valid for at at leastvalid_min(defaults to 2592000 seconds / 30 days). Register new ACME CA account if necessary. Issue new certificate if no previous key/certificate/chain found. Renew only if necessary.- (Sophisticated) “manager” for
${webroot?}/.well-known/acme-challengeonly. No challenges other thanhttp-01. Existing web-server must be running already. - No magical webserver auto-configuration.
- Owner of
${webroot?}/.well-known/acme-challengemust be able to run the script, without privilege escalation (sudo,root, etc.). crontabfriendly: fully automatable - no prompts, etc.- No configuration files. CLI flags as the sole interface! Users should write their own wrapper scripts or use shell aliases if necessary.
- Support multiple domains with multiple roots. Always create single
SAN certificate per
simp_lerun. - Flexible storage capabilities. Built-in
simp_le -f fullchain.pem -f key.pem,simp_le -f chain.pem -f cert.pem -f key.pem, etc. - Do not allow specifying output file paths. Users should symlink if necessary!
- No need to allow specifying an arbitrary command when renewal has
happened, just check the exit code:
0if certificate data was created or updated;1if renewal not necessary;2in case of errors.
--server(support multiple ACME v2 CAs).- Support for revocation.
- Implicit agreement to the selected ACME CA's terms of service.
Installation
sudo ./bootstrap.sh
./venv.sh
export PATH=$PWD/venv/bin:$PATH
Usage with Docker
If you want to use simp_le with Docker, have a look at simp_le for Docker.Help
Have a look into./examples/ and
https://github.com/zenhack/simp_le/wiki/Examples.If you’re having problems you can chat with us on IRC (#simp_le at Freenode)
from https://github.com/zenhack/simp_le
NAME:
lego - Let's Encrypt client written in Go
USAGE:
lego [global options] command [command options] [arguments...]
VERSION:
4.3.1
COMMANDS:
run Register an account, then create and install a certificate
revoke Revoke a certificate
renew Renew a certificate
dnshelp Shows additional help for the '--dns' global option
list Display certificates and accounts information.
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--domains value, -d value Add a domain to the process. Can be specified multiple times.
--server value, -s value CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client. (default: "https://acme-v02.api.letsencrypt.org/directory")
--accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.
--email value, -m value Email used for registration and recovery contact.
--csr value, -c value Certificate signing request filename, if an external CSR is to be used.
--eab Use External Account Binding for account registration. Requires --kid and --hmac.
--kid value Key identifier from External CA. Used for External Account Binding.
--hmac value MAC key from External CA. Should be in Base64 URL Encoding without padding format. Used for External Account Binding.
--key-type value, -k value Key type to use for private keys. Supported: rsa2048, rsa4096, rsa8192, ec256, ec384. (default: "ec256")
--filename value (deprecated) Filename of the generated certificate.
--path value Directory to use for storing the data. (default: "/root/.lego") [$LEGO_PATH]
--http Use the HTTP challenge to solve challenges. Can be mixed with other types of challenges.
--http.port value Set the port and interface to use for HTTP based challenges to listen on.Supported: interface:port or :port. (default: ":80")
--http.proxy-header value Validate against this HTTP header when solving HTTP based challenges behind a reverse proxy. (default: "Host")
--http.webroot value Set the webroot folder to use for HTTP based challenges to write directly in a file in .well-known/acme-challenge. This disables the built-in server and expects the given directory to be publicly served with access to .well-known/acme-challenge
--http.memcached-host value Set the memcached host(s) to use for HTTP based challenges. Challenges will be written to all specified hosts.
--tls Use the TLS challenge to solve challenges. Can be mixed with other types of challenges.
--tls.port value Set the port and interface to use for TLS based challenges to listen on. Supported: interface:port or :port. (default: ":443")
--dns value Solve a DNS challenge using the specified provider. Can be mixed with other types of challenges. Run 'lego dnshelp' for help on usage.
--dns.disable-cp By setting this flag to true, disables the need to wait the propagation of the TXT record to all authoritative name servers.
--dns.resolvers value Set the resolvers to use for performing recursive DNS queries. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
--http-timeout value Set the HTTP timeout value to a specific value in seconds. (default: 0)
--dns-timeout value Set the DNS timeout value to a specific value in seconds. Used only when performing authoritative name servers queries. (default: 10)
--pem Generate a .pem file by concatenating the .key and .crt files together.
--cert.timeout value Set the certificate timeout value to a specific value in seconds. Only used when obtaining certificates. (default: 30)
--help, -h show help
--version, -v print the version
项目地址:https://github.com/go-acme/lego
用法:https://go-acme.github.io/lego/usage/cli/
