
Enabling free SSL certificates from Let's Encrypt

Let's Encrypt is a free, automated and open certificate authority backed by many large organisations, including the Mozilla Foundation, Akamai and Cisco. The certificates it issues are trusted by all major browsers. Each certificate is valid for only 90 days, but the official tooling can renew it automatically, so in practice it can be used free of charge indefinitely. The method the project currently recommends for obtaining and installing certificates is certbot; it only takes a few commands and a little configuration.

1. Install Certbot

The Certbot website provides detailed installation instructions for each operating system. This server runs CentOS 6, so the steps below are copied from the official site with small changes.

$ yum install epel-release

$ mkdir -p /opt/letsencrypt
$ wget -O /opt/letsencrypt/certbot-auto https://dl.eff.org/certbot-auto
$ chmod +x /opt/letsencrypt/certbot-auto
$ /opt/letsencrypt/certbot-auto    # on first run (as root) it installs the packages it depends on

Using Certbot

If you are using Apache (the following is quoted from the certbot website):

Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs

$ ./path/to/certbot-auto --apache

If you're feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand:

$ ./path/to/certbot-auto --apache certonly

Automatic renewal

Let's Encrypt certificates last for 90 days, so it's highly advisable to renew them automatically! You can test automatic renewal for your certificates by running this command:

$ ./path/to/certbot-auto renew --dry-run

If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:

$ ./path/to/certbot-auto renew --quiet

2. Request an SSL certificate for your own domain

1. A single domain:

./certbot-auto certonly --email [email protected] --agree-tos --webroot \
-w /home/wwwroot/zhukun.net -d zhukun.net

2. Several domains served from one webroot, one certificate (one site with several hostnames sharing a certificate):

./certbot-auto certonly --email [email protected] --agree-tos --webroot \
-w /home/wwwroot/zhukun.net -d www.zhukun.net -d img.zhukun.net

3. Several domains in several webroots: this still produces one certificate covering all the listed names; each -w sets the webroot used for the -d names that follow it (the lineage is named after the first -d, here www1.b.com):

./certbot-auto certonly --email [email protected] --agree-tos --webroot \
-w /home/wwwroot/b.com -d www1.b.com -d www2.b.com \
-w /home/wwwroot/a.com -d www1.a.com -d www2.a.com

The message below means the request succeeded. The files are stored under /etc/letsencrypt/live/<first -d name>, i.e. /etc/letsencrypt/live/zhukun.net for the single-domain example above. For the http-01 challenge to pass, each -w directory must be what the web server serves at http://<domain>/.well-known/acme-challenge/ on port 80 (a redirect to HTTPS, as in the vhost configured below, is followed by the validation server).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/zhukun.net/fullchain.pem. Your cert will
   expire on 2016-12-01. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   certbot-auto renew
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3. Configure SSL for Apache by hand

Not much to say here; the two configuration files are pasted below for you to adapt.

$ cat /usr/local/apache2/conf/extra/httpd-vhosts.conf
<VirtualHost 8.8.8.8:80>
ServerAdmin [email protected]
DocumentRoot "/home/wwwroot/zhukun.net"
# ProxyRequests Off
# ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/home/wwwroot/zhukun.net/$1
ServerName zhukun.net
ServerAlias www.zhukun.net
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
ErrorLog "logs/zhukun-error_log"
CustomLog "logs/zhukun-access_log" common
</VirtualHost>
$ cat /usr/local/apache2/conf/extra/httpd-ssl.conf
Listen 443

#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on

SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin

SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

Mutex "file:/usr/local/apache2/logs/ssl_mutex"

<VirtualHost 8.8.8.8:443>
ServerAdmin [email protected]
DocumentRoot "/home/wwwroot/zhukun.net"
ProxyRequests Off
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/home/wwwroot/zhukun.net/$1
ServerName zhukun.net
ServerAlias www.zhukun.net
ErrorLog "logs/zhukun-error_log"
CustomLog "logs/zhukun-access_log" common
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/zhukun.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zhukun.net/privkey.pem
</VirtualHost>
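The configuration above takes Apache's defaults for everything except protocol and cipher selection, so TLS 1.0 and 1.1 are still offered and nothing is done about revocation checking or HSTS. The fragment below is an added example, not part of the original post or of the certbot project, showing the weak line beside the hardened one plus the additions I would make to httpd-ssl.conf. It assumes Apache 2.4 with mod_ssl, mod_headers and mod_socache_shmcb loaded and OpenSSL 1.0.1 or later (which CentOS 6 ships); the cache size, timeout and HSTS max-age are illustrative values.

```apache
# Added example: hardening on top of the httpd-ssl.conf shown above.
# Assumes Apache 2.4 with mod_ssl, mod_headers and mod_socache_shmcb loaded.

# Weak (as above): TLS 1.0 and 1.1 remain enabled.
#SSLProtocol all -SSLv2 -SSLv3
#SSLProxyProtocol all -SSLv2 -SSLv3
# Hardened: TLS 1.2 only (needs OpenSSL 1.0.1+, as shipped with CentOS 6).
SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1.2
SSLHonorCipherOrder on
SSLCompression off

# OCSP stapling: httpd fetches the revocation status of its own certificate from
# the CA and sends it during the handshake, so clients need not contact Let's
# Encrypt's OCSP responder. The cache directive must sit outside <VirtualHost>.
SSLUseStapling on
SSLStaplingCache "shmcb:/usr/local/apache2/logs/ssl_stapling(32768)"
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

<VirtualHost 8.8.8.8:443>
    ServerName zhukun.net
    ServerAlias www.zhukun.net
    DocumentRoot "/home/wwwroot/zhukun.net"
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/zhukun.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/zhukun.net/privkey.pem
    # HSTS: only once every hostname on the certificate works over HTTPS. Start
    # with a short max-age and raise it later. Browsers then refuse plain HTTP for
    # the domain, so an expired certificate becomes a hard outage, not a warning.
    Header always set Strict-Transport-Security "max-age=300"
</VirtualHost>
```

Restricting to TLS 1.2 drops very old clients (Android 4.3 and earlier, IE 10 on Windows 7 with defaults); check the access logs before enabling it. After a reload, `openssl s_client -connect zhukun.net:443 -status` should show an "OCSP Response Status: successful" block if stapling is working.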


=====================================================

Addendum, 2016-12-01

Today I discovered that the blog's certificate had expired. After checking, it seemed the crontab job had not run properly, so I ran the renewal by hand:

$ /opt/letsencrypt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/zhukun.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/zhukun.net/fullchain.pem (skipped)
No renewals were attempted.

That had no effect; the output above basically means the renewal failed. Forcing the renewal did work, so I am noting it here.

$ /opt/letsencrypt/certbot-auto renew --force-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/zhukun.net.conf
-------------------------------------------------------------------------------
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.zhukun.net
http-01 challenge for zhukun.net
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0008_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0008_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/zhukun.net/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/zhukun.net/fullchain.pem (success)

$ /etc/init.d/httpd graceful

=====================================================

Addendum, 2017-03-02

Today I found that the blog's certificate had expired yet again. Running the renewal script from the crontab by hand still produced the following:

$ /opt/letsencrypt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/zhukun.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/zhukun.net/fullchain.pem (skipped)
No renewals were attempted.

I looked through the log files (/var/log/letsencrypt/letsencrypt.log) and found, in letsencrypt.log.7, the message from a successful renewal on 6 February. So why did the certificate still expire on 2 March? After some research it appears that the HTTP service needs to be reloaded, otherwise the httpd processes keep using the old certificate file. I therefore suggest changing the cron job to the following:

$ crontab -l
0 3 * * 1 /opt/letsencrypt/certbot-auto renew --quiet; /etc/init.d/httpd graceful
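The "Automatic renewal" section above says to put `certbot-auto renew --quiet` in cron, and this addendum shows why that alone is not enough: the certificate on disk was renewed, but httpd kept serving the old one. The script below is an added example, not from the original post or from the certbot project, of what I would run from cron instead of the one-liner. It asks certbot to reload httpd only when a certificate was actually deployed, then checks independently that the certificate served on port 443 is the one in /etc/letsencrypt/live/<lineage>/fullchain.pem and that it still has a comfortable number of days left. The certbot-auto and httpd paths are the post's; the 20-day warning threshold, GNU `date` (as on CentOS), and the note on `--deploy-hook` versus `--renew-hook` by certbot version are assumptions marked in the comments.

```shell
#!/bin/sh
# renew-and-verify.sh (added example, not part of the original post)
# Renew Let's Encrypt certificates with certbot-auto, reload Apache only when a
# certificate was actually deployed, then verify that what Apache serves on :443
# is the certificate now in /etc/letsencrypt/live/<lineage>/fullchain.pem.
set -u

CERTBOT=${CERTBOT:-/opt/letsencrypt/certbot-auto}
RELOAD_CMD=${RELOAD_CMD:-"/etc/init.d/httpd graceful"}
WARN_DAYS=${WARN_DAYS:-20}   # assumption: warn when fewer than 20 days remain

# SHA-256 fingerprint of the first (leaf) certificate in PEM file $1.
cert_fingerprint_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate the live server presents for host $1 (SNI).
cert_fingerprint_live() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Whole days until the certificate in PEM file $1 expires (negative once expired).
days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end_s=$(date -d "$end" +%s)      # GNU date, as shipped with CentOS
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Returns 0 when host $1 serves the certificate in file $2, 1 otherwise.
served_matches_disk() {
    disk=$(cert_fingerprint_file "$2")
    live=$(cert_fingerprint_live "$1")
    [ -n "$disk" ] && [ "$disk" = "$live" ]
}

renew_and_verify() {
    domain=$1
    fullchain=/etc/letsencrypt/live/$2/fullchain.pem

    # --deploy-hook runs only for lineages that were actually renewed, so httpd is
    # not reloaded needlessly on every run. On certbot releases before 0.17 (such as
    # the 2016-2017 certbot-auto used in the post) the same option is --renew-hook.
    "$CERTBOT" renew --quiet --deploy-hook "$RELOAD_CMD"

    days=$(days_left "$fullchain")
    if [ "$days" -lt "$WARN_DAYS" ]; then
        echo "WARNING: $fullchain expires in $days days; renewal is not happening" >&2
    fi
    if ! served_matches_disk "$domain" "$fullchain"; then
        echo "WARNING: $domain serves a different certificate than $fullchain; reload httpd" >&2
        return 1
    fi
    echo "OK: $domain serves $fullchain ($days days left)"
}

# Usage: renew-and-verify.sh <host to probe> <lineage name>, e.g.
#   renew-and-verify.sh zhukun.net zhukun.net
# With no arguments only the functions are defined, so the file can be sourced.
if [ "$#" -eq 2 ]; then
    renew_and_verify "$1" "$2"
fi
```

Run it daily rather than weekly (certbot only renews once fewer than 30 days remain, and a failed weekly attempt leaves few retries), for example `0 3 * * * /usr/local/sbin/renew-and-verify.sh zhukun.net zhukun.net` with the script path of your choosing. The two warnings cover the two failure modes in the addenda: a renewal that has silently stopped happening, and a renewed file that httpd never loaded.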