172173.com

HTTPS-使用Certbot自动配置Let’s Encrypt证书

1. HTTPS基本介绍

现在各大厂商都在推行HTTPS,比如谷歌要求多个顶级域名要用HTTPS来加密,苹果要求开发者全部采用HTTPS等等。那什么是HTTPS呢?其实HTTPS只是HTTP的一个拓展,是在HTTP的基础上利用SSL/TLS来加密数据包的。工作流程如下:

image

An overview of the SSL or TLS handshake

图片来自IBM Knowledge Center: An overview of the SSL or TLS handshake
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660_.htm

注意第(2)步Server给Client发送了一个Server certificates,这个里面包含有Server的一些信息,如域名、公司信息、序列号和签名信息组成等,这个证书可以个人生成,也可以由权威机构签发,当然个人的就不受大众信任,而权威机构签发的证书则会被信任。

具体的可以参考:细说 CA 和证书
https://www.barretlee.com/blog/2016/04/24/detail-about-ca-and-certs/

2. Let’s Encrypt

CA的证书提供商有许多个,有收费的有免费的,而Let’s Encrypt就是其中之一的免费提供商。
https://letsencrypt.org/

2.1 如何获取Let’s Encript的证书呢?

要从Let’s Encript获取某个域名的证书,需要证明那你对该域名拥有控制权,对于该证明你可以使用某个使用ACME协议的软件来实现,而Certbot就是官方出的一个ACME客户端。

3. Certbot介绍

先介绍一些Certbot相关概念。

3.1 Authenticators和Installers

Certbot支持两种类型的plugin,一种是用来获取和安装证书的,成为称为Authenticators;另外一种是用来安装证书的,称为Installers。有的plugin支持一种,有的两种都支持,如nginx。

安装证书:自动修改配置文件,如修改nginx的某个.conf文件

Authenticators plugin使用certonly命令来获取证书,而Installers plugin使用install命令来安装证书。

3.2 plugin说明

下面列举几个常用的plugin作简要说明:

Webroot:本地有运行webserver并且有能力修改其配置,就可以用该种方式(创建隐藏文件.well-known),获取证书时无需暂停webserver的运行。

Standalone:服务器未运行webserver可以使用该方式,要保持80或443端口开放。

Nginx:自动获取和安装证书(自动修改配置文件)。

3.3 Certbot使用流程

Certbot的使用包含以下几个部分:

安装Certbot

生成证书

配置Web Server

更新证书

3.4 Certbot安装

安装Certbot参考:Certbot,直接选择软件和操作系统即可。

https://certbot.eff.org/lets-encrypt/centosrhel7-apache

centos 6

1
2
3
4
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot
sudo chown root /usr/local/bin/certbot
sudo chmod 0755 /usr/local/bin/certbot

centos 7

1
yum install python2-certbot-nginx

3.4 获取证书

对于nginx可以使用certbot –nginx来获取和安装证书。

1
certbot --nginx certonly

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n

Which names would you like to activate HTTPS for?
选择你需要证书的站点

自己编译安装的nginx 需要增加软连接
报错

1
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.",)

解决

1
ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

报错

1
nginx: [emerg] open() "/etc/nginx/nginx.conf" failed (2: No such file or directory)

解决

1
ln -s /usr/local/nginx/conf /etc/nginx

报错

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
certbot --nginx certonly
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in <module>
load_entry_point('certbot==0.24.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 378, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2566, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
entry = __import__(self.module_name, globals(),globals(), ['__name__'])
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 17, in <module>
from certbot import account
File "/usr/lib/python2.7/site-packages/certbot/account.py", line 17, in <module>
from acme import messages
File "/usr/lib/python2.7/site-packages/acme/messages.py", line 7, in <module>
from acme import challenges
File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 11, in <module>
import requests
File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module>
from . import utils
File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in <module>
from .exceptions import InvalidURL
File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in <module>
from .packages.urllib3.exceptions import HTTPError as BaseHTTPError
File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 95, in load_module
raise ImportError("No module named '%s'" % (name,))
ImportError: No module named 'requests.packages.urllib3'

解决

1
pip2.7 install --upgrade --force-reinstall 'requests==2.6.0' urllib3

获取完之后可以通过certbot certificates命令查看证书:

[email protected]:~# certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log——————————————————————————-
Found the following certs:
Certificate Name: www.youdomain.com
Domains: www.youdomain.com
Expiry Date: 2018-09-03 02:08:54+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.youdomain.com/fullchain.pem

Private Key Path: /etc/letsencrypt/live/www.youdomain.com/privkey.pem

3.5 配置Web Server

不同Web Server的配置方式不同,这里以Nginx为例,在配置文件youdomain.conf中添加:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
server {
listen [::]:80;

root /var/www/youdomain;
index index.html index.htm;

server_name www.yourdomain.com;

charset utf-8;
#.................

listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/www.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.yourdomain.com/privkey.pem;

}

需要了解Nginx的使用

配置完之后更新配置即可(nginx -s reload),到这里证书配置就完成了,正常情况下该域名HTTPS就可以访问了。

3.7 更新证书

由于Let’s Encrypt颁发的证书的有效期只有90天,这就需要更新证书。

Renewing certificates
https://certbot.eff.org/docs/using.html#renewing-certificates

更新命令

1
certbot renew

计划任务自动更新

1
2
crontab -e
15 2 20 */2 * certbot renew

如果使用了nginx plugin,则更新时需要使用certbot renew –quiet –installer node,否则会自动安装证书导致错误。

 评论