
Friday, 18 August 2017

A quick script for obtaining/renewing Let's Encrypt certificates: the xdtianyu script (tested, works)

It calls acme_tiny.py to authenticate, obtain and renew certificates, with no extra dependencies.

Download to the local machine (here "local" means the Linux VPS):
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.conf

wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.sh

chmod 755 letsencrypt.sh

Configuration file (edit letsencrypt.conf):
You only need to change DOMAIN_KEY, DOMAIN_DIR and DOMAINS to your own values:
ACCOUNT_KEY="letsencrypt-account.key"
DOMAIN_KEY="example.com.key"
DOMAIN_DIR="/var/www/example.com"
DOMAINS="DNS:example.com,DNS:whatever.example.com"
#ECC=TRUE
#LIGHTTPD=TRUE

The required key files are generated automatically during the run. ACCOUNT_KEY is the account key, DOMAIN_KEY is the domain's private key, DOMAIN_DIR is the directory the domain points at, and DOMAINS is the list of domains to sign. Uncomment #ECC=TRUE if you need an ECC certificate, and uncomment #LIGHTTPD=TRUE if you need a pem file generated for lighttpd.
(If the /var/www/example.com directory does not exist, create it first:
mkdir -p /var/www/example.com )

Run
./letsencrypt.sh letsencrypt.conf

The domain example.com must already be bound to the /var/www/example.com directory, i.e. http://example.com and http://whatever.example.com must serve /var/www/example.com; this is what the domain validation uses.

The following files will be generated:
lets-encrypt-x1-cross-signed.pem
example.chained.crt          # the fullchain.pem seen in most online tutorials
example.com.key              # the privkey.pem seen in most online tutorials
example.crt
example.csr

Add the ssl-related settings in nginx:
ssl  on;
ssl_certificate     /root/example.chained.crt;
ssl_certificate_key /root/example.com.key;

The complete server block in the nginx configuration file (the original post had `listen 80;` together with `ssl on;`, which makes nginx expect TLS on port 80 and answer plain HTTP requests with an error; the listen line below is corrected to the TLS port):
server {
       listen 443 ssl;
       server_name example.com;
       root /var/www/example.com;
       index index.html index.htm index.php;
       location / {
               try_files $uri $uri/ =404;
       }
       ssl on;
       ssl_certificate        /root/example.chained.crt;
       ssl_certificate_key    /root/example.com.key;
}

After changing the nginx configuration file, remember to restart nginx.

Because a Let's Encrypt certificate expires after 90 days, add a cron job:
crontab -e
Add the following line:
0 0 1 * * ./letsencrypt.sh letsencrypt.conf >> /var/log/lets-encrypt.log 2>&1
This renews the certificate automatically once a month.

from https://github.com/xdtianyu/scripts/blob/master/lets-encrypt/README-CN.md
(Although it calls https://github.com/diafygi/acme-tiny, that acme-tiny project itself is not convenient to use; I don't recommend using it directly.)
https://www.v2ex.com/t/241819
(https://letsencrypt.org/docs/client-options/ lists the various ACME client implementations; I still find the xdtianyu script the easiest to use.)

If everything above worked, you can stop reading here.

Note:
Changing the location of openssl.cnf in letsencrypt.sh:
line 32 of the file: /etc/ssl/openssl.cnf
CentOS path: /etc/pki/tls/openssl.cnf
Debian: no change needed.

Run over SSH:
yum install python-argparse
chmod +x letsencrypt.sh
./letsencrypt.sh letsencrypt.conf

If you see
Traceback (most recent call last):
File "/tmp/acme_tiny.py", line 2, in
import argparse, subprocess, json, os, sys, base64, binascii, time, hashlib, re, copy, textwrap, logging
ImportError: No module named argparse

run:
yum install python-argparse
-----------------------

Another quick script for obtaining/renewing Let's Encrypt certificates: dehydrated

letsencrypt/acme client implemented as a shell-script – just add water

This is a client for signing certificates with an ACME-server (currently only provided by Let's Encrypt) implemented as a relatively simple bash-script.
It uses the openssl utility for everything related to actually handling keys and certificates, so you need to have that installed.
Other dependencies are: cURL, sed, grep, mktemp (all found on almost any system, cURL being the only exception)
Current features:
  • Signing of a list of domains
  • Signing of a CSR
  • Renewal if a certificate is about to expire or SAN (subdomains) changed
  • Certificate revocation
Please keep in mind that this software and even the acme-protocol are relatively young and may still have some unresolved issues. Feel free to report any issues you find with this script or contribute by submitting a pull request.

Getting started

For getting started I recommend taking a look at docs/domains_txt.md, docs/wellknown.md and the Usage section on this page (you'll probably only need the -c option).
Generally you want to set up your WELLKNOWN path first, and then fill in domains.txt.
Please note that you should use the staging URL when experimenting with this script to not hit Let's Encrypt's rate limits. See docs/staging.md.
If you have any problems take a look at our Troubleshooting guide.

Config

dehydrated is looking for a config file in a few different places, it will use the first one it can find in this order:
  • /etc/dehydrated/config
  • /usr/local/etc/dehydrated/config
  • The current working directory of your shell
  • The directory from which dehydrated was run
Have a look at docs/examples/config to get started, copy it to e.g. /etc/dehydrated/config and edit it to fit your needs.

Usage:

Usage: ./dehydrated [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...

Default command: help

Commands:
 --version (-v)                   Print version information
 --register                       Register account key
 --account                        Update account contact information
 --cron (-c)                      Sign/renew non-existent/changed/expiring certificates.
 --signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout (advanced usage)
 --revoke (-r) path/to/cert.pem   Revoke specified certificate
 --cleanup (-gc)                  Move unused certificate files to archive directory
 --help (-h)                      Show help text
 --env (-e)                       Output configuration variables for use in other scripts

Parameters:
 --accept-terms                   Accept CAs terms of service
 --full-chain (-fc)               Print full chain when using --signcsr
 --ipv4 (-4)                      Resolve names to IPv4 addresses only
 --ipv6 (-6)                      Resolve names to IPv6 addresses only
 --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
 --keep-going (-g)                Keep going after encountering an error while creating/renewing multiple certificates in cron mode
 --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
 --no-lock (-n)                   Don't use lockfile (potentially dangerous!)
 --lock-suffix example.com        Suffix lockfile name with a string (useful for with -d)
 --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
 --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
 --config (-f) path/to/config     Use specified config file
 --hook (-k) path/to/hook.sh      Use specified script for hooks
 --out (-o) certs/directory       Output certificates into the specified directory
 --challenge (-t) http-01|dns-01  Which challenge should be used? Currently http-01 and dns-01 are supported
 --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1

Donate

I'm having fun developing dehydrated, but it takes time, and time is money, at least that's what I've been told.
I will definitely continue developing dehydrated for free, but if you want to support me you can do so using the following ways:

PayPal

Donate

BitCoin

Send bitcoins to 12487bHxcrREffTGwUDnoxF1uYxCA7ztKK

Server

I'm still planning on building a bigger testing-suite for dehydrated, it would be really cool to have a big(ish) server running in a datacenter somewhere without having to pay for it... If you are a server provider and can offer me a (dedicated!) machine, please contact me at donations@dehydrated.de
from https://github.com/lukas2511/dehydrated

My additional notes:

Log in to the Linux VPS.
git clone https://github.com/lukas2511/dehydrated
cd dehydrated
echo 'mydomain.com' > domains.txt
chmod 755 dehydrated
./dehydrated --register --accept-terms
mkdir -p /var/www/dehydrated

Install nginx and edit its configuration file,
adding the following server section:
server {
    listen 80;
    server_name mydomain.com;
    location /.well-known/acme-challenge/ {
        alias /var/www/dehydrated/;
        try_files $uri $uri/ =404;
    }
}

Then,
killall nginx && nginx
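Before running `./dehydrated -c`, it is worth confirming that the alias above really serves files from /var/www/dehydrated over plain HTTP, because a wrong alias path is the usual reason the HTTP-01 challenge fails. The check below is an added example, not part of the original post or of dehydrated: it writes a random probe file into the challenge directory, fetches it through the web server and compares the bytes. It assumes curl is installed, that the domain already resolves to this host, and that the directory name matches the nginx alias; the probe file name is generated here and has nothing to do with the ACME client's own tokens.

```shell
#!/bin/sh
# Added example (not from the original post or from dehydrated): pre-flight
# check that http://<domain>/.well-known/acme-challenge/ is served from the
# directory nginx aliases (the post uses /var/www/dehydrated).

# fetch_url URL -> body on stdout, non-zero exit on HTTP/transport errors.
# Kept as its own function so it can be swapped out when testing offline.
fetch_url() {
    curl -fsS --max-time 10 "$1"
}

# check_wellknown DOMAIN WELLKNOWN_DIR
# Writes a random probe token into WELLKNOWN_DIR, fetches it over HTTP and
# compares. Returns 0 only if the server hands back exactly what was written;
# the probe file is removed afterwards in every case.
check_wellknown() {
    domain=$1
    dir=$2
    name="probe-$$-$(date +%s)"
    # 16 random bytes as 32 hex characters (constructed probe value)
    token=$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$name" || return 1
    got=$(fetch_url "http://$domain/.well-known/acme-challenge/$name")
    status=$?
    rm -f "$dir/$name"
    if [ "$status" -ne 0 ]; then
        echo "fetch failed: alias, DNS or firewall not set up for $domain" >&2
        return 1
    fi
    if [ "$got" != "$token" ]; then
        echo "mismatch: $domain served different content (alias points elsewhere?)" >&2
        return 1
    fi
    echo "ok: $domain serves $dir"
    return 0
}

# Usage (substitute your own names):
#   check_wellknown mydomain.com /var/www/dehydrated
```

The mismatch branch matters as much as the failure branch: a catch-all location that returns an index page with status 200 would pass a naive "did curl succeed" test but still fail the real challenge.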

The generated certificate and private key files are:
/root/dehydrated/certs/mydomain.com/fullchain.pem
/root/dehydrated/certs/mydomain.com/privkey.pem

Introduction
Let's Encrypt is a Certificate Authority that issues SSL certificates for free, sponsored by many large companies and non-profit organisations to promote HTTPS.
This article explains how to use the service Let's Encrypt provides; you will need to know how to work with a command line interface.

Limits

Let's Encrypt is now officially open, but it has issuance rate limits; the ones ordinary users may run into are:
  • Names/Certificate: at most 100 hostnames in a single certificate.
  • Certificates/Domain: at most 20 certificates per domain per week, but renewals do not count against the quota (the hostnames in the certificate must be exactly the same as before).
  • Certificates/FQDNset: at most five certificates per week for the same set of hostnames.
For the latest information and full details see "Rate Limits - Let's Encrypt - Free SSL/TLS Certificates".

Installation

The program we use needs curl, so install curl first:
# echo "for Debian/Ubuntu"
# apt-get install curl
# echo "for CentOS/RedHat"
# yum install curl
Download the latest dehydrated release and unpack it; at the time of writing that is 0.4.0:
$ # refer: https://github.com/lukas2511/dehydrated/releases
$ curl -LO https://github.com/lukas2511/dehydrated/archive/v0.4.0.tar.gz
$ tar -zxv -f v0.4.0.tar.gz
$ cd dehydrated-0.4.0/
Or fetch the latest version through Git:
$ cd ~; git clone https://github.com/lukas2511/dehydrated.git
$ cd dehydrated/
Instead of Git you can also grab just the executable:
$ curl -LO https://raw.githubusercontent.com/lukas2511/dehydrated/master/dehydrated
Install the program under /etc/dehydrated/:
# mkdir /etc/dehydrated/
# cp ~/dehydrated/dehydrated /etc/dehydrated/
# chmod a+x /etc/dehydrated/dehydrated
Create the directory needed during SSL certificate validation:
# mkdir -p /var/www/dehydrated/
Configure Apache or nginx, adding this to the virtual host that is to be validated:
# for Apache
Alias /.well-known/acme-challenge/ /var/www/dehydrated/
# for nginx
location /.well-known/acme-challenge/ {
    alias /var/www/dehydrated/;
}
The first time, you have to accept the Let's Encrypt terms of service:
# /etc/dehydrated/dehydrated --register --accept-terms
Generate the SSL certificate for the first time; replace letsencrypt.tw (highlighted in the original) with your own domain name:
# /etc/dehydrated/dehydrated -c -d letsencrypt.tw
If it succeeds the output looks like this:
# INFO: Using main config file /etc/dehydrated/config
Processing letsencrypt.tw
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for letsencrypt.tw...
 + Responding to challenge for letsencrypt.tw...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
On success the generated files are all in /etc/dehydrated/certs/letsencrypt.tw/:
drwx------ 2 root root 4096 Feb 24 02:25 .
drwx------ 3 root root 4096 Feb 24 02:23 ..
-rw------- 1 root root 1651 Feb 24 02:25 cert-1456280700.csr
-rw------- 1 root root 2143 Feb 24 02:25 cert-1456280700.pem
lrwxrwxrwx 1 root root   19 Feb 24 02:25 cert.csr -> cert-1456280700.csr
lrwxrwxrwx 1 root root   19 Feb 24 02:25 cert.pem -> cert-1456280700.pem
-rw------- 1 root root 1675 Feb 24 02:25 chain-1456280700.pem
lrwxrwxrwx 1 root root   20 Feb 24 02:25 chain.pem -> chain-1456280700.pem
-rw------- 1 root root 3818 Feb 24 02:25 fullchain-1456280700.pem
lrwxrwxrwx 1 root root   24 Feb 24 02:25 fullchain.pem -> fullchain-1456280700.pem
-rw------- 1 root root 3243 Feb 24 02:25 privkey-1456280700.pem
lrwxrwxrwx 1 root root   22 Feb 24 02:25 privkey.pem -> privkey-1456280700.pem
Now the SSL settings of Apache or nginx can be changed:
# for Apache
SSLCertificateFile /etc/dehydrated/certs/letsencrypt.tw/cert.pem
SSLCertificateChainFile /etc/dehydrated/certs/letsencrypt.tw/chain.pem
SSLCertificateKeyFile /etc/dehydrated/certs/letsencrypt.tw/privkey.pem
# for nginx
ssl_certificate /etc/dehydrated/certs/letsencrypt.tw/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/letsencrypt.tw/privkey.pem;
Then reload the Apache or nginx configuration (or simply restart):
# echo "for Apache"
# service apache2 reload
# echo "for nginx"
# service nginx reload
Next, set up /etc/cron.d/dehydrated-letsencrypt_tw (file names in /etc/cron.d/ may not contain a dot, so it is replaced with an underscore) so that cron checks and renews automatically every day:
# for Apache
0 0 * * * root sleep $(expr $(printf "\%d" "0x$(hostname | md5sum | cut -c 1-8)") \% 86400); ( /etc/dehydrated/dehydrated -c -d letsencrypt.tw; /usr/sbin/service apache2 reload ) > /tmp/dehydrated-letsencrypt.tw.log 2>&1
# for nginx
0 0 * * * root sleep $(expr $(printf "\%d" "0x$(hostname | md5sum | cut -c 1-8)") \% 86400); ( /etc/dehydrated/dehydrated -c -d letsencrypt.tw; /usr/sbin/service nginx reload ) > /tmp/dehydrated-letsencrypt.tw.log 2>&1

Design notes

This section explains why things are laid out this way; it is useful for automation (Puppet, Chef and the like):
  • dehydrated was chosen over the official certbot because dehydrated's requirements are very low: it only needs curl and openssl to run, which is simpler than the official client's Python dependency.
  • Putting it under /etc/dehydrated/ avoids a conflict if operating systems later ship a dehydrated package (packages usually put the executable in /usr/bin or /usr/sbin); in addition dehydrated reads the config from the same directory, which saves some configuration work.
  • The cron job runs every day because dehydrated checks the certificate's validity period itself and does not renew while more than a month remains, so there is no need to worry that running daily puts load on Let's Encrypt's servers.
  • The sleep $(expr $(printf "\%d" "0x$(hostname | md5sum | cut -c 1-8)") \% 86400) in the cron job derives a hexadecimal hash from the machine name, takes part of it, converts it to decimal and divides by the number of seconds in a day; the remainder is the number of seconds to sleep before running dehydrated. This prevents too many machines from hitting Let's Encrypt's servers at the same moment, which would look like a DDoS attack.
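To see what the jitter expression above actually yields for a given host, here is the same computation pulled out into shell functions. This is an added example, not code from the original article or from dehydrated. The crontab version writes `\%` only because a bare `%` means "newline" in crontab(5); in a normal shell no escaping is needed. It assumes md5sum (GNU coreutils) or, failing that, the BSD/macOS md5 command; the host name used in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original article): the per-host cron jitter
# from the dehydrated cron line, as inspectable functions.

# hash_hex NAME -> first 8 hex digits of md5(NAME + "\n"), i.e. exactly what
# `hostname | md5sum | cut -c 1-8` produces (hostname prints a trailing newline).
hash_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s\n' "$1" | md5sum | cut -c 1-8
    else
        printf '%s\n' "$1" | md5 | cut -c 1-8      # BSD/macOS fallback
    fi
}

# jitter_seconds NAME -> delay in [0, 86399] derived from NAME; the shell's
# own arithmetic replaces the `expr ... \%` used in the crontab line.
jitter_seconds() {
    h=$(hash_hex "$1")
    echo $(( 0x$h % 86400 ))
}

# jitter_clock NAME -> the same offset as HH:MM:SS, which is the wall-clock
# time (after the 00:00 trigger) at which this host contacts Let's Encrypt.
jitter_clock() {
    s=$(jitter_seconds "$1")
    printf '%02d:%02d:%02d\n' $(( s / 3600 )) $(( s % 3600 / 60 )) $(( s % 60 ))
}

# Usage (placeholder host name):
#   jitter_seconds web-01.example.net
#   jitter_clock   web-01.example.net
```

Because the offset is a function of the host name alone it is stable across reboots, which is what you want: the renewal for a given host happens at the same predictable time every day, but different hosts in a fleet are spread across the day.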
----------------

A quick script for obtaining Let's Encrypt certificates via DNS validation

The script is based on https://github.com/lukas2511/dehydrated; it calls the DNS provider's API to update a TXT record for validation, so a Let's Encrypt certificate can be obtained quickly. No root privileges are needed, and you do not have to specify a web root directory or point DNS at the host.

cloudxns

Download
wget https://github.com/xdtianyu/scripts/raw/master/le-dns/le-cloudxns.sh
wget https://github.com/xdtianyu/scripts/raw/master/le-dns/cloudxns.conf
chmod +x le-cloudxns.sh
Configuration
Contents of cloudxns.conf:
API_KEY="YOUR_API_KEY"
SECRET_KEY="YOUR_SECRET_KEY"
DOMAIN="example.com"
CERT_DOMAINS="example.com www.example.com im.example.com"
#ECC=TRUE
Set API_KEY and SECRET_KEY to your cloudxns API key and secret, DOMAIN to your root domain, and CERT_DOMAINS to the list of domains to sign; uncomment #ECC=TRUE if you need an ECC certificate.
Run
./le-cloudxns.sh cloudxns.conf
The generated files end up in the certs directory under the current directory.
cron job
If the certificate has 30 days or more left before expiry, the letsencrypt.sh script skips the renewal, so the renewal needs to run at least every 29 days.
To renew automatically every 20 days (on the 2nd and 22nd of each month), and to reload the service afterwards, you can append something like service nginx reload at the end of the le-cloudxns.sh script.
0 0 2/20 * * /etc/nginx/le-cloudxns.sh /etc/nginx/le-cloudxns.conf >> /var/log/le-cloudxns.log 2>&1
Note that Ubuntu 16.04 does not accept step values with a start day in the day-of-month field; replace 2/20 in the command with 2,22.
For more crontab options see crontab.guru.

dnspod

Download
wget https://github.com/xdtianyu/scripts/raw/master/le-dns/le-dnspod.sh
wget https://github.com/xdtianyu/scripts/raw/master/le-dns/dnspod.conf
chmod +x le-dnspod.sh
Configuration
Contents of dnspod.conf:
TOKEN="YOUR_TOKEN_ID,YOUR_API_TOKEN"
RECORD_LINE="默认"
DOMAIN="example.com"
CERT_DOMAINS="example.com www.example.com im.example.com"
#ECC=TRUE
Set TOKEN to your dnspod API token; note the format is 123456,556cxxxx (token id, comma, token). Set DOMAIN to your root domain and CERT_DOMAINS to the list of domains to sign; uncomment #ECC=TRUE if you need an ECC certificate.
Run
./le-dnspod.sh dnspod.conf
The generated files end up in the certs directory under the current directory.
cron job
If the certificate has 30 days or more left before expiry, the letsencrypt.sh script skips the renewal, so the renewal needs to run at least every 29 days.
To renew automatically every 20 days (on the 5th and 25th of each month), and to reload the service afterwards, you can append something like service nginx reload at the end of the le-dnspod.sh script.
0 0 5/20 * * /etc/nginx/le-dnspod.sh /etc/nginx/le-dnspod.conf >> /var/log/le-dnspod.log 2>&1
Note that Ubuntu 16.04 does not accept step values with a start day in the day-of-month field; replace 5/20 in the command with 5,25.
For more crontab options see crontab.guru.
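The "skip if 30 days or more remain" rule above (the same rule dehydrated applies in the daily cron job earlier on this page) can be reproduced and checked by hand with the openssl CLI, which is useful both for a monitoring check and for confirming that a cron renewal actually replaced the file. The following is an added example, not code from the original post or from any of the scripts it describes; it assumes only the openssl command-line tool. The self-signed certificates it generates are constructed test data so the logic can be exercised without contacting Let's Encrypt.

```shell
#!/bin/sh
# Added example (not from the original post): renewal-window check with
# `openssl x509 -checkend`, mirroring the 30-day rule of the scripts.

# needs_renewal CERT [DAYS] -> exit 0 (true) if CERT expires within DAYS days
# (default 30), 1 if it is still valid beyond that window. A missing or
# unreadable certificate counts as "needs renewal", which is the safe default.
needs_renewal() {
    cert=$1
    days=${2:-30}
    if openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1; then
        return 1    # still valid for more than DAYS days
    fi
    return 0
}

# expiry_date CERT -> the notAfter field as printed by openssl, for logging.
expiry_date() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# renew_if_due CERT DAYS CMD [ARGS...] -> runs CMD only when CERT is inside
# the renewal window, so it can wrap le-cloudxns.sh / le-dnspod.sh in cron.
renew_if_due() {
    cert=$1
    days=$2
    shift 2
    if needs_renewal "$cert" "$days"; then
        echo "renewing: $cert expires within $days days"
        "$@"
    else
        echo "skip: $cert still valid for more than $days days"
    fi
}

# make_test_cert OUTDIR DAYS -> constructed self-signed cert/key pair valid for
# DAYS days, only for exercising the functions above offline.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj /CN=example.com \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Usage against a real deployment (paths as used earlier on this page):
#   needs_renewal /root/dehydrated/certs/mydomain.com/fullchain.pem 30 && echo due
#   expiry_date   /root/dehydrated/certs/mydomain.com/fullchain.pem
```

Checking `-enddate` after the cron job has run is the quickest way to notice a silent failure: if the date printed has not moved forward, the script ran but did not replace the certificate, and the log file named in the crontab line is the place to look next.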

from https://github.com/xdtianyu/scripts/tree/master/le-dns
https://www.v2ex.com/t/255004
---------

Requesting a Let's Encrypt certificate manually

Because letsencrypt is written in Python and writes straight into /etc, I wanted to run it separately. It also needs git, bash and so on…
The BETA currently uses the acme-v01.api.letsencrypt.org server.

Advantages

  • Does not conflict with any port
  • letsencrypt can be run anywhere

Disadvantages

  • The web server needs some configuration
  • You have to place the validation files yourself

Details

NGINX pre-configuration

Add the following to the port 80 http configuration of the domain being validated:
location /.well-known {
  default_type text/plain;
}

Requesting the certificate

$ letsencrypt --server https://acme-v01.api.letsencrypt.org/directory -a manual -d hshh.org -d www.hshh.org certonly
Multiple "-d domain" options produce a SAN certificate.
Running the command above prompts you to place validation files under /.well-known/acme-challenge/ in the corresponding domain's directory; after placing them by hand, validation passes.

Revoking the certificate

$ cd /etc/letsencrypt/live/hshh.org/
$ letsencrypt --server https://acme-v01.api.letsencrypt.org/directory revoke --cert-path cert.pem

NGINX HTTPS configuration

listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /path/etc/letsencrypt/live/hshh.org/fullchain.pem;
ssl_certificate_key /path/etc/letsencrypt/live/hshh.org/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=31536000;

NGINX HTTP configuration

return 301 https://$server_name$request_uri;

Webroot mode

The certificate request command becomes
$ letsencrypt --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path /path/web/documentroot -d hshh.org certonly

from https://www.hshh.org/letsencrypt/memo
------------

The lightweight letsencrypt.sh (HTTP-01 edition)

letsencrypt.sh is a very lightweight Let's Encrypt client. It is written in bash and, with some modifications, also runs under zsh.

Advantages

  • Supports HTTP-01 and DNS-01 validation
  • Supports automatically signing multiple domains (domains.txt)
  • Supports signing a CSR
  • Supports renewing certificates that are about to expire or whose subdomains (SAN) have changed
  • Certificate revocation
  • Not many other dependencies.

Installation

On FreeBSD just install from ports; you can choose bash or zsh. I chose zsh.
cd /usr/ports/security/letsencrypt.sh
make install clean

Usage

letsencrypt.sh configuration

The configuration files from the ports install live in /usr/local/etc/letsencrypt.sh/
  • Copy config.sh.example and rename the copy to config.sh
cd /usr/local/etc/letsencrypt.sh
cp config.sh.example config.sh
  • Change BASEDIR in config.sh to /usr/local/etc/letsencrypt.sh and remove the comment marker at the start of the line.
BASEDIR=/usr/local/etc/letsencrypt.sh
  • Edit domains.txt and add the domains to be issued
hshh.org www.hshh.org
test.hshh.org

nginx configuration

Add or modify this in the configuration of the corresponding domain. It has to be done for every domain listed in domains.txt, whether or not it is part of a SAN certificate.
location /.well-known/acme-challenge {
 alias  /usr/local/etc/letsencrypt.sh/.acme-challenges;
 default_type text/plain;
}
After configuring, reload nginx: service nginx reload

Issuing certificates

Just run letsencrypt.sh -c

Using the certificates

Successfully issued certificates are placed under /usr/local/etc/letsencrypt.sh/certs in a directory named after the domain; for a SAN certificate the directory is named after the first domain on the line.
Usually you only need fullchain.pem and privkey.pem

nginx ssl configuration

ssl_certificate  /usr/local/etc/letsencrypt.sh/certs/hshh.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt.sh/certs/hshh.org/privkey.pem;

from https://www.hshh.org/letsencrypt/letsencrypt.sh_http-01

-----------

Free HTTPS certificates without having to trust the letsencrypt cli with sudo/root  

from https://github.com/diafygi/letsencrypt-nosudo
