HTTPS with Certbot-auto

Background

I have been very busy for the past few months and kept putting off updating the blog. Today I noticed through openssl that the SSL certificate had expired, so I will spend a few minutes renewing it. Let's Encrypt's free certificates are widely trusted; the catch is the short validity period, only 90 days, unlike the paid ones you install once and then ignore for a year. It looks like I should set up automatic renewal when I have time.

Let’s Encrypt is a certificate authority launched in the third quarter of 2015 that provides free SSL/TLS certificates for secure websites through an automated process designed to eliminate the complex manual work of creating and installing certificates.

Back in September 2018 I used the Certbot-auto tool to obtain and manage my Let’s Encrypt SSL certificate. The steps below use Certbot-auto; plain certbot should behave the same. I did not record the full process at the time, so this time I am writing it down from the beginning:

The current problem

# openssl x509 -in /etc/letsencrypt/live/beaverlog.net/fullchain.pem -noout -dates
WARNING: can't open config file: /etc/pki/tls/openssl.cnf
notBefore=Sep 5 06:33:40 2018 GMT
notAfter=Dec 4 06:33:40 2018 GMT

Obtaining the certificate

Download certbot-auto

Note that the Certbot project has since deprecated certbot-auto; on a current system install certbot from your distribution's packages or the official snap instead. Either way, fetch the tool over HTTPS only and, for certbot-auto, check the detached signature (certbot-auto.asc) that the EFF publishes next to it before executing a script that will run with root privileges.

wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto

Generate the certificate

$ ./certbot-auto certonly --email 619939368@qq.com -d *.beaverlog.net \
--manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

Keep in mind that *.beaverlog.net does not cover the bare beaverlog.net; if the apex is also served over HTTPS, add a second -d beaverlog.net, which adds a second dns-01 challenge (a second TXT record under the same _acme-challenge name). During generation you will see prompts like these:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A => Agree
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y => Yes
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for beaverlog.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y => Yes

Whatever you use for DNS, your own BIND, GoDaddy, or, as in my case, Alibaba Cloud DNS, you now have to add a record of type TXT for _acme-challenge with the value certbot printed, and confirm with dig that it is visible before pressing Enter. Query one of the zone's authoritative name servers directly rather than your local resolver: Let's Encrypt validates against the authoritative servers, and a resolver that has cached the earlier empty answer will keep reporting no record for a while after it exists.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.beaverlog.net with the following value:

-VzMeOpimmIJKsugx0ouMViIRE05pvExx7-pP3B_Iik

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/beaverlog.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/beaverlog.net/privkey.pem
Your cert will expire on 2018-12-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

At this point the certificate has been issued.

Verification

It creates four files under /etc/letsencrypt/live/{domain_name}/ (symlinks to the current versions kept under /etc/letsencrypt/archive/):

Name           Contents
cert.pem       the server (leaf) certificate only
chain.pem      the intermediate certificate(s) linking the leaf to a trusted root; the root itself is not included and should not be sent by the server
fullchain.pem  cert.pem followed by chain.pem; this is the file Nginx's ssl_certificate should point to
privkey.pem    the private key; keep it readable by root only and never copy it around
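Before pointing Nginx at these files it is worth checking three things: that fullchain.pem really carries more than the leaf, that privkey.pem is the key belonging to cert.pem, and whether the certificate is already inside certbot's 30-day renewal window (the question the openssl -dates output above answers, but without parsing dates by hand; openssl's -checkend does the arithmetic). The script below is an added example and not part of the original post; it generates throwaway self-signed material with openssl so it runs offline and never touches /etc/letsencrypt, so point the functions at the real paths when you use it.

```shell
#!/bin/sh
# Added example, not the post's own code: sanity checks for the files certbot leaves under
# /etc/letsencrypt/live/<name>/. Requires only the openssl CLI.
set -u

cert_count() {
  # Number of PEM certificates in a file: 1 for cert.pem, 2 or more for fullchain.pem.
  grep -c 'BEGIN CERTIFICATE' "$1"
}

cert_key_match() {
  # Returns 0 when the public key inside certificate $1 is the one derived from private
  # key $2, i.e. the pair can actually be loaded together by Nginx.
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

needs_renewal() {
  # Returns 0 when certificate $1 expires within $2 days. certbot renews at 30 days by
  # default, so "needs_renewal cert.pem 30" says whether "certbot-auto renew" would act.
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

cert_expiry() {
  # The notAfter value, the same field "openssl x509 -noout -dates" prints in the post.
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# --- constructed test material (self-signed, throwaway; not real Let's Encrypt files) ---
DEMO_DIR=$(mktemp -d)
# a "leaf" certificate that expires tomorrow, plus its key
openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=example.test' -days 1 \
  -keyout "$DEMO_DIR/privkey.pem" -out "$DEMO_DIR/cert.pem" >/dev/null 2>&1
# an unrelated certificate and key, standing in for the intermediate and for a wrong key
openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=other.test' -days 90 \
  -keyout "$DEMO_DIR/other.key" -out "$DEMO_DIR/other.pem" >/dev/null 2>&1
# fullchain.pem is cert.pem followed by chain.pem
cat "$DEMO_DIR/cert.pem" "$DEMO_DIR/other.pem" > "$DEMO_DIR/fullchain.pem"

# stand-alone run: report on the constructed files
for f in cert.pem fullchain.pem; do
  printf '%s: %s certificate(s), expires %s\n' "$f" \
    "$(cert_count "$DEMO_DIR/$f")" "$(cert_expiry "$DEMO_DIR/$f")"
done
cert_key_match "$DEMO_DIR/cert.pem" "$DEMO_DIR/privkey.pem" && echo "privkey.pem matches cert.pem"
needs_renewal "$DEMO_DIR/cert.pem" 30 && echo "cert.pem is inside the 30-day renewal window"
```

On a real host replace DEMO_DIR with /etc/letsencrypt/live/<name>; a mismatch from cert_key_match usually means the live/ symlinks point at different archive/ generations, which is exactly the state that makes Nginx refuse to start after a botched manual copy.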

Check the validity period after the update:

# openssl x509 -in /etc/letsencrypt/live/beaverlog.net/fullchain.pem -noout -dates
WARNING: can't open config file: /etc/pki/tls/openssl.cnf
notBefore=Feb 27 10:10:01 2019 GMT
notAfter=May 28 10:10:01 2019 GMT

or

# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: beaverlog.net
Domains: *.beaverlog.net
Expiry Date: 2019-05-28 10:10:01+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/beaverlog.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/beaverlog.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Renewal

Wildcard certificates can only prove control of the domain through the dns-01 challenge, so for unattended renewal the record creation has to be scripted: pass the script with --manual-auth-hook, and certbot runs it before each challenge with CERTBOT_DOMAIN and CERTBOT_VALIDATION set in its environment. Without it, renewal stops at the interactive prompt and cannot run automatically.

./certbot-auto renew --cert-name beaverlog.net --manual-auth-hook /home/chaoran.han/au.sh --dry-run

Important: run with --dry-run first. It talks to Let's Encrypt's staging environment, which has its own, much looser rate limits and whose certificates browsers do not trust, so it exercises the whole hook path without consuming the production quota. Only after it completes cleanly should you run the real renew.

Alibaba Cloud API documentation (the API the alydns.php helper below is built on; the PHP itself is not reproduced here):
https://help.aliyun.com/document_detail/29739.html

#!/usr/bin/bash

# Directory holding the PHP helper (alydns.php) that talks to the Alibaba Cloud DNS API.
# Do not call this variable PATH: that would overwrite the shell's command search path.
SCRIPT_DIR="/home/certbot-sh"

# Domain whose zone the record is added to
DOMAIN="xxxx.com"

# Owner name of the TXT record to create under that zone
CREATE_DOMAIN="_acme-challenge"

# $CERTBOT_VALIDATION is exported by Certbot and holds the value the TXT record must carry.
# (Certbot also exports $CERTBOT_DOMAIN, the domain being validated, if you prefer not to hard-code DOMAIN.)
echo "$SCRIPT_DIR/alydns.php"

# Call the PHP helper to create the TXT record through the API; keep its output for debugging.
/usr/bin/php "$SCRIPT_DIR/alydns.php" "$DOMAIN" "$CREATE_DOMAIN" "$CERTBOT_VALIDATION" >/var/log/certdebug.log 2>&1

# Give the record time to propagate before Certbot asks Let's Encrypt to look it up
/usr/bin/sleep 30

References

https://www.vpser.net/build/letsencrypt-certbot.html
https://hacpai.com/article/1531709298417
https://blog.csdn.net/jzjxsxw/article/details/79403487
https://segmentfault.com/a/1190000002866627
https://liudonghua.net/free-ssl-certificate-usage-lets-encrypt/

Other
Many people have written about this:
https://sanonz.github.io/2017/let's-encrypt-free-ssl-https/
https://sanonz.github.io/2017/let's-encrypt-free-ssl-https/#webroot-%E6%A8%A1%E5%BC%8F (the webroot-mode section of the same post)

[Link] An introduction to HTTPS and configuring Let’sEncry with the official Certbot tool
https://linuxstory.org/deploy-lets-encrypt-ssl-certificate-with-certbot/

Last of all, thanks to Let’s Encrypt!

Recommended

Enabling HTTPS for Gitlab pages using Certbot
https://mkkhedawat.github.io/Enabling-HTTPS-for-Gitlab-pages-using-Certbot/