申请Let‘s Encrypt 永久免费ssl,证书,配置nginx,跟Tomcat,及续期
Let’s Encrypt介绍
Let’s Encrypt
众所周知从某些公司购买HTTPS证书,一个域名每年都要几千个大洋(不是一般的黑)。那么有没有免费,答案是有。现隆重推荐(Let’s Encrypt 免费证书)
EEF 电子前哨基金会、 Mozilla 基金会和美国密歇根大学成立了一个公益组织叫 ISRG ( Internet Security Research Group ),这个组织从 2015 年开始推出了 Let’s Encrypt 免费证书。这个免费证书不仅免费,而且还相当好用,所以我们就可以利用 Let’s Encrypt 提供的免费证书部署 https 了。
Let’s Encrypt 证书除了免费,还支持域名通配符或泛域名。
命令介绍
Certbot可以获取和安装HTTPS/TLS/SSL证书。默认情况下,它将尝试同时使用一个web服务器来获取和安装证书。最常见的子命令和标志是:获取、安装和更新证书:(默认)运行获取并在您当前的web服务器上安装证书
具体可以
./certbot-auto --help
或者查看所有
./certbot-auto --help all
certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:
obtain, install, and renew certificates:
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near
expiry
enhance Add security enhancements to your existing configuration
-d DOMAINS Comma-separated list of domains to obtain a certificate for
--apache Use the Apache plugin for authentication & installation
--standalone Run a standalone webserver for authentication
--nginx Use the Nginx plugin for authentication & installation
--webroot Place files in a server's webroot folder for authentication
--manual Obtain certificates interactively, or using shell script
hooks
-n Run non-interactively
--test-cert Obtain a test certificate from a staging server
--dry-run Test "renew" or "certonly" without saving any certificates
to disk
manage certificates:
certificates Display information about certificates you have from Certbot
revoke Revoke a certificate (supply --cert-path or --cert-name)
delete Delete a certificate
manage your account with Let's Encrypt:
register Create a Let's Encrypt ACME account
--agree-tos Agree to the ACME server's Subscriber Agreement
-m EMAIL Email address for important account notifications
More detailed help:
-h, --help [TOPIC] print this message, or detailed help on a topic;
the available TOPICS are:
all, automation, commands, paths, security, testing, or any of the
subcommands or plugins (certonly, renew, install, register, nginx,
apache, standalone, webroot, etc.)
重点
run:获取并安装证书到当前的Web服务器
certonly:获取或续期证书,但是不安装
renew:在证书快过期时,续期之前获取的所有证书
-d DOMAINS:一个证书支持多个域名,用逗号分隔
–apache:使用 Apache 插件来认证和安装证书
–standalone:运行独立的 web server 来验证
–nginx:使用 Nginx 插件来认证和安装证书
–webroot:如果目标服务器已经有 web server 运行且不能关闭,可以通过往服务器的网站根目录放置文件的方式来验证
–manual:通过交互式方式,或 Shell 脚本手动获取证书
运行环境
Red Hat 4.4.7-18
安装步骤
- 下载证书生成工具,我们利用证书生成工具直接生成
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
- 使用生成工具生成证书
此处使用certonly 只是生成证书
-d 跟域名
–no-eff-email 不需要邮箱
–preferred-challenges dns 引用渠道dns
–server https://acme-v02.api.letsencrypt.org/directory
./certbot-auto certonly -d *.printhome.com --no-eff-email --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
如果没有安装需要的package会一直下载安装包,一路yes直到出现,这时不要做任何操作
这时去你的域名服务器下增加一条txt记录
名字为第一个红线
值为第二个红线
增加完毕后回到当前命令窗口回车,等待生成结果
创建成功 /etc/letsencrypt/live/printhome.com/下会生成4个文件,请勿更改ssl文件位置,这样可以减少自动续期时的操作
内容如下
cert.pem - Apache服务器端证书
chain.pem - Apache根证书和中继证书
fullchain.pem - Nginx所需要ssl_certificate文件
privkey.pem - 安全证书KEY文件
Nginx环境,就只需要用到fullchain.pem和privkey.pem两个证书文件
- 验证证书
dig -t txt _acme-challenge.printhome.com @8.8.8.8
出现
证明成功
测试证书
