Let's Encrypt是一个由非营利性组织 互联网安全研究小组(ISRG)提供的免费、自动化和开放的证书颁发机构(CA)。
简单的说,借助 Let's Encrypt 颁发的证书可以为网站免费启用 HTTPS(SSL/TLS) 。
Let's Encrypt免费证书的签发/续签都是脚本自动化的,官方提供了几种证书的申请方式方法,点击此处 快速浏览。
官方推荐使用 Certbot 客户端来签发证书,这种方式可参考文档自行尝试。
环境
$ cat /etc/redhat-release CentOS Linux release 7.6.1810 (Core) $ uname -a Linux ansheng 3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux $ whoami root
我们使用的申请工具是Certbot,这里我使用CentOS7+Nginx进行自动签证,如果你想用其他的方式,访问Certbot。
实操
安装epel源
$ yum install -y epel-release
安装Certbot
$ yum install python2-certbot-nginx -y
安装Nginx
$ yum install nginx -y
这里用ssl.virplus.com这个域名来做实验,需要在域名管理里面增加一条A记录,然后IP只想我们自己服务器的IP,我这里的IP是149.129.86.210
$ ping -c 2 ssl.virplus.com PING ssl.virplus.com (149.129.86.210) 56(84) bytes of data. 64 bytes from 149.129.86.210 (149.129.86.210): icmp_seq=1 ttl=64 time=0.342 ms 64 bytes from 149.129.86.210 (149.129.86.210): icmp_seq=2 ttl=64 time=0.288 ms --- ssl.virplus.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1000ms rtt min/avg/max/mdev = 0.288/0.315/0.342/0.027 ms
对Nginx进行一个简单的配置
$ vim /etc/nginx/conf.d/ssl.conf
server {
listen 80;
server_name ssl.virplus.com;
}启动nginx
$ systemctl start nginx
使用Certbot进行签证
$ certbot --nginx certonly
......
# 进行签证的时候,会报这个错误,其他服务器都没有这个错误,只有阿里云有
ImportError: No module named 'requests.packages.urllib3'
在github找到了解决办法,如下:
$ rm -fr /usr/lib/python2.7/site-packages/urllib3/packages/ssl_match_hostname $ pip uninstall requests $ pip uninstall urllib3 $ yum remove python-urllib3 $ yum remove python-requests $ yum install python-urllib3 $ yum install python-requests $ yum install python2-certbot-nginx
然后再重新申请
$ certbot --nginx certonly Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator nginx, Installer nginx Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): xxdaac@gmail.com # 输入自己的邮箱,签证完成之后会给你发邮件,然后自己激活下就成了 Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: A # 同意 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y # Yes Starting new HTTPS connection (1): supporters.eff.org Which names would you like to activate HTTPS for? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: ssl.virplus.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1 # 输入域名的需要,如果有多个域名,以逗号隔开,类似"1,2,3" Obtaining a new certificate Performing the following challenges: http-01 challenge for ssl.ansheng.me Waiting for verification... Cleaning up challenges Resetting dropped connection: acme-v02.api.letsencrypt.org IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/ssl.virplus.com/fullchain.pem # 公钥 Your key file has been saved at: /etc/letsencrypt/live/ssl.virplus.com/privkey.pem # 私钥 Your cert will expire on 2019-04-09. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Nginx配置https
$ vim /etc/nginx/conf.d/ssl.conf
server {
listen 80;
server_name ssl.ansheng.me;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name ssl.ansheng.me;
charset utf-8;
ssl_certificate "/etc/letsencrypt/live/ssl.ansheng.me/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/ssl.ansheng.me/privkey.pem";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}上面的配置中,访问http://ssl.virplus.com会强制跳转到https://ssl.virplus.com
重新加载配置
$ nginx -s reload
通过curl命令进行测试
$ curl -I http://ssl.virplus.com HTTP/1.1 301 Moved Permanently Server: nginx/1.12.2 Date: Wed, 09 Jan 2019 10:03:07 GMT Content-Type: text/html Content-Length: 185 Connection: keep-alive Location: https://ssl.virplus.com/ # 跳转正常
然后我们在访问https://ssl.virplus.com/
$ curl -I https://ssl.ansheng.me/ HTTP/1.1 200 OK Server: nginx/1.12.2 Date: Wed, 09 Jan 2019 10:04:42 GMT Content-Type: text/html; charset=utf-8 Content-Length: 3700 Last-Modified: Tue, 06 Mar 2018 09:26:21 GMT Connection: keep-alive ETag: "5a9e5ebd-e74" Accept-Ranges: bytes
https也可以正常访问,这时你可以浏览器打开https://ssl.virplus.com/,然后看看SSL证书的信息。
自动续费
在crontab里面增加一个定时任务,每天都执行,快到期的时候就会续费了
$ crontab -l 0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
http://www.virplus.com/thread-192.htm
转载请注明:2019-3-16 于 VirPlus 发表
