一、Let's Encrypt 简介
Let's Encrypt 是一个由非营利性组织 互联网安全研究小组(ISRG)提供的免费、自动化和开放的证书颁发机构(CA)。
简单的说,借助 Let's Encrypt 颁发的证书可以为我们的网站免费启用 HTTPS(SSL/TLS) 。
Let's Encrypt免费证书的签发/续签都是脚本自动化的,官方提供了几种证书的申请方式方法,点击此处 快速浏览。
官方推荐使用 Certbot 客户端来签发证书,这种方式可参考文档自行尝试,不做评价。
我这里直接使用第三方客户端 acme.sh 申请,据了解这种方式可能是目前 Let's Encrypt 免费证书客户端最简单、最智能的 shell 脚本,可以自动发布和续订 Let's Encrypt 中的免费证书。
二、安装 Let's Encrypt
安装非常简单直接克隆就可以了
git clone https://github.com/letsencrypt/letsencrypt
生成通配符证书
期间需要根据提示设置DNS TXT记录,用作你对判断你是否拥有域名使用权
cd letsencrypt
./certbot-auto certonly -d *.you.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
其中"you.cn"换成你的一级域名即可
参数 | 说明 |
---|---|
certonly | 表示安装模式,Certbot 有安装模式和验证模式两种类型的插件。 |
--manual | 表示手动安装插件,Certbot 有很多插件,不同的插件都可以申请证书,用户可以根据需要自行选择 |
-d | 为那些主机申请证书,如果是通配符,输入 *.you.cn(可以替换为你自己的一级域名) |
--preferred-challenges dns | 使用 DNS 方式校验域名所有权 |
--server | Let's Encrypt ACME v2 版本使用的服务器不同于 v1 版本,需要显示指定。 |
接着可以看到下面界面结果:
Dependency Installed:
dwz.x86_64 0:0.11-3.el7 perl-srpm-macros.noarch 0:1-8.el7 tcl.x86_64 1:8.5.13-8.el7 tix.x86_64 1:8.4.3-12.el7 tk.x86_64 1:8.5.13-6.el7 tkinter.x86_64 0:2.7.5-69.el7_5
Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
接下来需要输入些指令
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for kuaichuangkeji.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
这里有几个需交互的提示
- 是否同意 Let's Encrypt 协议要求=>需要同意
- 是否分享你的邮箱
- 询问是否对域名和机器(IP)进行绑定=>需要同意
需要注意的地方:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.you.cn with the following value:
RYtObhDvEcXewZckknNQkBKIkvwIlbb4PNRel74LNwU
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
要求配置 DNS TXT 记录,从而校验域名所有权,也就是判断证书申请者是否有域名的所有权。
上面输出要求给 _acme-challenge.you.cn 配置一条 TXT 记录,在没有确认 TXT 记录生效之前不要回车执行。
我用的是阿里云的域名服务器,控制台具体操作如下图所示:
服务器域名dns配置确认生效后,回车执行,输出如下
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/you.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/you.cn/privkey.pem
Your cert will expire on 2019-02-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
看到这个界面内容的话,恭喜你,证书安装成功了。
证书续签
注:证书在到期前30天才会续签成功,但为了确保证书在运行过程中不过期,官方建议每天自动执行续签两次;
使用crontab自动续期
crontab -e // 编辑定时任务
0 */12 * * * certbot renew --quiet --renew-hook "/etc/init.d/nginx reload"
- 需要注意"/etc/init.d/nginx reload"为nginx重启命令,需要根据自己服务器的重启命令重启即可;这里建议使用reload,不推荐使用restart,因为这样万一配错了,也不会影响服务器其他项目的运行
证书保存的路径[配置nginx需要用到的]
/etc/letsencrypt/live/you.cn/fullchain.pem
/etc/letsencrypt/live/you.cn/privkey.pem
nginx 开启 https
证书生成完成后可以到 /etc/letsencrypt/live/ 目录下查看对应域名的证书文件。编辑 nginx 配置文件监听 443 端口,启用 SSL,并配置 SSL 的公钥、私钥证书路径:
server {
listen 443 ssl;
server_name you.cn;
root /home/www/you;
index index.html index.htm index.php;
ssl on;
ssl_certificate /etc/letsencrypt/live/you.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/you.cn/privkey.pem;
...
}
添加 HTTP 自动跳转到 HTTPS:
server {
listen 80;
server_name you.cn;
location / {
rewrite ^(.*)$ https://$host$1 permanent;
}
}
配置好nginx后,重启nginx
证书安装成功后,该域名下的所有二级域名都可以使用噢
取消证书
可以使用一下命令取消刚刚生成的密匙,也就是以上的反操作:
certbot revoke --cert-path /etc/letsencrypt/live/you.cn/cert.pem
certbot delete --cert-name you.cn
参考的网址有
- https://sanonz.github.io/2017/let's-encrypt-free-ssl-https/
- https://www.jianshu.com/p/c5c9d071e395
- https://segmentfault.com/a/1190000005142228
- https://www.jianshu.com/p/e321cc362e5d
- https://segmentfault.com/a/1190000017095044
- https://segmentfault.com/a/1190000005142228
- https://wp.wt629.com/archives/338
- https://www.yiichina.com/tutorial/1219
- https://github.com/fszlin/certes