Configuring a Let's Encrypt SSL certificate for Nginx on CentOS 7
Published: 2019-05-25


Updated!

2016-12-06

Update 2017-07-10

When I renewed my certificate recently, certbot-auto upgraded itself and the upgrade ran into an openssl conflict. I cannot upgrade openssl right away, so the renewal can be run with the following command instead:

./certbot-auto renew --no-self-upgrade --no-bootstrap

The installation instructions have been rewritten and are now simpler.

In the earlier article on free certificates I recommended Let's Encrypt without reservation, so this post covers how to install Let's Encrypt's client and configure it with Nginx.

Let's Encrypt is a public, free certificate authority, hosted by the Linux Foundation and launched by Mozilla, Cisco, Akamai, IdenTrust, the EFF and others. Its goal is to issue and manage free certificates for websites automatically, so that the web can move from HTTP to HTTPS faster. Certificates are valid for 90 days; Certbot renews them by default during the last 30 days, so in practice they stay free indefinitely.

Environment

  • CentOS 7
  • Nginx 1.10.2
  • Certbot

Installing Certbot

Official site:

Certbot is the client officially recommended by Let's Encrypt; it used to be called letsencrypt. Installation on CentOS 6 and CentOS 7 is covered below. Note that certbot-auto, the self-updating wrapper used for CentOS 6 here, has since been deprecated by the EFF; on a current system install certbot from the distribution's packages (or with pip/snap) instead.

CentOS 6

[root@ebs-29770 ~]# wget https://dl.eff.org/certbot-auto
[root@ebs-29770 ~]# chmod a+x certbot-auto

The first run of certbot-auto installs its own dependencies, which is slow; be patient.

CentOS 7

On CentOS 7, Certbot comes from EPEL, so enable that repository first:

[root@ebs-29770 ~]# yum install epel-release
[root@ebs-29770 ~]# yum install certbot

Obtaining the SSL certificate

The tool gained a --nginx option after an update, but I could not get it to work, so I still use the --webroot method.

The CentOS 6 command ./certbot-auto and the CentOS 7 command certbot take exactly the same arguments.

During the request, Let's Encrypt must verify that the domain belongs to the requester. The principle: the client is run on the server the domain points to, and the Let's Encrypt validation servers then connect to that domain from the outside; if the request is answered by the client (or by a file the client placed) with the expected content, validation passes.

There are two ways to perform this validation:
1. standalone mode: stop the current web server to free port 80, and let the web server built into the client answer Let's Encrypt directly.
2. webroot mode: the current web server keeps running, but a temporary directory is created under the domain's document root, and that directory must be reachable from the Internet through the domain.

This article uses webroot mode. When validating the domain, Certbot writes a file with a random name into that directory, and the Let's Encrypt validation servers fetch it over plain HTTP, so Nginx has to be configured so that the file is reachable.

Edit your server configuration and add the following inside the server block:

# With root, a request for /.well-known/acme-challenge/<token> is served from
# /usr/share/nginx/html/.well-known/acme-challenge/<token>, so
# /usr/share/nginx/html is the webroot to give certbot.
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /usr/share/nginx/html;
}
# The bare directory itself should not be browsable.
location = /.well-known/acme-challenge/ {
    return 404;
}

Then check the syntax with nginx -t and reload the Nginx configuration: systemctl reload nginx
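Before involving Certbot at all, it is worth replaying the CA's side of the HTTP-01 exchange against your own server. The Python script below is an added example, not part of the original post or of Certbot: it writes a random token under <webroot>/.well-known/acme-challenge/ the way certbot --webroot does, fetches it over plain HTTP the way the Let's Encrypt validation servers do, and compares the body. The account-key thumbprint in the key authorization is a constructed placeholder, and demo() serves a temporary directory on loopback as a stand-in for Nginx so that it runs offline; against a real host you would call selfcheck("http://mzlion.com", "/usr/share/nginx/html").

```python
"""HTTP-01 webroot self-check (added example; not certbot's own code).

Certbot places <token> under <webroot>/.well-known/acme-challenge/ with the
body "<token>.<account-key-thumbprint>"; the Let's Encrypt validation servers
then fetch http://<domain>/.well-known/acme-challenge/<token> and compare.
This script replays that exchange against your own web server. The
thumbprint used here is a constructed placeholder, not a real account key.
"""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_challenge(webroot, token, key_authorization):
    """Create the challenge file exactly where certbot --webroot would."""
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"), token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization)
    return path


def fetch_challenge(base_url, token, timeout=5):
    """Fetch the token over plain HTTP as the CA does.

    Returns (status, body); status is None when no HTTP answer came back."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except urllib.error.URLError:
        return None, ""


def selfcheck(base_url, webroot, thumbprint="placeholder-thumbprint"):
    """Write a random token, fetch it back through the web server, clean up.

    Returns (ok, reason) so the caller can see which part of the path failed."""
    token = secrets.token_urlsafe(32)
    key_authorization = f"{token}.{thumbprint}"
    path = write_challenge(webroot, token, key_authorization)
    try:
        status, body = fetch_challenge(base_url, token)
    finally:
        os.remove(path)  # certbot also removes its token after validation
    if status is None:
        return False, "no HTTP response: port 80 closed or DNS points elsewhere"
    if status != 200:
        return False, f"HTTP {status}: no location serves {CHALLENGE_DIR} from {webroot}"
    if body.strip() != key_authorization:
        return False, "body mismatch: a different root or a redirect answers this path"
    return True, "ok"


def demo():
    """Run selfcheck() against a throwaway loopback server (stand-in for Nginx
    with `root <webroot>`): once with the right webroot and once with a
    different directory, which is the usual misconfiguration."""
    import functools
    import http.server
    import tempfile
    import threading

    good_root = tempfile.mkdtemp()
    wrong_root = tempfile.mkdtemp()
    handler = functools.partial(http.server.SimpleHTTPRequestHandler,
                                directory=good_root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {"right_webroot": selfcheck(base_url, good_root),
                "wrong_webroot": selfcheck(base_url, wrong_root)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

A 404 from this check means the location block is not serving the directory you passed as webroot; a body mismatch usually means a server-level redirect or a different root directive is answering the path first. Fix those before running certbot, because each failed validation counts against Let's Encrypt's rate limits.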

Request the certificate from Let's Encrypt. Run it with --dry-run first. Without -w, certbot asks for the webroot interactively (see the transcript below); the answer must be the directory the root directive above points at, /usr/share/nginx/html here.

certbot certonly --webroot -m and.mz.yq@gmail.com -d mzlion.com,www.mzlion.com --agree-tos --dry-run
# -d is followed by the domain names; separate several with ASCII commas
# listing several domains puts them all on one shared certificate
# --agree-tos accepts the subscriber agreement automatically
# -m is the contact e-mail address
# --dry-run simulates the request against the staging environment; use it for the first run.
# The command succeeded when the output ends with:
IMPORTANT NOTES:
 - The dry run was successful.

Now obtain the certificate for real. The lines starting with -- are annotations; the domain names in the pasted output differ from those in the command, but the flow is the same.

[root@instance-blmkvqkm letsencrypt]# ./certbot-auto certonly -d mzlion.com,www.mzlion.com --webroot -m and.mz.yq@gmail.com
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
-- the subscriber agreement; you have to agree
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
-- sharing your address is up to you; not shared here
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ipayfor.me
http-01 challenge for www.ipayfor.me
Select the webroot for ipayfor.me:
-------------------------------------------------------------------------------
-- the site's document root
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for ipayfor.me: (Enter 'c' to cancel):/mnt/www
Select the webroot for www.ipayfor.me:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /mnt/www
-------------------------------------------------------------------------------
-- several domains share one document root, and they share the certificate too
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /mnt/www/.well-known/acme-challenge
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
-- this message means the certificate was issued
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ipayfor.me/fullchain.pem. Your cert will
   expire on 2017-07-12. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
[root@ebs-29770 letsencrypt]#

Configuring the SSL certificate in Nginx

Find your server's Nginx configuration file and change it to the following, substituting your own domain; the rest should be much the same.

server {
    listen 80;
    server_name www.mzlion.com;
    # Let's Encrypt validation directory; it must stay reachable over plain HTTP
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /usr/share/nginx/html;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }
    # Permanent redirect of everything else to the https site. It has to sit
    # inside location /: a return at server level runs before location matching
    # and would redirect the challenge requests as well.
    location / {
        return 301 https://$server_name$request_uri;
    }
}
server {
    # enable https with http/2
    listen 443 ssl http2;
    # certificate path (leaf certificate plus intermediate chain)
    ssl_certificate /etc/letsencrypt/live/mzlion.com/fullchain.pem;
    # private key path
    ssl_certificate_key /etc/letsencrypt/live/mzlion.com/privkey.pem;
    # intermediate chain; only used to verify OCSP responses once ssl_stapling is on
    ssl_trusted_certificate /etc/letsencrypt/live/mzlion.com/chain.pem;
    # allowed cipher suites; order matters, earlier entries have higher priority.
    # RC4 is excluded: it is prohibited for TLS by RFC 7465.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
    # In SSLv3/TLSv1 handshakes the client's preference normally wins; with this
    # enabled, the server's order above is used instead.
    ssl_prefer_server_ciphers on;
    # everything below is unrelated to the certificate
    location / {
        # ... omitted
    }
}

Two caveats on this block. No ssl_protocols is set, so nginx's default applies (TLSv1 TLSv1.1 TLSv1.2 on 1.10); if you do not need legacy clients, add ssl_protocols TLSv1.2; (TLSv1.3 needs nginx 1.13 or later built against OpenSSL 1.1.1). And ssl_trusted_certificate does nothing by itself; it only matters once ssl_stapling on; ssl_stapling_verify on; are set.

Save the configuration and reload or restart Nginx: systemctl reload nginx

At this point the Nginx SSL certificate is configured. Open the site in a browser and it loads over https with the padlock icon.

Renewing the certificate automatically

Since the certificate is valid for only 90 days, we need automatic renewal to keep it current. First simulate a renewal from the command line:

certbot renew --dry-run

A successful simulated renewal looks like this:

[root@ebs-29770 ~]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mzlion.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mzlion.com
http-01 challenge for www.mzlion.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/mzlion.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
[root@ebs-29770 ~]#

Whenever you are unsure that your Nginx configuration is correct, run the simulated renewal first to confirm that certbot and the Let's Encrypt servers can talk through it. Then use crontab -e to add a scheduled job:

crontab -e

Add this line:

0 1 1 * * /mnt/apps/letsencrypt/certbot-auto renew --renew-hook "/etc/init.d/nginx reload"

This runs at 01:00 on the 1st of every month. Two caveats. The option is --renew-hook with two dashes (newer Certbot releases call it --deploy-hook, and it runs only when a certificate was actually renewed); on CentOS 7 the hook should be systemctl reload nginx, with certbot in place of the certbot-auto path if Certbot came from EPEL. More important, certbot renew only renews certificates with fewer than 30 days of validity left, so a job that fires once a month gets at most one attempt inside that window, and when one run falls just outside the window and the next lands after expiry it gets none at all. Certbot's documentation recommends running renew at least twice a day, for example 0 */12 * * *; a failed attempt then simply gets retried twelve hours later.
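To make the scheduling risk concrete, the simulation below is an added example, not from the original post: it models the renewal decision the way certbot makes it (renew when the remaining validity is below 30 days) against the 0 1 1 * * schedule from the cron line and against a twice-daily schedule, issuing one certificate at 12:00 on every day of a year (constructed input). It reports which issue dates expire before the monthly job ever acts, and how little validity is left when renewal does happen. All cron runs are assumed to succeed; a failed run only makes the margins worse.

```python
"""Renewal-timing simulation for `certbot renew` under a cron schedule.

Added example, not from the original post. Modelled assumptions:
  - certificates are valid for 90 days from issuance (Let's Encrypt lifetime),
  - `certbot renew` renews only when less than 30 days remain (certbot's
    default renew_before_expiry),
  - every cron run succeeds.
"""
from datetime import datetime, timedelta

VALIDITY = timedelta(days=90)
RENEW_BEFORE = timedelta(days=30)


def monthly_0100(start, end):
    """Run times of the cron line `0 1 1 * *` (01:00 on the 1st) in [start, end]."""
    t = datetime(start.year, start.month, 1, 1, 0)
    while t <= end:
        if t >= start:
            yield t
        year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
        t = datetime(year, month, 1, 1, 0)


def twice_daily(start, end):
    """Run times of `0 */12 * * *` (00:00 and 12:00 every day) in [start, end]."""
    t = datetime(start.year, start.month, start.day)
    while t <= end:
        if t >= start:
            yield t
        t += timedelta(hours=12)


def hours_left_at_renewal(issued_iso, schedule):
    """Hours of validity left on the old certificate at the first cron run that
    falls inside certbot's renewal window, or None when the certificate
    expires before any run lands in that window."""
    issued = datetime.fromisoformat(issued_iso)
    expires = issued + VALIDITY
    for run in schedule(issued, expires):
        remaining = expires - run
        if remaining <= timedelta(0):
            return None                                 # already expired
        if remaining < RENEW_BEFORE:
            return remaining.total_seconds() / 3600     # certbot renews here
    return None                                         # next run is after expiry


def simulate_year(schedule, year=2017):
    """Issue one certificate at 12:00 on each day of `year` and summarise the
    issue dates that expire unrenewed and the worst (smallest) margin."""
    expired, margins = [], []
    day = datetime(year, 1, 1, 12, 0)
    while day.year == year:
        left = hours_left_at_renewal(day.isoformat(), schedule)
        if left is None:
            expired.append(day.date().isoformat())
        else:
            margins.append(left)
        day += timedelta(days=1)
    return {"expired": expired,
            "min_margin_hours": min(margins) if margins else None}


if __name__ == "__main__":
    for name, schedule in (("0 1 1 * *", monthly_0100), ("0 */12 * * *", twice_daily)):
        summary = simulate_year(schedule)
        print(f"{name}: {len(summary['expired'])} certificates expire unrenewed "
              f"{summary['expired'][:3]}, worst margin {summary['min_margin_hours']:.1f} h")
```

With the monthly schedule, a certificate issued at 2017-01-01 12:00 is renewed on 1 April with 11 hours left, and one issued at 2017-03-02 12:00 still has just over 30 days left at the 1 May run, so it is skipped, and the 1 June run comes after it has expired. With a twice-daily schedule every certificate is renewed with 29.5 days to spare.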

Summary

Overall, configuring Let's Encrypt is fairly simple, because the project provides the client and an automatic renewal mechanism; only a little configuration on CentOS is needed.

Notes

  • When renewing, the Let's Encrypt validation servers must be able to fetch files under /.well-known/acme-challenge/ for every name on the certificate over HTTP (port 80).

  • Let's Encrypt limits account registrations to 10 per IP address per 3 hours.

  • It also allows at most 5 duplicate certificates (an identical set of names) per week, and 50 certificates per registered domain per week. A renewal counts as a duplicate certificate, so repeatedly re-issuing the same names without --dry-run exhausts the limit.

Reposted from: http://cebvi.baihongyu.com/
