网站https
网站https化已是大势所趋,个人blog也都可以把https玩儿起来!
Let’s Encrypt
1
2
3
| 这个免费、自动化、开放的证书签发服务。它由 ISRG(Internet Security Research Group,互联网安全研究小组)提供服务,而 ISRG 是来自于美国加利福尼亚州的一个公益组织。Let's Encrypt 得到了 Mozilla、Cisco、Akamai、Electronic Frontier Foundation 和 Chrome 等众多公司和机构的支持,发展十分迅猛。
申请 Let's Encrypt 证书不但免费,还非常简单,虽然每次只有 90 天的有效期,但可以通过脚本定期更新,配好之后一劳永逸。经过一段时间的观望,我也正式启用 Let's Encrypt 证书了,本文记录本站申请过程和遇到的问题。
我没有使用 Let's Encrypt 官网提供的工具来申请证书,而是用了 [acme.sh](http://https://github.com/Neilpang/acme.sh "acme.sh") 这个更为小巧的开源工具。以下内容基本按照 acme的说明文档写的,省略了一些我不需要的步骤。
|
配置验证服务
1
| 传统 CA 的验证方式一般是往 admin@youremail.com 发验证邮件,而 Let's Encrypt 是在你的服务器上生成一个随机验证文件,再通过创建 CSR 时指定的域名访问,如果可以访问则表明你对这个域名有控制权。
|
配置前提
通过web访问check域名权限
步骤1(建立目录或者nginx访问规则)
CA认证
1
2
3
4
5
| location ^~ /.well-known/acme-challenge/ {
# 注:这里的$challenges_dir请替换成你自己的真实目录,如:/home/work/www/challenges/
alias $challenges_dir;
try_files $uri =404;
}
|
or
1
2
| 在项目根目录添加.well-known/acme-challenge
Let's Encrypt 用来校验网站权限
|
步骤二 生成证书
1
| ./acme.sh --issue -d diancan.xiaochengxu.phpblog.com.cn --webroot /home/www/xiaochengxu/diancan
|
步骤三 cp证书到指定位置
1
2
3
4
| acme.sh --installcert -d www.your-app.com \
--keypath /usr/local/nginx/ssl/diancan.xiaochengxu.phpblog.com.cn.key \
--fullchainpath /usr/local/nginx/ssl/diancan.xiaochengxu.phpblog.com.cn.key.pem \
--reloadcmd " /usr/local/nginx/sbin/nginx -s reload"
|
步骤四 配置nginx
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| server {
listen 80;
server_name diancan.xiaochengxu.phpblog.com.cn;
location / {
rewrite ^/(.*)$ https://diancan.xiaochengxu.phpblog.com.cn;
}
}
server {
listen 443 ssl;
server_name diancan.xiaochengxu.phpblog.com.cn;
include /usr/local/nginx/ssl/ssl_params;
ssl_certificate /usr/local/nginx/ssl/diancan.xiaochengxu.phpblog.com.cn/diancan.xiaochengxu.phpblog.com.cn.cer;
ssl_certificate_key /usr/local/nginx/ssl/diancan.xiaochengxu.phpblog.com.cn/diancan.xiaochengxu.phpblog.com.cn.key;
root /home/www/diancan/xiaochengxu; # 该项要修改为你准备存放相关网页的路径
include /usr/local/nginx/ssl/ssl_headers;
location / {
try_files $uri $uri/ /index.php?$query_string;
index index.php index.html index.htm;
}
location ~ \.php$ {
include /usr/local/nginx/conf/fastcgi.conf;
fastcgi_intercept_errors on;
fastcgi_pass 127.0.0.1:9000;
}
}
|
1
2
3
4
5
6
7
8
9
10
11
12
| # out /usr/local/nginx/ssl/ssl_headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
# out /usr/local/nginx/ssl/ssl_params
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /usr/local/nginx/ssl/dhparam.pem; # See https://weakdh.org/sysadmin.html for more details
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
dhparam.pem这个文件是我之前就生成好的,生成命令
openssl dhparam -out /usr/local/nginx/ssl/dhparam.pem 2048
|
步骤五 重启nginx查看
证书自动更新
申请下来的证书有效期只有90天
1
2
3
| 在crontab 中添加一条命令
0 0 * * * /home/work/opbin/ssl/acme.sh-master/acme.sh --cron --home /home/work/opbin/ssl/acme.sh-master/acme.sh
此处就是每天凌晨检查证书 证书会在60天的时候更新 因为acme会记住之前执行的installcert,所以更新完证书之后他会自动重启一下nginx 如果之前运行installcert的时候没有输入reloadcmd,则需要更新之后自己手动重启(这样就没有自动更新的意义了)
|
通过dns配置check权限
手动配置
步骤1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
