背景
之前网站使用的是阿里云的免费证书,但是免费证书(默认证书)的签发有效期由12个月缩短至3个月而且免费证书的数量还显示不足了,所以直接更换了证书的签发机构。 这篇文章主要讲的就是如何使用 Let’s Encrypt的证书让自己的网站免费从HTTP升级为HTTPS。 Let's Encrypt 是一个由非营利性组织 互联网安全研究小组(ISRG)提供的免费、自动化和开放的证书颁发机构(CA)。
Let's Encrypt 简介
简单的说,借助 Let's Encrypt 颁发的证书可以为我们的网站免费启用 HTTPS(SSL/TLS) 。 Let's Encrypt免费证书的签发/续签都是脚本自动化的,官方提供了几种证书的申请方式方法,点击此处 快速浏览。
Certbot 简介
Certbot 是Let’s Encrypt官方推荐的获取证书的客户端,可以帮我们获取免费的Let’s Encrypt 证书。
安装Certbot客户端
yum install certbot
获取证书
certbot certonly --webroot -w /home/www/example -d example.com -d www.example.com
这个命令会为 example.com
和 www.example.com
这两个域名生成一个证书,这里也可以使用*.examplecom通配符,不过不管是申请还是续期,只要是通配符证书,只能采用 dns-01 的方式校验申请者的域名,也就是说 certbot 操作者必须手动添加 DNS TXT 记录。使用 --webroot
模式会在 /home/www/example
中创建 .well-known
文件夹,这个文件夹里面包含了一些验证文件,certbot
会通过访问 example.com/.well-known/acme-challenge
来验证你的域名是否绑定的这个服务器。这个命令在大多数情况下都可以满足需求,
但是有些时候我们的一些服务并没有根目录,例如一些微服务,这时候使用 --webroot
就走不通了。certbot 还有另外一种模式 --standalone
, 这种模式不需要指定网站根目录,他会自动启用服务器的443端口,来验证域名的归属。我们有其他服务(例如nginx)占用了443端口,就必须先停止这些服务,在证书生成完毕后,再启用。
certbot certonly --standalone -d example.com -d www.example.com
这里有几个需交互的提示
是否同意 Let's Encrypt 协议要求=>需要同意 是否分享你的邮箱 询问是否对域名和机器(IP)进行绑定=>需要同意
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): 550407948@qq.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for zc0317.com
Performing the following challenges:
http-01 challenge for zc0317.com
Cleaning up challenges
证书生成完毕后,我们可以在 /etc/letsencrypt/live/ 目录下看到对应域名的文件夹,里面存放了指向证书的一些快捷方式。
证书续签 自动更新 SSL 证书
注: Let’s Encrypt 提供的证书只有90天的有效期,证书在到期前30天才会续签成功,我们必须在证书到期之前,重新获取这些证书,certbot 给我们提供了一个很方便的命令,那就是 certbot renew。 通过这个命令,他会自动检查系统内的证书,并且自动更新这些证书。 我们可以运行这个命令测试一下
certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hbpaomoboli.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for hbpaomoboli.com and www.hbpaomoboli.com
Performing the following challenges:
http-01 challenge for hbpaomoboli.com
http-01 challenge for www.hbpaomoboli.com
Using the webroot path /home/www/pbhbpaomoboli for all unmatched domains.
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/hbpaomoboli.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/zc0317.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for zc0317.com and www.zc0317.com
Performing the following challenges:
http-01 challenge for www.zc0317.com
http-01 challenge for zc0317.com
Cleaning up challenges
Failed to renew certificate zc0317.com with error: Problem binding to port 80: Could not bind to IPv4 or IPv6.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following simulated renewals succeeded:
/etc/letsencrypt/live/hbpaomoboli.com/fullchain.pem (success)
The following simulated renewals failed:
/etc/letsencrypt/live/zc0317.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
这里可以看到我在运行的时候使用--standalone 模式的出现了报错,提示在绑定80端口的时候已经被占用了,使用--webroot模式的成功, 这时候我必须把nginx先关掉,才可以成功,所有的证书都刷新成功。
使用crontab自动续期
每隔 两个月的 凌晨 2:15 执行 更新操作。
15 2 * */2 * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
--pre-hook 这个参数表示执行更新操作之前要做的事情,因为我有 --standalone 模式的证书,所以需要 停止 nginx 服务,解除端口占用。 --post-hook 这个参数表示执行更新操作完成后要做的事情,这里就恢复 nginx 服务的启用。
nginx 开启 https
证书生成完成后可以到 /etc/letsencrypt/live/ 目录下查看对应域名的证书文件。编辑 nginx 配置文件监听 443 端口,启用 SSL,并配置 SSL 的公钥、私钥证书路径:
server {
listen 443 ssl;
server_name you.cn;
root /home/www/you;
index index.html index.htm index.php;
ssl_certificate /etc/letsencrypt/live/you.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/you.cn/privkey.pem;
...
}
添加 HTTP 自动跳转到 HTTPS:
server {
listen 80;
server_name you.cn;
location / {
rewrite ^(.*)$ https://$host$1 permanent;
}
}
配置好nginx后,重载nginx
可能遇到的问题
执行certbot命令,报错ImportError: cannot import name UnrewindableBodyError
解决办法
重新安装请求和urlib3
# sudo pip uninstall requests
# sudo pip uninstall urllib3
# sudo yum remove python-urllib3
# sudo yum remove python-requests
参考文章 https://diamondfsd.com/lets-encrytp-hand-https/ https://www.cnblogs.com/88223100/p/Generate-free-SSL-certificates-through-Let_s-Encrypt.html https://github.com/ansible/tower-cli/issues/603
评论列表,共 0 条评论
暂无评论