1. Introduction to HTTPS

All the major vendors are pushing HTTPS now: Google requires several of its top-level domains to be served only over HTTPS, Apple requires app developers to use HTTPS throughout, and so on. So what is HTTPS? It is simply an extension of HTTP: the same HTTP messages are carried inside an SSL/TLS session, which encrypts the traffic, protects it from tampering and authenticates the server to the client. The workflow is as follows:

[Figure: An overview of the SSL or TLS handshake]

Image from IBM Knowledge Center: An overview of the SSL or TLS handshake
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660_.htm

Note step (2): the server sends the client its server certificate. It contains information about the server, such as the domain name, organisation details, serial number and the issuer's signature. A certificate can be self-signed or issued by a certificate authority (CA). Clients do not trust self-signed certificates by default, whereas a certificate signed by a CA in the client's trust store is accepted. This is the step that authenticates the server: the client checks that the signature chains to a trusted root and that the certificate's name matches the host it connected to, which is what stops an attacker from substituting their own certificate and reading the session.

For details see: 细说 CA 和证书 (a detailed look at CAs and certificates, in Chinese)
https://www.barretlee.com/blog/2016/04/24/detail-about-ca-and-certs/

2. Let's Encrypt

There are many CAs that issue certificates, some paid and some free; Let's Encrypt is one of the free ones.
https://letsencrypt.org/

2.1 How do you obtain a certificate from Let's Encrypt?

To obtain a certificate for a domain from Let's Encrypt you have to prove that you control that domain. The proof is carried out by software that implements the ACME protocol (the CA issues a challenge, the client satisfies it, the CA verifies it and then issues the certificate). Certbot, developed by the EFF, is the ACME client that Let's Encrypt recommends.

3. Introduction to Certbot

First, some Certbot concepts.

3.1 Authenticators and Installers

Certbot supports two kinds of plugin. Authenticators prove control of the domain to the CA (they answer the ACME challenge) and obtain the certificate; installers take an obtained certificate and install it in a web server. Some plugins do only one of the two; others, such as nginx, do both.

Installing a certificate means automatically editing the web server's configuration files, for example one of nginx's .conf files.

Authenticator plugins are used with the certonly subcommand, which only obtains a certificate; installer plugins are used with the install subcommand, which only installs an existing one. Running certbot with a plugin that does both (for example --nginx) and no subcommand obtains and installs in one go.

3.2 Plugin overview

Brief notes on a few commonly used plugins:

Webroot: use this when a web server is already running on the host and you can write to the directory it serves. Certbot places the challenge token under <webroot>/.well-known/acme-challenge/ and the CA fetches it over plain HTTP, so the web server keeps running while the certificate is issued.

Standalone: use this when no web server is running on the host. Certbot starts a temporary web server of its own to answer the challenge, so port 80 (or 443) must be free and reachable from the Internet; anything already listening there has to be stopped first, for example with --pre-hook and --post-hook. (The port-443 TLS-SNI challenge has since been retired by Let's Encrypt; the HTTP challenge on port 80 is the one to plan for.)

Nginx: obtains and installs the certificate automatically (it edits the nginx configuration for you).

3.3 Certbot workflow

Using Certbot involves the following steps:

Install Certbot

Obtain a certificate

Configure the web server

Renew the certificate

3.4 Installing Certbot

For installation see the Certbot site: pick your web server and operating system and it shows the commands for that combination.

https://certbot.eff.org/lets-encrypt/centosrhel7-apache

CentOS 6

wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot
sudo chown root /usr/local/bin/certbot
sudo chmod 0755 /usr/local/bin/certbot

certbot-auto is a self-updating wrapper that runs as root, so verify the download against its detached signature (certbot-auto.asc, published next to it and signed with EFF's key) before moving it into place. certbot-auto has since been deprecated; on current systems install the distribution package or the snap instead.

CentOS 7 (the package comes from EPEL, so enable that repository first)

yum install python2-certbot-nginx

3.5 Obtaining a certificate

For nginx you can use certbot --nginx to obtain and install the certificate in one step; with the certonly subcommand it only obtains the certificate and leaves the configuration to you:

certbot --nginx certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): 278202253@qq.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n

Which names would you like to activate HTTPS for?

Select the site(s) you want a certificate for.

If nginx was compiled from source, the nginx plugin cannot find it: it looks for an nginx binary on PATH and for the configuration under /etc/nginx, so you need symlinks (or the plugin options mentioned below). Error:

The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.",)

Fix (alternatively, point the plugin at the binary with --nginx-ctl /usr/local/nginx/sbin/nginx instead of symlinking):

ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

Error:

nginx: [emerg] open() "/etc/nginx/nginx.conf" failed (2: No such file or directory)

Fix (or pass --nginx-server-root /usr/local/nginx/conf to the plugin):

ln -s /usr/local/nginx/conf /etc/nginx

Error:

certbot --nginx certonly
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in <module>
load_entry_point('certbot==0.24.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 378, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2566, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
entry = __import__(self.module_name, globals(),globals(), ['__name__'])
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 17, in <module>
from certbot import account
File "/usr/lib/python2.7/site-packages/certbot/account.py", line 17, in <module>
from acme import messages
File "/usr/lib/python2.7/site-packages/acme/messages.py", line 7, in <module>
from acme import challenges
File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 11, in <module>
import requests
File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module>
from . import utils
File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in <module>
from .exceptions import InvalidURL
File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in <module>
from .packages.urllib3.exceptions import HTTPError as BaseHTTPError
File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 95, in load_module
raise ImportError("No module named '%s'" % (name,))
ImportError: No module named 'requests.packages.urllib3'

Fix. The traceback shows the RPM-packaged requests library failing to import urllib3; a common cause is that pip-installed and yum-installed copies of these two libraries have been mixed in the system site-packages. Force-reinstalling a matching pair with pip, as below, gets certbot running again, but it pins requests to a 2015 release and leaves those files outside the package manager's control; reinstalling the distribution packages (python-requests and python-urllib3) with yum is the cleaner fix.

pip2.7 install --upgrade --force-reinstall 'requests==2.6.0' urllib3

Once the certificate has been obtained, certbot certificates lists the certificates certbot manages:

root@node01:~# certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: www.youdomain.com
    Domains: www.youdomain.com
    Expiry Date: 2018-09-03 02:08:54+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.youdomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.youdomain.com/privkey.pem

The paths under live/ are symlinks that certbot repoints at every renewal, so reference these paths in the web server configuration rather than the versioned files under archive/. fullchain.pem is the leaf certificate plus the intermediate; privkey.pem is the private key and must not be readable by unprivileged users.


3.6 Configuring the web server

Configuration differs between web servers; taking nginx as the example, add the following to the site's configuration file, yourdomain.conf:

server {
    # Listen on both IPv4 and IPv6; [::]:80 alone would serve IPv6 clients only,
    # and the HTTP challenge needs port 80 reachable over IPv4 as well.
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name www.yourdomain.com;

    root /var/www/yourdomain;
    index index.html index.htm;

    charset utf-8;
    #.................

    # fullchain.pem = leaf certificate + intermediate; privkey.pem = private key.
    # Both are symlinks under live/ that certbot repoints on renewal.
    ssl_certificate /etc/letsencrypt/live/www.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.yourdomain.com/privkey.pem;
}

This assumes you are familiar with nginx configuration.

After editing, check the configuration with nginx -t and then reload it (nginx -s reload). That completes the certificate setup; under normal conditions the site is now reachable over HTTPS.

3.7 Renewing certificates

Certificates issued by Let's Encrypt are valid for only 90 days, so they have to be renewed regularly. The short lifetime is deliberate: it limits the damage from a compromised key and forces renewal to be automated rather than done by hand.

Renewing certificates
https://certbot.eff.org/docs/using.html#renewing-certificates

Renewal command (it renews only certificates with fewer than 30 days of validity left, so it is safe to run often):

certbot renew

Scheduled automatic renewal

crontab -e
0 */12 * * * certbot renew --quiet

Run the job at least daily, twice a day as certbot recommends. With a 90-day certificate and a 30-day renewal window, a job that runs only every couple of months gets a single attempt inside the window, and one transient failure (DNS, network, something else on port 80) would let the certificate expire. --quiet suppresses output unless something goes wrong, which is what you want from cron.

If the certificate was obtained with the nginx plugin, renewal re-runs the nginx installer; if that step fails in your setup, renew with certbot renew --quiet --installer null instead. With the null installer nothing reloads nginx, and nginx keeps serving the old certificate from memory until it is reloaded, so add --deploy-hook "nginx -s reload" to the renew command.
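As an added example (not from the original post or the Certbot project), the following wraps renewal for cron so that nginx is reloaded only when a certificate actually changed, and adds a check that fails loudly when a managed certificate is close to expiry, so a silently broken renewal job is noticed before the 90-day lifetime runs out. The script path /usr/local/sbin/renew-certs.sh and the domains and dates in the sample output are made up.

```shell
#!/bin/sh
# Added example (not from the original post): renewal wrapper plus expiry check.
# Assumes certbot >= 0.17 (--deploy-hook) and an nginx reloaded with
# "nginx -s reload"; use "systemctl reload nginx" on systemd hosts.
set -eu

WARN_DAYS="${WARN_DAYS:-20}"

# renew: "certbot renew" only renews certificates with fewer than 30 days left,
# so running it twice a day is cheap. --deploy-hook runs once per certificate
# that was actually renewed; that is the right place to reload nginx, which
# otherwise keeps serving the old certificate from memory. If the nginx
# installer step fails on a source-built nginx (as in the post), add
# --installer null so the hook alone does the reload.
renew() {
    certbot renew --quiet --deploy-hook "nginx -s reload"
}

# check_expiry [warn_days]: reads "certbot certificates" output on stdin,
# prints one status line per certificate and exits 1 if any certificate is
# expired or otherwise invalid, or has fewer than warn_days days left.
check_expiry() {
    awk -v warn="${1:-$WARN_DAYS}" '
        /^ *Certificate Name:/ { name = $3 }
        /^ *Expiry Date:/ {
            # Text in parentheses: "VALID: 89 days", "INVALID: EXPIRED", ...
            match($0, /\(.*\)/)
            status = substr($0, RSTART + 1, RLENGTH - 2)
            if (status ~ /^VALID: /) {
                split(status, f, " ")
                days = f[2] + 0
                if (days < warn) { printf "WARN %s: %d days left\n", name, days; bad = 1 }
                else             { printf "OK   %s: %d days left\n", name, days }
            } else {
                printf "FAIL %s: %s\n", name, status; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample of "certbot certificates" output so the parser can be
# exercised offline; the domains and dates are made up.
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: www.example.com
    Domains: www.example.com
    Expiry Date: 2018-09-03 02:08:54+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.com/privkey.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2018-06-20 00:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem
  Certificate Name: test.example.com
    Domains: test.example.com
    Expiry Date: 2018-05-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/test.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test.example.com/privkey.pem'

# Crontab entries (certbot recommends attempting renewal twice a day); wire the
# exit status of the check into whatever alerting you already have:
#   0 */12 * * *  /usr/local/sbin/renew-certs.sh renew
#   30 8 * * *    certbot certificates | /usr/local/sbin/renew-certs.sh check
# "selftest" runs the check over the sample and exits 1, because two of the
# three constructed certificates are in a bad state.
case "${1:-}" in
    renew)    renew ;;
    check)    check_expiry "${2:-}" ;;
    selftest) printf '%s\n' "$SAMPLE_OUTPUT" | check_expiry 20 ;;
esac
```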