分類
网站

網站用上了letsencrypt的免費ssl證書

使用 certbot 獲取證書

請訪問 certbot instructions 安裝 cerbot。在 CentOS 7 和 8 中使用 certbot 搭配 Cloudflare 插件實現自動更新證書的安裝與配置流程是這樣的:

#安裝 snapd 參考:https://snapcraft.io/docs/installing-snap-on-centos
sudo yum install epel-release
sudo yum install snapd
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
sudo snap install core
sudo snap refresh core

#刪除舊版 certbot
sudo yum remove certbot
#安裝 certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo snap set certbot trust-plugin-with-root=ok
#安裝 Cloudflare 插件
sudo snap install certbot-dns-cloudflare
#配置 Cloudflare api token
nano .cloudflare.ini
#配置文件內容爲

# Cloudflare API token used by Certbot
dns_cloudflare_api_token = QYuhPLUGSPvN30Yry0CXe3PSYJlkIjc_laJgUifd

#修改配置文件權限
chmod 600 .cloudflare.ini

#申請證書
sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d ft.shaman.eu.org\
  -d plausible.manchuria.eu.org

#測試自動更新
sudo certbot renew --dry-run --dns-cloudflare --dns-cloudflare-credentials ~/.cloudflare.ini --dns-cloudflare-propagation-seconds 60
# crontab 自動更新配置
52 2 * * 0 certbot renew --dns-cloudflare --dns-cloudflare-credentials /home/42/.cloudflare.ini --dns-cloudflare-propagation-seconds 60 --post-hook "nginx -s reload"

#查看當前已經申請的證書
sudo certbot certificates 

通過 DNS-01 challenge 方式獲取證書

由於有台服務器未打開 80 端口且用了 Cloudflare 的 CDN,所以採用 DNS 的方式來獲取證書。>

sudo certbot certonly --manual --preferred-challenges=dns -d ft.wupo.info
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.ft.wupo.info with the following value:

7G6Qad5U7z4u4036tk1e5DAPGZ2WSbaSDFhlYLBnjcQ

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
#此時去 Cloudflare 的 DNS 記錄中新增一條 TXT 類型,名稱是 _acme-challenge.ft,內容為 
# 7G6Qad5U7z4u4036tk1e5DAPGZ2WSbaSDFhlYLBnjcQ 
# 的記錄,保存後稍微等待一下下待 DNS 生效,然後回來繼續
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ft.wupo.info/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ft.wupo.info/privkey.pem

不使用 snap

有台 CentOS 8 安裝 snap 不成功,使用 pip 來申請 Let’s Encrypt 證書也是很方便的。

首先在 nginx 配置一個空網站,如

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name ft.shaman.eu.org;
}

然後:



sudo dnf install python3 augeas-libs
sudo dnf remove certbot
sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot certbot-nginx
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

#生成證書並自動配置 nginx
sudo certbot --nginx
#或僅生成證書
sudo certbot certonly --nginx


小撇步

雖然已經 2024 年底,但是客戶的 CentOS 7 還在運行。安裝的時候不要使用系統自帶的 python3.6,太舊啦。最好自己編譯一個新版 python3 。降級 urllib3 sudo /opt/certbot/bin/pip install urllib3==1.26.7 可以避免 ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+

--以下爲久遠內容不足爲看--

藉助於SSL For Free,可以快速申請Let's Encrypt的SSL證書,然後複製到Vesta Panel中就OK啦,非常方便。實在太簡單啦,所以沒什麼可寫的。證書有效期三個月,快過期時可再次免費更新。

nginx中將http重定向到https,可以在配置文件中這樣設置:

server {
    listen      80;   #listen for all the HTTP requests
    server_name example.com www.example.com;
    return      301         https://www.example.com$request_uri;
}

SSL For Free的證書直接用在nginx上

Certificate Successfully Generated後,下載生成的證書,合併certificate.crt和ca_bundle.crt

cat certificate.crt >> bundle.crt
printf "\n" >> bundle.crt
cat ca_bundle.crt >> bundle.crt

nginx的配置可以這樣寫

server {
    listen 192.111.111.111:443 ssl;
    server_name ft.wupo.info;

    ssl_certificate     /etc/letsencrypt/42/bundle.crt;
    ssl_certificate_key /etc/letsencrypt/42/private.key;
    ssl_protocols	TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

本文更新於 2024/11/29。

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *