Enabling a free SSL certificate from Let’s Encrypt

Let’s Encrypt is a free, automated and open certificate authority backed by many large organisations, including the Mozilla Foundation, Akamai and Cisco. The free SSL certificates it issues are trusted by most browsers. Although each SSL/TLS certificate is valid for only three months, the official tooling can renew it automatically, so in practice it can be used free of charge indefinitely.

The official site currently recommends obtaining and installing certificates with certbot, which takes just a few commands and a little configuration.

1. Install Certbot
The Certbot website provides detailed installation instructions for each operating system. Since I run CentOS 6, the steps below are copied from the official site with a few small changes.

$ yum install epel-release

$ mkdir -p /opt/letsencrypt    # wget -O needs the target directory to exist
$ wget -O /opt/letsencrypt/certbot-auto https://dl.eff.org/certbot-auto
$ chmod +x /opt/letsencrypt/certbot-auto
$ /opt/letsencrypt/certbot-auto    # the first run installs the dependencies it needs

Getting started with Certbot
If you use Apache (the English text below is quoted from the certbot website):

Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:

$ ./path/to/certbot-auto --apache

If you’re feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand:

$ ./path/to/certbot-auto --apache certonly

Renewing certificates automatically

Let’s Encrypt certificates last for 90 days, so it’s highly advisable to renew them automatically! You can test automatic renewal for your certificates by running this command:

$ ./path/to/certbot-auto renew --dry-run

If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:

$ ./path/to/certbot-auto renew --quiet 

2. Request an SSL certificate for your own domain

1. One domain, one certificate:

./certbot-auto certonly --email i@zhukun.net --agree-tos --webroot \
-w /home/wwwroot/zhukun.net -d zhukun.net

2. Several domains, one webroot, one certificate (one site whose several domain names share a certificate):

./certbot-auto certonly --email i@zhukun.net --agree-tos --webroot \
-w /home/wwwroot/zhukun.net -d www.zhukun.net -d img.zhukun.net

3. Several domains, several webroots, several certificates (certificates for several domains in one run):

./certbot-auto certonly --email i@zhukun.net --agree-tos --webroot \
-w /home/wwwroot/b.com -d www1.b.com -d www2.b.com \
-w /home/wwwroot/a.com -d www1.a.com -d www2.a.com

When the output below appears, issuance succeeded and the certificate files are in the /etc/letsencrypt/live/zhukun.net directory.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/zhukun.net/fullchain.pem. Your cert will
   expire on 2016-12-01. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
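
As an added check that is not part of the original post or of certbot, the POSIX shell script below inspects a lineage directory like the one named above. It confirms that privkey.pem belongs to the leaf certificate in fullchain.pem, that the certificate is not yet inside certbot's 30-day renewal window, and that every name you requested with -d appears in the certificate's subjectAltName list. The directory and host names given on the command line are your inputs; the script assumes only the openssl command-line tool and coreutils.

```shell
#!/bin/sh
# Post-issuance sanity check for a certbot lineage directory such as
# /etc/letsencrypt/live/zhukun.net. Added example, not part of the original
# post or of certbot; needs only the openssl CLI and coreutils.
# Usage: sh check-lineage.sh /etc/letsencrypt/live/zhukun.net zhukun.net www.zhukun.net

# SHA-256 of the DER-encoded public key inside a certificate.
cert_pubkey_digest() {
    openssl x509 -noout -pubkey -in "$1" |
        openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1
}

# SHA-256 of the DER-encoded public key derived from a private key.
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER | sha256sum | cut -d' ' -f1
}

# Succeeds when the private key really belongs to the leaf certificate.
# openssl x509 reads only the first certificate of a chain file, which is
# the leaf in certbot's fullchain.pem.
key_matches_cert() {
    [ "$(cert_pubkey_digest "$1")" = "$(key_pubkey_digest "$2")" ]
}

# Succeeds when the certificate stays valid for at least $2 more seconds.
# The default of 30 days is the window certbot's 'renew' uses to decide
# whether a certificate is due.
cert_valid_for() {
    openssl x509 -noout -checkend "${2:-2592000}" -in "$1" >/dev/null
}

# List the DNS names in the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -noout -text -in "$1" |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Succeeds when every name passed after the certificate path is covered.
cert_covers_names() {
    cert="$1"; shift
    names=$(cert_dns_names "$cert")
    for name in "$@"; do
        printf '%s\n' "$names" | grep -qxF -- "$name" || return 1
    done
    return 0
}

# Run all checks against a lineage directory; prints one line per check
# and returns non-zero if any of them failed.
check_lineage() {
    dir="$1"; shift
    cert="$dir/fullchain.pem"; key="$dir/privkey.pem"
    rc=0
    if key_matches_cert "$cert" "$key"; then echo "OK   private key matches certificate"
    else echo "FAIL private key does not match certificate"; rc=1; fi
    if cert_valid_for "$cert"; then echo "OK   certificate valid for more than 30 days"
    else echo "WARN certificate expires within 30 days (or has already expired)"; rc=1; fi
    if cert_covers_names "$cert" "$@"; then echo "OK   certificate covers: $*"
    else echo "FAIL a requested name is missing; certificate has: $(cert_dns_names "$cert" | tr '\n' ' ')"; rc=1; fi
    openssl x509 -noout -enddate -in "$cert"
    return $rc
}

# Only run when a lineage directory is given, so the functions can also be
# sourced from other scripts.
if [ $# -gt 0 ]; then check_lineage "$@"; fi
```

Run it once after every certonly command above; a failing key/certificate match or a missing name is far cheaper to notice here than after Apache has been restarted with the wrong files.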

3. Configure SSL for Apache by hand
I will not go into detail here; below are the two configuration files, adjust them to your own setup.

$ cat /usr/local/apache2/conf/extra/httpd-vhosts.conf 
<VirtualHost 45.79.80.99:80>
    ServerAdmin i@zhukun.net
    DocumentRoot "/home/wwwroot/zhukun.net"
#    ProxyRequests Off
#    ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/home/wwwroot/zhukun.net/$1
    ServerName zhukun.net
    ServerAlias www.zhukun.net
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
    ErrorLog "logs/zhukun-error_log"
    CustomLog "logs/zhukun-access_log" common
</VirtualHost>
$ cat /usr/local/apache2/conf/extra/httpd-ssl.conf
Listen 443

#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on

SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog  builtin

SSLSessionCache        "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

Mutex "file:/usr/local/apache2/logs/ssl_mutex"

<VirtualHost 45.79.80.99:443>
    ServerAdmin i@zhukun.net
    DocumentRoot "/home/wwwroot/zhukun.net"
    ProxyRequests Off
    ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/home/wwwroot/zhukun.net/$1
    ServerName zhukun.net
    ServerAlias www.zhukun.net
    ErrorLog "logs/zhukun-error_log"
    CustomLog "logs/zhukun-access_log" common
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/zhukun.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/zhukun.net/privkey.pem
</VirtualHost>

References:
轻松搞定 Let’s Encrypt 免费SSL证书 (Getting a free Let’s Encrypt SSL certificate the easy way)
Let’s Encrypt,启用 HTTPS (Let’s Encrypt: enabling HTTPS)

=====================================================

Addendum 2016.12.01
Today I discovered that the blog's certificate had actually expired. On checking, the job in the crontab had probably failed to run, so I ran it by hand:

$ /opt/letsencrypt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/zhukun.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/zhukun.net/fullchain.pem (skipped)
No renewals were attempted.

It had no effect; the output above basically means the renewal failed. Forcing the renewal worked, so I am noting it here.

$ /opt/letsencrypt/certbot-auto renew --force-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/zhukun.net.conf
-------------------------------------------------------------------------------
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.zhukun.net
http-01 challenge for zhukun.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0008_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0008_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/zhukun.net/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/zhukun.net/fullchain.pem (success)


$ /etc/init.d/httpd graceful

=====================================================

Addendum 2017.03.02
Today I found that the blog's certificate had expired yet again. Running the renewal script from the crontab by hand still produced the following:

$ /opt/letsencrypt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/zhukun.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/zhukun.net/fullchain.pem (skipped)
No renewals were attempted.

I checked the log files (/var/log/letsencrypt/letsencrypt.log) and found in letsencrypt.log.7 a message that the renewal had succeeded on February 6, so why was the certificate expired again on March 2? After some reading, it seems the HTTP service has to be reloaded; otherwise the httpd processes keep using the old certificate file. I therefore recommend changing the cron job to the following:

$ crontab -l
0 3 * * 1 /opt/letsencrypt/certbot-auto renew --quiet; /etc/init.d/httpd graceful
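
The cron line above reloads httpd every week whether or not anything was renewed, and because of the `;` it reloads even when renew itself failed. The wrapper below is an added example, not part of the original post or of certbot, and it implements the lesson of both addenda: it runs renew without --quiet so the result lines can be read, parses them in the "(success)" / "(skipped)" format shown above, reloads only when a lineage was actually replaced, and then compares the SHA-256 fingerprint of the certificate on disk with the one the server presents on port 443, so a renewal that never reached the running processes is logged instead of being discovered through browser errors weeks later. The certbot and httpd paths are the ones used in this post; the wrapper's own log file path is an assumption, and the lineage directory is assumed to be named after the first -d name, which is certbot's default when --cert-name is not given.

```shell
#!/bin/sh
# Renewal wrapper for the cron job above. Added example, not part of the
# original post or of certbot. Paths follow the post; override them through
# the environment for another host.
CERTBOT=${CERTBOT:-/opt/letsencrypt/certbot-auto}
RELOAD_CMD=${RELOAD_CMD:-/etc/init.d/httpd graceful}
LOG=${LOG:-/var/log/letsencrypt/renew-wrapper.log}   # assumed path, not created by certbot

# Read 'certbot renew' output on stdin and print the fullchain.pem path of
# every lineage reported as "(success)", one per line. Lineages listed as
# "(skipped)" or under a failure heading produce nothing.
renewed_lineages() {
    sed -n 's/^[[:space:]]*\(\/.*fullchain\.pem\) (success)[[:space:]]*$/\1/p'
}

# SHA-256 fingerprint of the leaf certificate in a PEM file.
disk_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# SHA-256 fingerprint of the certificate the live server presents for $1.
served_fingerprint() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Primary hostname of a lineage, taken from a path such as
# /etc/letsencrypt/live/zhukun.net/fullchain.pem (assumes the default
# certbot naming: the directory is the first -d name).
lineage_host() {
    basename "$(dirname "$1")"
}

# Run renew, reload the web server only if a certificate was actually
# replaced, then confirm the running server presents the new certificate.
renew_and_reload() {
    out=$("$CERTBOT" renew 2>&1) || { echo "$(date) renew failed: $out" >>"$LOG"; return 1; }
    renewed=$(printf '%s\n' "$out" | renewed_lineages)
    if [ -z "$renewed" ]; then
        echo "$(date) nothing due; no reload" >>"$LOG"
        return 0
    fi
    # RELOAD_CMD is intentionally unquoted so "httpd graceful" splits into words.
    $RELOAD_CMD || { echo "$(date) reload failed" >>"$LOG"; return 1; }
    rc=0
    for cert in $renewed; do
        host=$(lineage_host "$cert")
        if [ "$(disk_fingerprint "$cert")" = "$(served_fingerprint "$host")" ]; then
            echo "$(date) $host now serves the renewed certificate" >>"$LOG"
        else
            echo "$(date) WARNING: $host still serves the old certificate" >>"$LOG"; rc=1
        fi
    done
    return $rc
}

# Only act when invoked as 'renew-wrapper.sh run', so the functions can be
# sourced and tested without touching certbot or httpd.
if [ "${1:-}" = "run" ]; then renew_and_reload; fi
```

Point the cron entry at `renew-wrapper.sh run` instead of the two chained commands. Later certbot releases can also do the reload step natively with `certbot renew --deploy-hook '/etc/init.d/httpd graceful'`, which runs the hook only for lineages that were actually renewed; the fingerprint comparison remains useful either way, because it is the only step that checks what the server is really serving.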
