Free SSL certificates forever - deploying HTTPS with a Let's Encrypt certificate and renewing it automatically

Information security, free resources

2017-02-26


Let's Encrypt is a public project that issues SSL certificates free of charge. It was launched by Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organizations, and its main goal is to drive the web's transition from HTTP to HTTPS.

My deployment environment

OS: CentOS 7.1
Web server: Nginx 1.10.2
Python 2.7

Installing certbot

Run:

sudo yum install certbot

Obtaining a certificate

certbot certonly --webroot -w /usr/share/nginx/html -d ubock.com -d www.ubock.com

/usr/share/nginx/html is the web root of the site.
-d is followed by a domain name; for several domains, repeat -d for each one.

At the prompt shown in the screenshot above, enter your email address and confirm.

At the next prompt (screenshot above), simply choose Agree.

If it hangs after printing the line below, run the command again; that is what worked for me:

Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org

If you get the following error instead, the nginx configuration needs to be changed:

Failed authorization procedure. ubock.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ubock.com/.well-known/acme-challenge/N0RmkJZzCapvbUkwlsyGE_7D-tj-bl6FidIQy4zPUFI [139.0.0.0]: 404

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
 e-mails sent to u@ubock.com.
 - The following errors were reported by the server:

 Domain: ubock.com
 Type: unauthorized
 Detail: Invalid response from
 http://ubock.com/.well-known/acme-challenge/N0RmkJZzCapvbUkwlsyGE_7D-tj-bl6FidIQy4zPUFI
 [139.0.0.0]: 404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.


Edit /etc/nginx/nginx.conf and add the following inside the server block for http:

location ~ /.well-known {
    allow all;
}

Then run the certificate command again.

If you see the following output, congratulations, it worked. The certificate is valid for 3 months and can be renewed when it is about to expire.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ubock.com/fullchain.pem. Your cert will
   expire on 2017-05-27. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew all of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Once the Let's Encrypt certificate has been issued, the domain directory "/etc/letsencrypt/live/ubock.com/" contains four files; these are the generated key and certificate files:

cert.pem - server certificate (for Apache)
chain.pem - root and intermediate certificates (for Apache)
fullchain.pem - the file Nginx needs for ssl_certificate
privkey.pem - the certificate's private key file


Deploying the certificate to Nginx

It is best to leave the certificate files where they are, so that nothing has to be moved again at renewal time.

Edit /etc/nginx/nginx.conf:

upstream tomcats {
    server 127.0.0.1:8080;
}

# Settings for a TLS enabled server.

server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  www.ubock.com ubock.com;
        root         /usr/share/nginx/html;
        index        index.html index.htm;

        ssl_certificate "/etc/letsencrypt/live/ubock.com/fullchain.pem";      # certificate file
        ssl_certificate_key "/etc/letsencrypt/live/ubock.com/privkey.pem";    # private key file
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # configure the protocols as shown
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;   # configure the cipher suites as shown
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_pass http://tomcats;   # the upstream (load-balanced) application servers
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
}


Save and exit after making the changes.
Restart the nginx service:

systemctl restart nginx

Open the site in a browser and a padlock icon appears in front of the address bar:


Forcing HTTP to redirect to HTTPS

Edit /etc/nginx/nginx.conf and add the following at the end of the server block for http:

location / {
    rewrite ^(.*) https://$host$1 permanent;
}

Note that it must not be placed before

location ~ /.well-known {
    allow all;
}

otherwise renewal may fail.
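As an added example (not part of the original post), the following preflight script checks the two things that the 404 error earlier and the ordering note above depend on: that nginx.conf declares the .well-known location ahead of the HTTPS rewrite, and that a token dropped under the web root is really served at http://<domain>/.well-known/acme-challenge/. The three arguments (config path, web root, domain) are this post's values; curl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for the
# http-01 challenge before running "certbot certonly --webroot".
# Assumes curl is installed. Usage:
#   sh acme-preflight.sh /etc/nginx/nginx.conf /usr/share/nginx/html ubock.com

# Static check: nginx.conf must contain the .well-known location, and it must
# appear before the "rewrite ... https://" redirect (line order, as the post
# advises). Prints the reason to stderr and returns 1 on failure.
check_acme_location() {
    conf="$1"
    wk=$(grep -nE 'location[[:space:]]*~[[:space:]]*/\.?well-known' "$conf" | head -n1 | cut -d: -f1)
    redir=$(grep -nE 'rewrite .*https://' "$conf" | head -n1 | cut -d: -f1)
    if [ -z "$wk" ]; then
        echo "missing: location ~ /.well-known { allow all; }" >&2
        return 1
    fi
    if [ -n "$redir" ] && [ "$redir" -lt "$wk" ]; then
        echo "order: https rewrite (line $redir) precedes .well-known (line $wk)" >&2
        return 1
    fi
    return 0
}

# Live check: write a throwaway token into the challenge directory and fetch
# it over plain HTTP through the public hostname, the way the CA will.
check_challenge_path() {
    webroot="$1"
    domain="$2"
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$(date +%s)-$$"
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token"
    body=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token")
    rc=$?
    rm -f "$dir/$token"
    if [ "$rc" -ne 0 ] || [ "$body" != "$token" ]; then
        echo "challenge path not served for $domain (curl exit $rc)" >&2
        return 1
    fi
    return 0
}

# Runs only when all three arguments are given, so sourcing the file is harmless.
if [ "$#" -eq 3 ]; then
    check_acme_location "$1" \
        && check_challenge_path "$2" "$3" \
        && echo "preflight OK: safe to run certbot certonly --webroot"
fi
```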


Automatic certificate renewal

Once the certificate has been obtained, use the following command to test whether renewal works. It is a test only and does not renew the certificate:

certbot renew --dry-run

When the following output appears, the test succeeded and renewal will work:

[root@VM_151_73_centos ~]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ubock.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ubock.com
http-01 challenge for www.ubock.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
 DRY RUN: simulating 'certbot renew' close to cert expiry           (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/ubock.com/fullchain.pem (success)
 DRY RUN: simulating 'certbot renew' close to cert expiry           (The test certificates above have not been saved.)

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.


Adding a scheduled task that renews the certificate periodically

Type:

crontab -e

press Enter, then edit the crontab file just as you would edit any other file in vi.
Add the following line at the end:

30 4 * * 1 certbot renew --renew-hook "systemctl restart nginx" --quiet > /dev/null 2>&1 &

This renews the certificate every Monday at 04:30 and, if the renewal succeeds, restarts nginx automatically. A certificate can only be renewed within the 30 days before it expires; runs outside that window are skipped automatically. Another advantage of running weekly is that a renewal attempt can fail, and this way there are still up to four more attempts to make sure the certificate does not expire.
Save and exit after making the change.

For crontab usage, see: Periodic task scheduling with crontab
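An added example, not from the original post: a renew hook script that can be used in the cron line in place of the bare "systemctl restart nginx", so that a configuration error cannot take the site down at 04:30 on a Monday. It relies on the RENEWED_LINEAGE and RENEWED_DOMAINS variables certbot exports to renew hooks; the install path /usr/local/sbin/le-reload-nginx.sh and the log path are choices made here.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot renew hook that
# validates the nginx configuration before reloading, instead of restarting
# nginx unconditionally. Use it in the cron line as:
#   certbot renew --renew-hook "/usr/local/sbin/le-reload-nginx.sh run" --quiet
# certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to renew/deploy hooks.
# The commands and log path are overridable through environment variables so
# the decision logic can be exercised on a machine without nginx.
NGINX_TEST="${NGINX_TEST:-nginx -t}"
NGINX_RELOAD="${NGINX_RELOAD:-systemctl reload nginx}"
LOG="${RENEW_LOG:-/var/log/letsencrypt/renew-hook.log}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# Returns 0 when nginx picked up the new certificate, 1 when nginx was left
# untouched (the old certificate keeps being served; the reason is logged).
reload_nginx_if_valid() {
    lineage="${RENEWED_LINEAGE:-unknown-lineage}"
    domains="${RENEWED_DOMAINS:-?}"
    if ! $NGINX_TEST >/dev/null 2>&1; then
        log "renewed $lineage ($domains) but the config test failed: NOT reloading"
        return 1
    fi
    if ! $NGINX_RELOAD >/dev/null 2>&1; then
        log "renewed $lineage ($domains) but the nginx reload failed"
        return 1
    fi
    log "renewed $lineage ($domains): nginx reloaded"
    return 0
}

case "${1:-}" in
    run) reload_nginx_if_valid ;;
esac
```

Using reload rather than restart also keeps existing connections open while the new certificate is picked up.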


Comments: 8

Reader 2017-06-11

Quoting a reader's comment:

I got an error when running certbot renew --dry-run. It says: Cleaning up challenges Unable to clean up challenge directory /var/www/html/huis-api/.well-known/acme-challenge Attempting to renew cert from /etc/letsencrypt/renewal/api.hui***.com.conf produced an unexpected error: Failed authorization procedure. api.huishima.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://api.****.com/.well-known/acme-challenge/ywW58S4P-ADB1CEQo73boijrYZpjEEkHcZCZ2GizvFA: " 500 Internal Server Error

500 Internal Server Error

Adding listen 80; to the nginx conf fixed it. Thanks!

Reader 2017-06-11

I got an error when running certbot renew --dry-run. It says: Cleaning up challenges Unable to clean up challenge directory /var/www/html/huis-api/.well-known/acme-challenge Attempting to renew cert from /etc/letsencrypt/renewal/api.hui***.com.conf produced an unexpected error: Failed authorization procedure. api.huishima.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://api.****.com/.well-known/acme-challenge/ywW58S4P-ADB1CEQo73boijrYZpjEEkHcZCZ2GizvFA: " 500 Internal Server Error

500 Internal Server Error

Reader 2017-03-22

Nice

Reader 2017-03-04

Very good, bookmarked

Reader 2017-02-28

Supporting this

Reader 2017-02-28

Nice

UBOCK 2017-02-26

Quoting a reader's comment:

Very well written and very clear, nice

Thanks for the support

Reader 2017-02-26

Very well written and very clear, nice
