Network & Information Security | Chapter 7: Obtaining Free Let's Encrypt RSA/ECC Dual Certificates with Automatic Renewal

Original article by Madman


Synopsis: Let's Encrypt is a free CA run by the Internet Security Research Group (ISRG) that provides automated certificate management through the ACME protocol. Certbot is the officially recommended client for requesting certificates, and by default it generates RSA certificates. If you also want to issue a smaller and faster ECC certificate for newer clients, this article is a practical tutorial, and both certificates will renew themselves automatically.

1. The Certbot tool


Let's Encrypt - Free SSL/TLS Certificates recommends requesting certificates with a client that supports the Automatic Certificate Management Environment (ACME) protocol, Certbot. Select your operating system version and web server software and the site shows the matching instructions. I use CentOS 7.3 and Nginx.

Of course, you can also use any other client that implements the ACME protocol, for example acme.sh.

1.1 Add the EPEL repository

[root@CentOS ~]# yum -y install epel-release
[root@CentOS ~]# yum repolist

Or:

[root@CentOS ~]# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
[root@CentOS ~]# yum -y install epel-release-latest-7.noarch.rpm

1.2 Install Certbot

List the certbot-related RPM packages available in the EPEL repository:

[root@CentOS ~]# yum --disablerepo="*" --enablerepo="epel" list available | grep 'certbot'

Install certbot and its dependencies (it is written in Python):

[root@CentOS ~]# yum -y install certbot python2-certbot-nginx

How is the command used?

1. Check the version
[root@CentOS ~]# certbot --version
certbot 0.31.0

2. List the available subcommands and options
[root@CentOS ~]# certbot --help

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  (the certbot apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-path or --cert-name)
    delete          Delete a certificate

manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
    update_account  Update a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

3. View the help for a specific subcommand
[root@CentOS ~]# certbot --help run

2. Obtaining RSA and ECC dual certificates

When you request a certificate, Let's Encrypt must make sure you control the domain; you obviously cannot obtain a certificate covering google.com. Certbot supports the following plugins to prove that you control a domain:

  • apache (Authenticator: Y, Installer: Y; challenge: http-01, port 80): Automates obtaining and installing a certificate with Apache.
  • nginx (Authenticator: Y, Installer: Y; challenge: http-01, port 80): Automates obtaining and installing a certificate with Nginx.
  • webroot (Authenticator: Y, Installer: N; challenge: http-01, port 80): Obtains a certificate by writing to the webroot directory of an already running webserver.
  • standalone (Authenticator: Y, Installer: N; challenge: http-01, port 80): Uses a "standalone" webserver to obtain a certificate. Requires port 80 to be available. This is useful on systems with no webserver, or when direct integration with the local webserver is not supported or not desired.
  • DNS plugins (Authenticator: Y, Installer: N; challenge: dns-01, port 53): This category of plugins automates obtaining a certificate by modifying DNS records to prove you have control over a domain. Doing domain validation in this way is the only way to obtain wildcard certificates from Let's Encrypt.
  • manual (Authenticator: Y, Installer: N; challenge: http-01, port 80, or dns-01, port 53): Helps you obtain a certificate by giving you instructions to perform domain validation yourself. Additionally allows you to specify scripts to automate the validation task in a customized way.

💖1. apache/nginx: these two plugins validate the domain automatically based on the server_name entries in your Apache or Nginx configuration, issue the certificate, and finally enable it in your configuration for you. If you do not want Certbot to touch your configuration files, do not use these two plugins.

💎2. standalone: Certbot starts an extra temporary web server bound to port 80, so if you already have a web application listening on port 80 you must stop it first; otherwise you get the error Problem binding to port 80: Could not bind to IPv4 or IPv6.

👑3. webroot: if you do not want your running site to stop while the certificate is being requested, use the webroot plugin. It creates a file /.well-known/acme-challenge/xxxx under the web root you specify (for example /usr/share/nginx/html); if that file can then be fetched at http://yourdomain.com/.well-known/acme-challenge/xxxx, domain validation passes.

However, my Nginx is mainly used as a reverse proxy that forwards all requests to a backend Flask application, so a request for the URL above returns a 404 error and domain validation fails:

location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://127.0.0.1:5000;
}

The fix is to add an extra location rule for /.well-known/acme-challenge/ to the Nginx configuration:

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root         /usr/share/nginx/html;
}

This means that requests whose URI starts with /.well-known/acme-challenge/ use /usr/share/nginx/html as their web root (the ^~ modifier makes this prefix match take priority over the proxy location). When the validator requests an address such as http://yourdomain.com/.well-known/acme-challenge/xxxx, Nginx returns the file xxxx from the directory /usr/share/nginx/html/.well-known/acme-challenge/.
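The following pre-flight check, added here as an example and not part of the original post, confirms that the location block above really serves files from the webroot before you run certbot: it drops a random token under /.well-known/acme-challenge/ and fetches it the way the validator would, so the proxy_pass 404 described above shows up as a failed check instead of a failed issuance. The domain madmalls.com and the webroot /usr/share/nginx/html are the article's values; local_dry_run() exercises the same logic against a throwaway local static server so it can be tried without Nginx.

```python
import os
import secrets
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_DIR = ".well-known/acme-challenge"

def challenge_url(domain, token):
    # The URL the validator fetches: plain HTTP on port 80.
    return f"http://{domain}/{CHALLENGE_DIR}/{token}"

def write_token(webroot, token):
    # Create the token file under the webroot, as certbot --webroot does.
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(token)
    return path

def check_webroot_serving(base_url, webroot, timeout=5):
    """Drop a random token in the webroot and fetch it through the web server.
    True only when the body comes back unchanged; a 404 (proxy_pass) or a
    connection error yields False."""
    token = secrets.token_urlsafe(16)
    path = write_token(webroot, token)
    try:
        with urllib.request.urlopen(f"{base_url}/{CHALLENGE_DIR}/{token}", timeout=timeout) as resp:
            return resp.status == 200 and resp.read().decode() == token
    except Exception:
        return False
    finally:
        os.remove(path)  # clean up the challenge file like certbot does

def local_dry_run():
    # Exercise the check against a throwaway local static server (no Nginx needed).
    with tempfile.TemporaryDirectory() as webroot:
        handler = partial(SimpleHTTPRequestHandler, directory=webroot)
        srv = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return check_webroot_serving(f"http://127.0.0.1:{srv.server_port}", webroot)
        finally:
            srv.shutdown()

if __name__ == "__main__":
    print("local dry run:", local_dry_run())
```

On the server, call check_webroot_serving("http://madmalls.com", "/usr/share/nginx/html") with your own domain and webroot; a False result means the challenge directory is not being served and certbot's http-01 validation would fail the same way.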

2.1 RSA certificate

An RSA certificate contains an RSA public key and is used by cipher suites that authenticate (sign) with RSA, such as ECDHE-RSA-AES256-GCM-SHA384 rather than ECDHE-ECDSA-AES256-GCM-SHA384.

[root@CentOS ~]# certbot certonly \
  --non-interactive \
  --email wangy8961@163.com \
  --agree-tos \
  --rsa-key-size 4096 \
  --webroot --webroot-path /usr/share/nginx/html \
  -d madmalls.com -d www.madmalls.com \
  --server https://acme-v02.api.letsencrypt.org/directory

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for madmalls.com
http-01 challenge for www.madmalls.com
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.madmalls.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.madmalls.com/privkey.pem
   Your cert will expire on 2019-09-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Parameter notes:

  • certonly: only obtain the certificate without installing it, because I do not want Certbot to touch my Nginx configuration file
  • --non-interactive: non-interactive mode
  • --email: the e-mail address that receives a reminder one month before the certificate expires (and security notices)
  • --agree-tos: agree to the terms of service
  • --webroot: use the webroot plugin for domain validation; --webroot-path gives the location of the web root
  • -d: the domains the certificate covers. If you do not also specify -d madmalls.com, the certificate will not validate when the bare domain https://madmalls.com is visited later
  • --rsa-key-size: a 2048-bit RSA key is generated by default; specify --rsa-key-size 4096 to generate a 4096-bit RSA key
  • --server: version 2 of the ACME protocol was released in March 2018, and its server address must be given explicitly: --server https://acme-v02.api.letsencrypt.org/directory. If you need to test Certbot repeatedly, it is strongly recommended to use the staging API instead: https://acme-staging-v02.api.letsencrypt.org/directory; see section 6.1 of this article for details

The certificate signed by Let's Encrypt is stored at /etc/letsencrypt/live/madmalls.com/fullchain.pem. Before using it, check that its contents are correct (the output should include the Subject Alternative Name extension):

[root@CentOS ~]# openssl x509 -text -in /etc/letsencrypt/live/madmalls.com/fullchain.pem -noout

Certificate:
    Data:
        Version: 3 (0x2)