| [work@iZ25ndyf9bxZ acme.sh-master]$ !1019
./acme.sh --issue --dns -d *.test.com -d test.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Sep 11 21:24:56 CST 2018] Creating domain key
[Tue Sep 11 21:24:56 CST 2018] The domain key is here: /home/work/.acme.sh/*.test.com/*.test.com.key
[Tue Sep 11 21:24:56 CST 2018] Multi domain='DNS:*.test.com,test.com'
[Tue Sep 11 21:24:56 CST 2018] Getting domain auth token for each domain
[Tue Sep 11 21:24:59 CST 2018] Getting webroot for domain='*.test.com'
[Tue Sep 11 21:25:00 CST 2018] Getting webroot for domain='test.com'
[Tue Sep 11 21:25:00 CST 2018] Add the following TXT record:
[Tue Sep 11 21:25:00 CST 2018] Domain: '_acme-challenge.test.com'
[Tue Sep 11 21:25:00 CST 2018] TXT value: 'Oe0iBXj3QvUErZOpROldRLx5jpyXbazsX36lkI46C_Y'
[Tue Sep 11 21:25:00 CST 2018] Please be aware that you prepend _acme-challenge. before your domain
[Tue Sep 11 21:25:00 CST 2018] so the resulting subdomain will be: _acme-challenge.test.com
[Tue Sep 11 21:25:00 CST 2018] Add the following TXT record:
[Tue Sep 11 21:25:00 CST 2018] Domain: '_acme-challenge.test.com'
[Tue Sep 11 21:25:00 CST 2018] TXT value: 'qVFtVzCnBsj1omQcdU1m8180rUBO8V5AHDczFUHqsMY'
[Tue Sep 11 21:25:00 CST 2018] Please be aware that you prepend _acme-challenge. before your domain
[Tue Sep 11 21:25:00 CST 2018] so the resulting subdomain will be: _acme-challenge.test.com
[Tue Sep 11 21:25:00 CST 2018] Please add the TXT records to the domains, and re-run with --renew.
[Tue Sep 11 21:25:00 CST 2018] Please check log file for more details: /home/work/.acme.sh/acme.sh.log
[work@iZ25ndyf9bxZ acme.sh-master]$ ./acme.sh --renew --dns -d *.test.com -d test.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Sep 11 21:31:18 CST 2018] Renew: '*.test.com'
[Tue Sep 11 21:31:19 CST 2018] Multi domain='DNS:*.test.com,test.com'
[Tue Sep 11 21:31:19 CST 2018] Getting domain auth token for each domain
[Tue Sep 11 21:31:19 CST 2018] Verifying:*.test.com
[Tue Sep 11 21:31:24 CST 2018] Success
[Tue Sep 11 21:31:24 CST 2018] Verifying:test.com
[Tue Sep 11 21:31:27 CST 2018] Success
[Tue Sep 11 21:31:27 CST 2018] Verify finished, start to sign.
[Tue Sep 11 21:31:30 CST 2018] Cert success.
这个上面说的是需要在dns中添加
Domain: '_acme-challenge.test.com'
TXT value: 'Oe0iBXj3QvUErZOpROldRLx5jpyXbazsX36lkI46C_Y'
与
Domain: '_acme-challenge.test.com'
TXT value: 'qVFtVzCnBsj1omQcdU1m8180rUBO8V5AHDczFUHqsMY'
|
生效后
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
| [work@iZ25ndyf9bxZ acme.sh-master]$ ./acme.sh --renew --dns -d *.test.com -d test.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Sep 11 21:31:18 CST 2018] Renew: '*.test.com'
[Tue Sep 11 21:31:19 CST 2018] Multi domain='DNS:*.test.com,DNS:test.com'
[Tue Sep 11 21:31:19 CST 2018] Getting domain auth token for each domain
[Tue Sep 11 21:31:19 CST 2018] Verifying:*.test.com
[Tue Sep 11 21:31:24 CST 2018] Success
[Tue Sep 11 21:31:24 CST 2018] Verifying:test.com
[Tue Sep 11 21:31:27 CST 2018] Success
[Tue Sep 11 21:31:27 CST 2018] Verify finished, start to sign.
[Tue Sep 11 21:31:30 CST 2018] Cert success.