openssl x509 -in /etc/letsencrypt/live/printhome.com/fullchain.pem -noout -text
结果中出现
X509v3 Subject Alternative Name:
DNS:*.printhome.com
证明申请成功
nginx增加ssl的配置
- 增加443 ssl端口
server {
listen 443 ssl;
server_name devwx.printhome.com;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_session_cache builtin:1000 shared:SSL:10m;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/letsencrypt/live/printhome.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/printhome.com/privkey.pem;
ssl_session_timeout 5m;
ssl_session_tickets on;
ssl_stapling on;
ssl_stapling_verify on;
#前端页面 配置地址
location / {
root /usr/local/mallwx_html/;
index html/1_index/index.html;
}
#后台配置地址
location /mall-web/ {
client_max_body_size 16m;
client_body_buffer_size 128k;
proxy_pass http://devwx.printhome.com:8095/mall-web/; #都是相同的节点,此示例代码我就不写upstream了
proxy_redirect off;
proxy_set_header Host $host; #这里就是关键性作用,传递b域名给后端IIS
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_connect_timeout 30;
proxy_read_timeout 300;
proxy_send_timeout 300;
}
}
- 转发设置 http 重定向成https 无需此 可以不用设置
server {
listen 80 ;
server_name devwx.printhome.com;
location / {
rewrite ^(.*)$ https://$host$1 permanent;#如果是http://devwx.printhome.com访问那么直接跳转 https://devwx.printhome.com
}
}
- ip访问配置
server {
listen 443 ssl;
server_name 192.168.1.211;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_session_cache builtin:1000 shared:SSL:10m;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/letsencrypt/live/printhome.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/printhome.com/privkey.pem;
ssl_session_timeout 5m;
ssl_session_tickets on;
ssl_stapling on;
ssl_stapling_verify on;
location / {
root /usr/local/mallwx_html/;
index html/1_index/index.html;
}
location /mall-web/ {
client_max_body_size 16m;
client_body_buffer_size 128k;
proxy_pass http://192.168.1.211:8095/mall-web/; #都是相同的节点,此示例代码我就不写upstream了
proxy_redirect off;
proxy_set_header Host $host; #这里就是关键性作用,传递b域名给后端IIS
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_connect_timeout 30;
proxy_read_timeout 300;
proxy_send_timeout 300;
}
}
server {
listen 80 ;
server_name 192.168.1.211;
location / {
rewrite ^(.*)$ https://$host$1 permanent;#如果是http://192.168.1.211访问那么直接跳转 https://192.168.1.211
}
}
遇见nginx问题
1.the “ssl” parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:37
原因是nginx缺少http_ssl_module模块,编译安装时带上–with-http_ssl_module配置就可以了
2.如果已经安装过nginx,想要添加模块看下面
1)切换到nginx源码包cd /backup/nginx-1.7.4
2)查看ngixn原有的模块/usr/local/nginx/sbin/nginx -V
显示configure arguments: 后边是空证明有问题
3)重新配置./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
4)重新编译,不需要make install安装。否则会覆盖
make
5)备份原有已经安装好的nginxcp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
6)将刚刚编译好的nginx覆盖掉原来的nginx(ngixn必须停止)cp ./objs/nginx /usr/local/nginx/sbin/
这时,会提示是否覆盖,请输入yes,直接回车默认不覆盖
7)启动nginx,查看nginx模块,发现已经添加/usr/local/nginx/sbin/nginx -V
证书续期
因为有效期只有3个月我们需要自动续期来延长有效期。
通配证书只能通过dns的方式验证域名归属,我们需要通过脚本自动完成验证 –manual-auth-hook 设定验证脚本,否则无法自动更新
./certbot-auto renew --cert-name printhome.com --manual-auth-hook /home/certbot-sh/au.sh --dry-run
创建 alydns.php
alydns是通过阿里云的接口动态修改dns设置的接口请求文件
文件地址https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au修改得到