letsencrypt原理说明
申请过程中要验证绑定的域名是否属于申请人,其原理就是申请人在域名所在的服务器上申请证书,然后 Let’ s Encrypt 会访问绑定的域名与客户端通信成功即可通过。
- 需要停止当前的 web server 服务, 让出 80 端口, 由客户端内置的 web server 启动与 Let’ s Encrypt 通信。
- 不需要停止当前 web server , 但需要在域名根目录下创建一个临时目录, 并要保证外网通过域名可以访问这个目录,在申请证书的时候会向这个目录写数据,验证域名的权限。
证书安装
本文使用第二钟方式申请证书,整个安装过程需要root权限进行操作。
1、安装python依赖(如果是源码安装,需要安装setuptools和pip)
[root@centos7 ~]# yum install epel-release git bc python27 python27-devel python27-pip python27-setuptools python27-virtualenv
2、创建临时目录和网站根目录
[root@centos7 ~]# mkdir /tmp_ssl
[root@centos7 ~]# mkdir /data/
[root@centos7 ~]# cat /data/index.html
<h1> Test Page </h1>
3、配置nginx
[root@centos7 conf.d]# cat www.conf
server{
listen 80;
server_name ssl.niub.la;
root /data;
index index.html;
location /.well-known { #重要,此处是配置我们的临时目录,用于验证域名。
default_type text/plain;
alias /tmp_ssl/.well-known;
}
}
3、下载Let’ s Encrypt
[root@centos7 ~]# git clone https://github.com/letsencrypt/letsencrypt
[root@centos7 ~]# mv letsencrypt/ /usr/local/
4、申请证书
[root@centos7 ~]# /usr/local/letsencrypt/letsencrypt-auto certonly --no-self-upgrade --webroot -w /tmp_ssl --email mail0426@163.com -d ssl.niub.la
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ssl.niub.la
Using the webroot path /tmp_ssl for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ssl.niub.la/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ssl.niub.la/privkey.pem
Your cert will expire on 2017-11-17. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
5、查看申请的证书
[root@centos7 ~]# ls /etc/letsencrypt/live/ssl.niub.la/
cert.pem chain.pem fullchain.pem privkey.pem README
6、配置nginx支持ssl协议并安装证书
[root@centos7 ~]# cat /data/index.html
<h1> Test Page </h1>
[root@centos7 ~]# cat /etc/nginx/conf.d/www.conf
server{
listen 443 ssl;
server_name ssl.niub.la;
root /data;
index index.html;
ssl_certificate /etc/letsencrypt/live/ssl.niub.la/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ssl.niub.la/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:HIGH:!RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
location /.well-known {
default_type text/plain;
alias /tmp_ssl/.well-known;
}
}
[root@centos7 ~]# systemctl restart nginx
7、测试访问
增加证书
因为我们现在已经有一个ssl证书正在使用证书了监听了443端口,所以此处还是应该,使用第二种方式--webroot的来申请证书,配置我们的临时目录。
1、配置网站根目录
[root@centos7 ~]# cat /data/openssl.html
<h1> OpenSSL </h1>
2、配置nginx
[root@centos7 conf.d]# cat www.conf
server{
listen 80;
server_name openssl.niub.la;
root /data;
index openssl.html;
location /.well-known { #重要,此处是配置我们的临时目录,用于验证域名。
default_type text/plain;
alias /tmp_ssl/.well-known;
}
}
3、执行新增证书(下面的命令的意思是在原有的ssl.niub.la申请的证书里面新增一个域名,两个域名使用同一个证书)
[root@centos7 ~]# /usr/local/letsencrypt/letsencrypt-auto certonly --no-self-upgrade --webroot -w /tmp_ssl --email mail0426@163.com -d ssl.niub.la -d openssl.niub.la
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/ssl.niub.la.conf)
It contains these names: ssl.niub.la
You requested these names for the new certificate: ssl.niub.la, openssl.niub.la.
Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ssl.niub.la
http-01 challenge for openssl.niub.la
Using the webroot path /tmp_ssl for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ssl.niub.la/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ssl.niub.la/privkey.pem
Your cert will expire on 2017-11-17. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
4、配置ssl
[root@centos7 ~]# cat /etc/nginx/conf.d/openssl_ssl.conf
server{
listen 443 ssl;
server_name openssl.niub.la;
root /data;
index openssl.html;
ssl_certificate /etc/letsencrypt/live/ssl.niub.la/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ssl.niub.la/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:HIGH:!RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
location /.well-known {
default_type text/plain;
alias /tmp_ssl/.well-known;
}
}
[root@centos7 ~]# systemctl restart nginx
5、测试访问
更新证书
1、更新本地所有证书
泛解析
[root@hdw001 cce]# /usr/local/letsencrypt/letsencrypt-auto certonly --no-self-upgrade --email mail0426@163.com --preferred-challenges dns --manual -d *.huandianw.com -d huandianw.com --server https://acme-v02.api.letsencrypt.org/directory
子域名解析
[root@centos7 ~]# /usr/local/letsencrypt/letsencrypt-auto --no-self-upgrade renew
或者
[root@centos7 ~]# /usr/local/letsencrypt/letsencrypt-auto --no-self-upgrade --webroot -w /tmp renew
2、加载到任务计划
[root@centos7 ~]# echo '0 4 1 * * /usr/local/letsencrypt/letsencrypt-auto --no-self-upgrade renew >>/dev/null 2>&1' >/var/spool/cron/root
[root@centos7 ~]# crontab -l
0 4 1 * * /usr/local/letsencrypt/letsencrypt-auto renew >>/dev/null 2>&1
注意事项
--webroot 参数:指定使用临时目录的方式. -w 参数:指定后面-d 域名所在的根目录, 如果一次申请多个域的, 可以附加更多 -w...-d...
-w 必须为你要认证站点的根目录,letsencrypt验证时会在该目录县写入.well-known目录文件,并通过你的申请站点进行访问验证。-w的配置,会忽略nginx中的root或alias配置,路径以-w来验证。