-----BEGIN CERTIFICATE-----
MIIGGDCCBQCgAwIBAgISA/ZIZ/p9WiVXaWSVytreKZWhMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA5MTExMjMxMjNaFw0x
ODEyMTAxMjMxMjNaMBoxGDAWBgNVBAMMDyoueG1hbmxlZ2FsLmNvbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANnH033ObKrmxX9eLIKqt3kKxcIrcfab
qnLJ0nGnjLRaOXco7B3q865OHx4PTKNT89RSAzfJQ5ZSXBY8QqbZAKv8kAzPA7yE
0wliJ3rYCesVfAR1CgnOc+jQkTjlZp0q138/GDthgplvaziJUTaGL31Dj338oFU3
xmyMxp2JmzUUjD4KkoHPZql5xkQ3pLzxRInWGMfal7f4oHaZQJr1Xwyu5BR/m9G1
+PBlmqGsTka75n5i8uchjIFPAuH48c9fEJXLB0TSUfvAdi9HDpVxXsglmiw4eL5J
F5ORYIKajAXObt/vl2uNbUHYV5Mr74jr7U/YqAA48X/x9jeHaVNSS/sCAwEAAaOC
AyYwggMiMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUhLPM1+fVbGsgfc1CFAsRyu96
DUMwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEE
YzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnLzApBgNVHREEIjAggg8qLnhtYW5sZWdhbC5jb22CDXhtYW5sZWdhbC5jb20w
gf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsG
AQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIw
gZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5
IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhl
IENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0
Lm9yZy9yZXBvc2l0b3J5LzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AMEWSuCn
ctLUOS3ICsEHcNTwxJvemRpIQMH6B1Fk9jNgAAABZcjUVQgAAAQDAEcwRQIhALEw
fEJJ6OS6IiWZNXZEO/ymIAgZGpD812KCt484URUHAiAW6FCC+6rYa1AFUdT/vFcC
3nc4MC9IGHLPOKyiyC8pEAB2AKRQEmkFWhVUXmIRqze8ED9irlV2pF5LFxRFPhsi
EGolAAABZcjUVQoAAAQDAEcwRQIgETcbXZ/E5QEB/oRR3xr4B3dZELF4TfnTJJgH
7J8YF9gCIQCKq4jXNwJjCAJDz0K81MaoAZ23CImUYJIHCVJTitzphzANBgkqhkiG
9w0BAQsFAAOCAQEAPWWEp4v4cvU3c+fgt2a0mQXI5q0gmYQAYaxyXubs3HfxFsFX
zroAPH6wvLk/Cw1EciBInnXtvQ+DDfi4FsyhWn598czJ/YEIGiV7ZCi1Ah8NVniS
T+R3nVIBqhSDCGOpmHdvtfCRCoZErAVFvv0ABsQUSQHkEYmiPwEddhU5srOENzcV
4qel/9/bzK3hGlPWB8jLvWQ8uHtSHibGAJsnEG0rMYkFs6pqnzM2EFdRNfm3axDK
D8Gai7V5Ezu31iwvgZXjLmhl6xtH3CzkqmPaDarxJtnZLet8SLaEY0inmbhvupOG
LUuO+EnAXlxk40z8V1/GtWuyYMz38OwCWcB5fA==
-----END CERTIFICATE-----
[Tue Sep 11 21:31:30 CST 2018] Your cert is in /home/work/.acme.sh/*.test.com/*.test.com.cer
[Tue Sep 11 21:31:30 CST 2018] Your cert key is in /home/work/.acme.sh/*.test.com/*.test.com.key
[Tue Sep 11 21:31:30 CST 2018] The intermediate CA cert is in /home/work/.acme.sh/*.test.com/ca.cer
[Tue Sep 11 21:31:30 CST 2018] And the full chain certs is there: /home/work/.acme.sh/*.test.com/fullchain.cer
[Tue Sep 11 21:31:30 CST 2018] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
[Tue Sep 11 21:31:30 CST 2018] Call hook error.
|
生成成功后配置
1
2
3
4
5
6
7
8
9
| [work@iZ25ndyf9bxZ acme.sh-master]$ ./acme.sh --installcert -d *.xmanlegal.com \
> --key-file /mnt/usr/ssl/xmanlegal.com/xmanlegal.com.key \
> --fullchain-file /mnt/usr/ssl/xmanlegal.com/xmanlegal.com.key.cer \
> --reloadcmd "echo "Asdf1234" sudo -S /mnt/usr/sbin/nginx -s reload"
[Tue Sep 11 21:36:31 CST 2018] Installing key to:/mnt/usr/ssl/xmanlegal.com/xmanlegal.com.key
[Tue Sep 11 21:36:31 CST 2018] Installing full chain to:/mnt/usr/ssl/xmanlegal.com/xmanlegal.com.key.cer
[Tue Sep 11 21:36:31 CST 2018] Run reload cmd: echo Asdf1234 sudo -S /mnt/usr/sbin/nginx -s reload
Asdf1234 sudo -S /mnt/usr/sbin/nginx -s reload
[Tue Sep 11 21:36:31 CST 2018] Reload success
|
末文
证书级别测试
相关技术博客
