Let’s Encrypt证书生成及配置

Let’s Encrypt 提供免费的SSL证书，证书有效期最长90天，可以多次连续申请，申请方便。基于ACME协议验证用户对域名有使用权。可以使用FTP、WEB、DNS三种方式来验证域名的有效性。在线手动申请可参考https://www.sslforfree.com/

现在可以申请通配符域名证书 http://www.infoq.com/cn/news/2018/03/lets-encrypt-wildcard-https

官方入门 https://letsencrypt.org/getting-started/

以下是通过WEB方式验证域名有效性，以nginx为例，如果是tomcat，生成的证书文件还需要进行格式转换（方法见 https://blog.kyletang.work/2018/05/10/pem2jks/）

准备条件：

1.  有一个域名，比如 9px.in
2.  解析到ip，比如 9px.in  -> 45.32.53.16
3.  配置一个web服务，需要80端口（WEB验证必须为80端口），比如nginx，注意，国内申请的域名和ip，需要先进行ICP备案后才能访问80端口

server
    {
        listen 80;
        server_name 9px.in;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/9px.in;

        #include none.conf;
        #error_page   404   /404.html;
        #include enable-php.conf;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        #location ~ /\.
        #{
        #    deny all;
        #}

        access_log off;
    }

开始操作:

1. 安装Let’s Encrypt工具，从这里下载 https://certbot.eff.org/
2. 执行letsencrypt-auto命令生成证书(certbot提供了更方便的方式，比如nginx on RHEL6 https://certbot.eff.org/lets-encrypt/centosrhel6-nginx，这里使用基础的命令)

   cd /root/letsencrypt && ./letsencrypt-auto certonly --webroot -w /home/wwwroot/9px.in --renew-by-default --email homects@qq.com -d 9px.in

   命令执行的日志如下：提示Congratulations表示成功了。

   Saving debug log to /var/log/letsencrypt/letsencrypt.log
   Plugins selected: Authenticator webroot, Installer None
   Renewing an existing certificate
   Performing the following challenges:
   http-01 challenge for 9px.in
   Using the webroot path /home/wwwroot/9px.in for all unmatched domains.
   Waiting for verification...
   Cleaning up challenges
   
   IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at:
      /etc/letsencrypt/live/9px.in/fullchain.pem
      Your key file has been saved at:
      /etc/letsencrypt/live/9px.in/privkey.pem
      Your cert will expire on 2018-08-07. To obtain a new or tweaked
      version of this certificate in the future, simply run
      letsencrypt-auto again. To non-interactively renew *all* of your
      certificates, run "letsencrypt-auto renew"
    - If you like Certbot, please consider supporting our work by:
   
      Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
      Donating to EFF:                    https://eff.org/donate-le

3. 修改配置，增加SSL配置信息

   server
       {
           listen 8000;
           listen 80;
           server_name 9px.in;
           index index.html index.htm index.php default.html default.htm default.php;
           root  /home/wwwroot/9px.in;
           
           ##--SSL配置-start------------------------
           ssl on;
           ssl_certificate /etc/letsencrypt/live/9px.in/fullchain.pem;
           ssl_certificate_key /etc/letsencrypt/live/9px.in/privkey.pem;
           
           ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
           ssl_prefer_server_ciphers on; 
           ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
           ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
           ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
           ssl_session_timeout  10m;
           ssl_session_cache shared:SSL:10m;
           ssl_session_tickets off; # Requires nginx >= 1.5.9
           ssl_stapling on; # Requires nginx >= 1.3.7
           ssl_stapling_verify on; # Requires nginx => 1.3.7
           resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
           resolver_timeout 5s; 
           add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
           add_header X-Frame-Options DENY;
           add_header X-Content-Type-Options nosniff;
           add_header X-XSS-Protection "1; mode=block";
           add_header X-Robots-Tag none;
           ##--SSL配置-end-------------------------
   
           #include none.conf;
           #error_page   404   /404.html;
           include enable-php.conf;
   
           location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
           {
               expires      30d;
           }
   
           location ~ .*\.(js|css)?$
           {
               expires      12h;
           }
   
           #location ~ /\.
           #{
           #    deny all;
           #}
   
           access_log off;
       }
   

4. 重载nginx配置

   #lnmp服务
   lnmp nginx reload

5. 大功告成

配置定时任务每月自动生成:

1. 设置定时任务，新建脚本renew-certs.sh，生成证书并重载nginx配置

   #!/bin/bash
   
   cd /root/letsencrypt && ./letsencrypt-auto certonly --webroot -w /home/wwwroot/9px.in --renew-by-default --email homects@qq.com -d 9px.in
   lnmp nginx reload

   增加crontab每月1日凌晨3点执行renew-certs.sh脚本，crontab -e

   0 3 1 * * /root/renew-certs.sh > /root/renew-certs.log 2>&1

2. 执行脚本进行测试

    /root/renew-certs.sh > /root/renew-certs.log 2>&1

免费证书Let’s Encrypt官网：https://letsencrypt.org/

Let’s Encrypt官方的certbot工具：https://certbot.eff.org/

强壮的SSL配置推荐：https://cipherli.st/