Network Information Security | Chapter 7: Requesting free Let's Encrypt RSA/ECC dual certificates with automatic renewal
Synopsis: Let's Encrypt is a free CA maintained by the Internet Security Research Group (ISRG) that provides automated certificate management through the ACME protocol. Certbot is the officially recommended tool for requesting certificates, and it generates RSA certificates by default. If you also want to issue smaller, faster ECC certificates for newer clients, this article is a practical walkthrough, and both certificates renew themselves.
1. The Certbot tool
Let's Encrypt - Free SSL/TLS Certificates
The recommended way to request certificates is a client that supports the Automatic Certificate Management Environment (ACME) protocol, Certbot. Select your operating system and web server software and the matching instructions are displayed. I use CentOS 7.3 and Nginx.
Of course, you can use any client that implements the ACME protocol, for example acme.sh.
1.1 Add the EPEL repository
Or:
```
[root@CentOS ~]# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
[root@CentOS ~]# yum -y install epel-release-latest-7.noarch.rpm
```
1.2 Install Certbot
List the certbot-related RPM packages available in the EPEL repository:
Install certbot and its dependencies (it is written in Python):
How is the command used?
1. Show the version number
```
[root@CentOS ~]# certbot --version
certbot 0.31.0
```
2. List the available subcommands and options
```
[root@CentOS ~]# certbot --help

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
                    expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  (the certbot apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
                    hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
                    to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-path or --cert-name)
    delete          Delete a certificate

manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
    update_account  Update a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
3. Show the help for a subcommand
```
[root@CentOS ~]# certbot --help run
```
2. Requesting RSA and ECC dual certificates
When you request a certificate, Let's Encrypt has to make sure that you own the domain; you cannot, for example, obtain a certificate that includes google.com. Certbot supports the following plugins for proving that you control the domain:
Plugin | Authenticator | Installer | Notes | Challenge types (and port) |
---|---|---|---|---|
apache | Y | Y | Automates obtaining and installing a certificate with Apache. | http-01 (80) |
nginx | Y | Y | Automates obtaining and installing a certificate with Nginx. | http-01 (80) |
webroot | Y | N | Obtains a certificate by writing to the webroot directory of an already running webserver. | http-01 (80) |
standalone | Y | N | Uses a “standalone” webserver to obtain a certificate. Requires port 80 to be available. This is useful on systems with no webserver, or when direct integration with the local webserver is not supported or not desired. | http-01 (80) |
DNS plugins | Y | N | This category of plugins automates obtaining a certificate by modifying DNS records to prove you have control over a domain. Doing domain validation in this way is the only way to obtain wildcard certificates from Let’s Encrypt. | dns-01 (53) |
manual | Y | N | Helps you obtain a certificate by giving you instructions to perform domain validation yourself. Additionally allows you to specify scripts to automate the validation task in a customized way. | http-01 (80) or dns-01 (53) |
💖1. apache/nginx: these two plugins validate the domain automatically from the `server_name` entries in your Apache or Nginx configuration, then obtain the certificate and finally enable it for you. If you do not want Certbot touching your configuration files, do not use them.
💎2. standalone: Certbot starts an additional temporary web server bound to port 80, so if you already have a web application running on port 80 you have to stop it first, otherwise you get the error `Problem binding to port 80: Could not bind to IPv4 or IPv6.`
👑3. webroot: if you do not want the running site to go down while the certificate is requested, use the webroot plugin. It creates a file `/.well-known/acme-challenge/xxxx` under the web root you specify (for example `/usr/share/nginx/html`), and if `http://yourdomain.com/.well-known/acme-challenge/xxxx` can then be fetched, domain validation passes.
However, my Nginx is mainly used as a reverse proxy that forwards all requests to a backend Flask application, so the request for the URL above returns a 404 error and domain validation fails:
```nginx
location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://127.0.0.1:5000;
}
```
The fix is to add one more matching rule for `/.well-known/acme-challenge/` to the Nginx configuration:
This means that requests whose URI starts with `/.well-known/acme-challenge/` use `/usr/share/nginx/html` as their web root. When Certbot validates the domain by requesting an address like `http://yourdomain.com/.well-known/acme-challenge/xxxx`, the file `xxxx` in the `/usr/share/nginx/html/.well-known/acme-challenge/` directory is returned.
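The rule described above written out as a complete port-80 server block, as an added example rather than the post's own configuration: the Flask upstream on 127.0.0.1:5000, the webroot and the domain names come from the post; the `^~` modifier and the `default_type` line are my choices.

```nginx
server {
    listen 80;
    server_name madmalls.com www.madmalls.com;

    # Challenge files that certbot --webroot writes under /usr/share/nginx/html
    # are served from disk here, so they never reach the Flask backend.
    # "^~" makes this prefix match win over any regex locations in the block.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
        default_type "text/plain";
    }

    # Everything else keeps being proxied to the Flask application.
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:5000;
    }
}
```

`root` rather than `alias` is used on purpose: with `root`, Nginx appends the full URI to the directory, which yields exactly the `/usr/share/nginx/html/.well-known/acme-challenge/xxxx` path that certbot writes. Run `nginx -t` before reloading, and keep this location in the port-80 block even after you redirect everything else to HTTPS, because renewals use the same http-01 challenge.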
2.1 RSA certificate
An RSA certificate contains an RSA public key and is used by cipher suites that authenticate with RSA (the signature algorithm), such as ECDHE-RSA-AES256-GCM-SHA384; its ECDSA counterpart, ECDHE-ECDSA-AES256-GCM-SHA384, requires the ECC certificate this article also covers.
```
[root@CentOS ~]# certbot certonly \
    --non-interactive \
    --email wangy8961@163.com \
    --agree-tos \
    --rsa-key-size 4096 \
    --webroot --webroot-path /usr/share/nginx/html \
    -d madmalls.com -d www.madmalls.com \
    --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for madmalls.com
http-01 challenge for www.madmalls.com
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.madmalls.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.madmalls.com/privkey.pem
   Your cert will expire on 2019-09-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
Parameter description:
- `certonly`: only obtain the certificate, do not install it, because I don't want Certbot touching my Nginx configuration files
- `--non-interactive`: non-interactive mode
- `--email`: the e-mail address that receives a reminder one month before the certificate expires (and security notices)
- `--agree-tos`: agree to the terms of service
- `--webroot`: use the webroot plugin to validate the domain; `--webroot-path` gives the location of the web root
- `-d`: the domains the certificate is for; if you do not additionally specify `-d madmalls.com`, certificate validation fails later when the bare domain `https://madmalls.com` is visited
- `--rsa-key-size`: a 2048-bit RSA certificate is generated by default; `--rsa-key-size 4096` generates a 4096-bit RSA certificate
- `--server`: version 2 of the ACME protocol was released in March 2018 and its server address has to be given explicitly with `--server https://acme-v02.api.letsencrypt.org/directory`. If you are going to exercise Certbot repeatedly, it is strongly recommended to point it at the staging API `https://acme-staging-v02.api.letsencrypt.org/directory`; see section 6.1 of this article for details
The certificate signed by Let's Encrypt is stored at `/etc/letsencrypt/live/madmalls.com/fullchain.pem`. Before using it, check that its contents are correct (the output should include the SAN extension):
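A small POSIX shell wrapper for the steps in this section, added here as an example and not taken from the post: it builds the `certbot certonly` command line with a switch between the staging and production ACME endpoints, runs certbot only when explicitly asked to, and then inspects the issued certificate with `openssl` for the SAN extension and the expiry date. The e-mail address, domains, webroot and live path are the post's; the function names are mine.

```shell
#!/bin/sh
# Added example: issue a Let's Encrypt RSA certificate with the webroot plugin
# and verify the result. E-mail, domains and webroot follow the post.
set -eu

WEBROOT=/usr/share/nginx/html
EMAIL=wangy8961@163.com
DOMAINS="madmalls.com www.madmalls.com"
# certbot names the live directory after the first -d domain
LIVE_CERT=/etc/letsencrypt/live/madmalls.com/fullchain.pem

# ACME v2 directory URL: "staging" for repeated testing (no rate limits, but
# the issued chain is not trusted by browsers), "production" for the real one.
acme_server() {
    case "$1" in
        staging)    echo "https://acme-staging-v02.api.letsencrypt.org/directory" ;;
        production) echo "https://acme-v02.api.letsencrypt.org/directory" ;;
        *)          echo "unknown environment: $1" >&2; return 1 ;;
    esac
}

# Build the certbot certonly command (one -d per domain) without running it.
certbot_cmd() {
    acme_env="$1"; shift
    cmd="certbot certonly --non-interactive --agree-tos --email $EMAIL"
    cmd="$cmd --rsa-key-size 4096 --webroot --webroot-path $WEBROOT"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    echo "$cmd --server $(acme_server "$acme_env")"
}

# Print subject and expiry of a PEM certificate and fail if it carries no SAN:
# browsers ignore the CN and only trust names listed in subjectAltName.
check_cert() {
    pem="$1"
    openssl x509 -in "$pem" -noout -subject -enddate
    # in -text output the DNS names sit on the line after the extension header
    if ! openssl x509 -in "$pem" -noout -text | grep -A1 'Subject Alternative Name' | grep -q 'DNS:'; then
        echo "no subjectAltName in $pem" >&2
        return 1
    fi
    openssl x509 -in "$pem" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage: sh issue.sh staging|production
if [ "${1:-}" = "staging" ] || [ "${1:-}" = "production" ]; then
    acme_env="$1"
    # shellcheck disable=SC2086  # word splitting of DOMAINS is intended
    set -- $(certbot_cmd "$acme_env" $DOMAINS)
    "$@"
    check_cert "$LIVE_CERT"
fi
```

Run it with `staging` until the challenge setup (the Nginx location rule and the webroot) is known to work, then once with `production`; the staging run hits the same http-01 path without consuming production rate limits.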
1 comment
lpchg1992, 2020-03-16T13:24:34Z: Reading these few posts really broadened my knowledge, but during the process this tool throws errors with python2.7, so if you are on CentOS, whether 7 or 8, please use the latest method from the official certbot site (the recommended method for CentOS 8).