Let's Encrypt is a free, automated and open certificate authority backed by many large organizations, including the Mozilla Foundation, Akamai and Cisco. The certificates it issues are trusted by mainstream browsers. Each certificate is valid for only 90 days, but the official tooling renews it automatically, so in practice it stays free for as long as you keep it renewed. The method the site currently recommends for obtaining and installing certificates is certbot: a few commands plus a little configuration.
1. Install Certbot
The Certbot site gives detailed installation instructions for each operating system. My server runs CentOS 6, so the steps below are copied from there with small changes. Note that certbot-auto has since been deprecated by the EFF and the dl.eff.org download no longer exists; on a current system install certbot from your distribution's package or snap instead, and the certbot commands that follow are the same. Since certbot-auto runs as root and installs packages, verify the detached GPG signature the EFF published alongside it (certbot-auto.asc) before running it.
$ yum install epel-release
$ mkdir -p /opt/letsencrypt
$ wget -O /opt/letsencrypt/certbot-auto https://dl.eff.org/certbot-auto
$ chmod +x /opt/letsencrypt/certbot-auto
$ /opt/letsencrypt/certbot-auto  # the first run installs the dependencies it needs
Getting started with Certbot
If you use Apache (the following is quoted from the Certbot site):
Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:
$ ./path/to/certbot-auto --apache
If you're feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand:
$ ./path/to/certbot-auto --apache certonly
Automatic renewal
Let's Encrypt certificates last for 90 days, so it's highly advisable to renew them automatically! You can test automatic renewal for your certificates by running this command:
$ ./path/to/certbot-auto renew --dry-run
If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:
$ ./path/to/certbot-auto renew --quiet
Certbot only renews certificates that have fewer than 30 days left, so the job can run daily or weekly. Keep in mind that a renewed file on disk does nothing until the web server reloads it; see the addenda at the end of this post.
2. Request an SSL certificate for your own domains
1. One domain, one certificate:
./certbot-auto certonly --email [email protected] --agree-tos --webroot \
-w /home/wwwroot/zhukun.net -d zhukun.net
2. Several domains served from one directory, one certificate (one site reachable under several names):
./certbot-auto certonly --email [email protected] --agree-tos --webroot \
-w /home/wwwroot/zhukun.net -d www.zhukun.net -d img.zhukun.net
3. Several domains served from several directories: this is still a single certificate, not several. Each -w applies to the -d flags that follow it, so certbot validates www1.b.com and www2.b.com from /home/wwwroot/b.com and www1.a.com and www2.a.com from /home/wwwroot/a.com, then issues one certificate listing all four names. If the sites should not share a certificate, run the command once per certificate instead.
./certbot-auto certonly --email [email protected] --agree-tos --webroot \
-w /home/wwwroot/b.com -d www1.b.com -d www2.b.com \
-w /home/wwwroot/a.com -d www1.a.com -d www2.a.com
When the following appears, the request succeeded and the certificate files are under /etc/letsencrypt/live/zhukun.net (the directory is named after the first -d you passed).
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/zhukun.net/fullchain.pem. Your cert will
expire on 2016-12-01. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
certbot-auto renew
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
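Before running any of the three certonly commands above it is worth confirming that each webroot really is what the domain serves over plain HTTP, because a failed http-01 validation counts against Let's Encrypt's rate limit on failed validations. The script below is an added example, not code from the post or from certbot: for each -w directory it drops a random token under .well-known/acme-challenge/ (the path the ACME validator fetches) and fetches it through every -d name, following redirects the way Let's Encrypt does. It assumes curl is installed and uses the post's paths and domain names.

```shell
#!/bin/sh
# Pre-flight check for certbot's --webroot mode (added example, not from the post).
# Drops a token where the ACME validator will look and fetches it from outside.

CHALLENGE_DIR=".well-known/acme-challenge"

# make_token -> 32 hex chars from /dev/urandom (od/tr only, no openssl needed).
# A fresh random token means a stale file left from an earlier run cannot pass.
make_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# place_probe WEBROOT TOKEN -> creates WEBROOT/.well-known/acme-challenge/TOKEN
place_probe() {
    dir="$1/$CHALLENGE_DIR"
    mkdir -p "$dir"
    printf '%s\n' "$2" > "$dir/$2"
    chmod 644 "$dir/$2"
}

# probe_url DOMAIN TOKEN -> the exact URL the ACME server will request
probe_url() {
    printf 'http://%s/%s/%s\n' "$1" "$CHALLENGE_DIR" "$2"
}

# fetch_matches URL TOKEN -> 0 if the body served at URL equals TOKEN.
# -L follows redirects because Let's Encrypt does too (the post's :80 vhost
# redirects everything to HTTPS); -f turns 4xx/5xx into a failure.
fetch_matches() {
    body=$(curl -fsSL --max-time 10 "$1") || return 1
    [ "$body" = "$2" ]
}

# check_webroot WEBROOT DOMAIN... -> 0 if every DOMAIN serves the token from WEBROOT.
# Call it once per -w group, with the same -d names that follow that -w.
check_webroot() {
    webroot="$1"; shift
    token=$(make_token)
    place_probe "$webroot" "$token"
    rc=0
    for d in "$@"; do
        url=$(probe_url "$d" "$token")
        if fetch_matches "$url" "$token"; then
            echo "ok   $d -> $url"
        else
            echo "FAIL $d -> $url (check DNS, firewall, DocumentRoot and redirects)" >&2
            rc=1
        fi
    done
    rm -f "$webroot/$CHALLENGE_DIR/$token"
    return $rc
}

# Usage, mirroring the post's multi-webroot command:
#   check_webroot /home/wwwroot/b.com www1.b.com www2.b.com
#   check_webroot /home/wwwroot/a.com www1.a.com www2.a.com
```

A FAIL for a name means certbot's validation for that name would fail in the same way, and it is cheaper to find out here than against the CA.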
3. Configure SSL for Apache by hand
Not much to say here; the two configuration files are pasted below for you to adapt. Two things to keep in mind: the :80 vhost redirects every request, including /.well-known/acme-challenge/, to HTTPS, which only works because Let's Encrypt follows redirects during http-01 validation and the :443 vhost serves the same DocumentRoot; and this configuration dates from 2016, so SSLProtocol all -SSLv2 -SSLv3 still allows TLS 1.0 and 1.1, which should be disabled as well today, and the cipher list should be revisited periodically.
$ cat /usr/local/apache2/conf/extra/httpd-vhosts.conf
<VirtualHost 8.8.8.8:80>
ServerAdmin [email protected]
DocumentRoot "/home/wwwroot/zhukun.net"
# ProxyRequests Off
# ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/home/wwwroot/zhukun.net/$1
ServerName zhukun.net
ServerAlias www.zhukun.net
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
ErrorLog "logs/zhukun-error_log"
CustomLog "logs/zhukun-access_log" common
</VirtualHost>
$ cat /usr/local/apache2/conf/extra/httpd-ssl.conf
Listen 443
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
Mutex "file:/usr/local/apache2/logs/ssl_mutex"
<VirtualHost 8.8.8.8:443>
ServerAdmin [email protected]
DocumentRoot "/home/wwwroot/zhukun.net"
ProxyRequests Off
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/home/wwwroot/zhukun.net/$1
ServerName zhukun.net
ServerAlias www.zhukun.net
ErrorLog "logs/zhukun-error_log"
CustomLog "logs/zhukun-access_log" common
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/zhukun.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zhukun.net/privkey.pem
</VirtualHost>
References:
轻松搞定 Let's Encrypt 免费SSL证书 (Getting a free Let's Encrypt SSL certificate the easy way)
Let's Encrypt,启用 HTTPS (Let's Encrypt: enabling HTTPS)
=====================================================
Addendum 2016.12.01
Today I noticed the blog's certificate had expired. It looked like the crontab job was not working, so I ran it by hand:
$ /opt/letsencrypt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/zhukun.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/zhukun.net/fullchain.pem (skipped)
No renewals were attempted.
That did nothing, and I took the message to mean the renewal had failed. In hindsight it means the opposite: certbot only renews a certificate with fewer than 30 days left, so "not yet due" shows that cron had already renewed the file on disk, and the expired certificate browsers were seeing was the old one still loaded in Apache (the 2017.03.02 addendum below gets to this). Forcing a renewal and then reloading httpd fixed it; recorded here for reference:
$ /opt/letsencrypt/certbot-auto renew --force-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/zhukun.net.conf
-------------------------------------------------------------------------------
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.zhukun.net
http-01 challenge for zhukun.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0008_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0008_csr-certbot.pem
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/zhukun.net/fullchain.pem
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/zhukun.net/fullchain.pem (success)
$ /etc/init.d/httpd graceful
=====================================================
Addendum 2017.03.02
Today the blog's certificate had expired again. Running the renewal command from crontab by hand still printed:
$ /opt/letsencrypt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/zhukun.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/zhukun.net/fullchain.pem (skipped)
No renewals were attempted.
I went through the log files (/var/log/letsencrypt/letsencrypt.log) and found in letsencrypt.log.7 that a renewal had succeeded on February 6, so why did the certificate still expire on March 2? After some reading: the HTTP server has to be reloaded, otherwise the running httpd processes keep using the certificate they loaded at startup, and the new file on disk is never picked up. Certbot's own output says as much ("new certificate deployed without reload"). So I suggest changing the cron job to the following:
$ crontab -l
0 3 * * 1 /opt/letsencrypt/certbot-auto renew --quiet; /etc/init.d/httpd graceful
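The cron line above reloads Apache every Monday whether or not anything was renewed, which is harmless but hides the real event. Certbot's renew subcommand has --post-hook (runs after every renew run) and, in newer releases, --deploy-hook (runs only when a certificate was actually issued), which is the built-in way to do this. The script below is an added example, not code from the post or from certbot: it does the same bookkeeping by hand for a certbot-auto without --deploy-hook, reloading httpd only when fullchain.pem changed, and then checks that the certificate Apache actually presents on port 443 is the one on disk, which is the test that would have caught both outages above. Paths and the domain are the post's; the marker file under /var/lib/letsencrypt is my own choice.

```shell
#!/bin/sh
# Renew with certbot-auto and reload Apache only when the certificate on disk
# changed (added example, not from the post). Paths are the post's; the
# marker file location is an assumption of this script.

LIVE_CERT=/etc/letsencrypt/live/zhukun.net/fullchain.pem
STATE_FILE=/var/lib/letsencrypt/deployed.sha256   # assumed: where we record the deployed hash
CERTBOT=/opt/letsencrypt/certbot-auto
RELOAD_CMD="/etc/init.d/httpd graceful"

# fingerprint FILE -> sha256 of the PEM file (coreutils only); follows the
# live/ symlink, so it changes whenever certbot swaps in a new archive entry.
fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# cert_changed CERT STATE -> 0 if CERT's hash differs from the one recorded in
# STATE (or STATE does not exist yet), recording the new hash; 1 if unchanged;
# 2 if CERT cannot be read.
cert_changed() {
    new=$(fingerprint "$1")
    [ -n "$new" ] || return 2
    old=$(cat "$2" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    mkdir -p "$(dirname "$2")"
    printf '%s\n' "$new" > "$2"
    return 0
}

# served_matches_disk HOST CERT -> 0 if the certificate presented on HOST:443
# is the one in CERT. A fresh file and a stale process is exactly the failure
# mode in the post, and this is the check that detects it.
served_matches_disk() {
    disk=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 2
    live=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256) || return 2
    [ "$disk" = "$live" ]
}

renew_and_reload() {
    "$CERTBOT" renew --quiet || { echo "certbot renew failed" >&2; return 1; }
    if cert_changed "$LIVE_CERT" "$STATE_FILE"; then
        echo "certificate changed, reloading httpd"
        $RELOAD_CMD
    fi
    served_matches_disk zhukun.net "$LIVE_CERT" \
        || echo "WARNING: Apache is not serving $LIVE_CERT; reload it" >&2
}

# Install as e.g. /opt/letsencrypt/renew_and_reload.sh and run it from cron:
#   0 3 * * 1 /opt/letsencrypt/renew_and_reload.sh run
if [ "${1:-}" = "run" ]; then
    renew_and_reload
fi
```

The served-certificate check is also worth running on its own from monitoring, since it compares what clients actually get with what is on disk instead of trusting certbot's log.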