Let's Encrypt certificate generation and configuration

Let's Encrypt issues free SSL certificates. A certificate is valid for at most 90 days, but it can be re-issued any number of times and the request process is simple. Proof that the requester controls the domain is based on the ACME protocol; the domain can be validated by FTP, WEB or DNS. For a manual online request see https://www.sslforfree.com/

Wildcard certificates can now be requested as well: http://www.infoq.com/cn/news/2018/03/lets-encrypt-wildcard-https

Official getting-started guide: https://letsencrypt.org/getting-started/

The steps below validate the domain via the WEB method, with nginx as the example. For Tomcat, the generated certificate files must additionally be converted to another format (see https://blog.kyletang.work/2018/05/10/pem2jks/).


Prerequisites:

  1.  A domain name, e.g. 9px.in
  2.  DNS for the domain pointing to the server IP, e.g. 9px.in -> 45.32.53.16
  3.  A web server reachable on port 80 (WEB validation requires port 80), e.g. nginx. Note that for a domain and IP registered in mainland China, port 80 cannot be opened until the ICP filing is done.
server
    {
        listen 80;
        server_name 9px.in;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/9px.in;

        #include none.conf;
        #error_page   404   /404.html;
        #include enable-php.conf;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        # keep this block disabled while validating: a regex location that denies every
        # dotted path would also deny /.well-known/acme-challenge/, which http-01 must serve
        #location ~ /\.
        #{
        #    deny all;
        #}

        access_log off;
    }

Procedure:

  1. Install the Let's Encrypt client; download it from https://certbot.eff.org/
  2. Run letsencrypt-auto to issue the certificate (certbot also offers more convenient packaged methods, e.g. nginx on RHEL6: https://certbot.eff.org/lets-encrypt/centosrhel6-nginx; the basic command is used here)
    cd /root/letsencrypt && ./letsencrypt-auto certonly --webroot -w /home/wwwroot/9px.in --renew-by-default --email homects@qq.com -d 9px.in

    The command's output is shown below; the Congratulations line means it succeeded.

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for 9px.in
    Using the webroot path /home/wwwroot/9px.in for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/9px.in/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/9px.in/privkey.pem
       Your cert will expire on 2018-08-07. To obtain a new or tweaked
       version of this certificate in the future, simply run
       letsencrypt-auto again. To non-interactively renew *all* of your
       certificates, run "letsencrypt-auto renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
  3. Edit the nginx configuration and add the SSL settings
    server
        {
            listen 8000;
            listen 80;
            listen 443 ssl;   # TLS on 443 only; port 80 stays plain HTTP so the http-01 renewal keeps working
            server_name 9px.in;
            index index.html index.htm index.php default.html default.htm default.php;
            root  /home/wwwroot/9px.in;
            
            ##--SSL config-start------------------------
            # 'ssl on;' is deliberately not used: it would force TLS on every listen above (80 included)
            # and is deprecated since nginx 1.15.0; the 'ssl' parameter on listen replaces it
            ssl_certificate /etc/letsencrypt/live/9px.in/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/9px.in/privkey.pem;
            
            ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 built with OpenSSL 1.1.1; otherwise use TLSv1.2 (ssl_ciphers below only applies to TLSv1.2 and older)
            ssl_prefer_server_ciphers on;
            ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
            ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
            ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
            ssl_session_timeout  10m;
            ssl_session_cache shared:SSL:10m;
            ssl_session_tickets off; # Requires nginx >= 1.5.9
            ssl_stapling on; # Requires nginx >= 1.3.7
            ssl_stapling_verify on; # Requires nginx >= 1.3.7
            resolver $DNS-IP-1 $DNS-IP-2 valid=300s; # replace with real DNS server IPs: OCSP stapling needs a working resolver to fetch responses
            resolver_timeout 5s;
            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; # preload is hard to undo; keep it only if every subdomain serves HTTPS
            add_header X-Frame-Options DENY;
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none; # tells search engines not to index or follow; remove this on a public site
            ##--SSL config-end-------------------------
    
            #include none.conf;
            #error_page   404   /404.html;
            include enable-php.conf;
    
            location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
            {
                expires      30d;
            }
    
            location ~ .*\.(js|css)?$
            {
                expires      12h;
            }
    
            #location ~ /\.
            #{
            #    deny all;
            #}
    
            access_log off;
        }
    
  4. Reload the nginx configuration
    # lnmp stack
    lnmp nginx reload
  5. Done.
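As an added example (my own code, not from the original post, certbot or nginx), a small Python checker for the two things in a step-3 style config that bite at renewal time: `ssl on` applied to the port-80 listener that the http-01 challenge needs, and a dotfile `deny all` location that would also block `/.well-known/acme-challenge/`. The sample config is constructed and the function names are my own.

```python
import re

def parse_nginx(text):
    """Flatten a config into (enclosing block headers, directive words) pairs, e.g.
    (['server', 'location ~ /\\.'], ['deny', 'all']). Comments run from '#' to end of line."""
    out, stack, buf = [], [], ""
    for ch in "\n".join(l.split("#", 1)[0] for l in text.splitlines()):
        if ch == "{":
            stack.append(" ".join(buf.split())); buf = ""
        elif ch == "}":
            stack.pop(); buf = ""
        elif ch == ";":
            if buf.split():
                out.append((list(stack), buf.split()))
            buf = ""
        else:
            buf += ch
    return out

def check_server(text):
    """Findings that would break http-01 renewal or weaken TLS; [] means clean."""
    dirs = parse_nginx(text)
    top = [(c, w) for c, w in dirs if c and c[-1] == "server"]  # directly inside server{}
    listens = [w[1:] for c, w in top if w[0] == "listen"]
    findings = []
    if any(w[:2] == ["ssl", "on"] for c, w in top) and any("ssl" not in l for l in listens):
        findings.append("'ssl on' makes every listen speak TLS, including :80, so the "
                        "http-01 challenge on :80 fails; use 'listen 443 ssl' instead")
    for c, w in top:
        weak = sorted({"SSLv3", "TLSv1", "TLSv1.1"} & set(w[1:])) if w[0] == "ssl_protocols" else []
        if weak:
            findings.append("weak protocols enabled: " + " ".join(weak))
    # a regex location beats a plain prefix, so the ACME exception must use '^~'
    acme_ok = any(re.match(r"location\s+\^~\s+\S*acme-challenge", c[-1]) for c, w in dirs if c)
    for c, w in dirs:
        if len(c) > 1 and c[-2] == "server" and "/\\." in c[-1] and w == ["deny", "all"] and not acme_ok:
            findings.append("'%s' also denies /.well-known/acme-challenge/; add a "
                            "'location ^~ /.well-known/acme-challenge/' block" % c[-1])
    return findings

# constructed sample in the shape of the step-3 config above: 'ssl on' next to 'listen 80'
PAGE_STYLE = """server {
    listen 80; server_name 9px.in; root /home/wwwroot/9px.in;
    ssl on; ssl_protocols TLSv1.3;
    location ~ /\\. { deny all; }
}"""

if __name__ == "__main__":
    for f in check_server(PAGE_STYLE):
        print("-", f)
```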

Scheduled task to regenerate the certificate every month:

  1. Create a script renew-certs.sh that issues the certificate and reloads nginx
    #!/bin/bash
    # Re-issue the certificate over the webroot and reload nginx. --renew-by-default forces a
    # new certificate on every run, so keep the schedule to once a month to stay within
    # Let's Encrypt rate limits. Exit non-zero if issuance fails so the cron log shows it.
    cd /root/letsencrypt && ./letsencrypt-auto certonly --webroot -w /home/wwwroot/9px.in --renew-by-default --email homects@qq.com -d 9px.in || exit 1
    lnmp nginx reload

    Then add a crontab entry (crontab -e) that runs renew-certs.sh at 03:00 on the 1st of every month:

    0 3 1 * * /root/renew-certs.sh > /root/renew-certs.log 2>&1
  2. Run the script once by hand to test it
     /root/renew-certs.sh > /root/renew-certs.log 2>&1

Let's Encrypt (free certificates), official site: https://letsencrypt.org/

Let's Encrypt's official certbot client: https://certbot.eff.org/

Recommended strong SSL configuration: https://cipherli.st/
