Getting a free Let's Encrypt HTTPS certificate with certbot-auto

A colleague mentioned that Let's Encrypt now issues free wildcard certificates, which is great news. Until now I had been using Alibaba Cloud's free certificates: one per year, and only for a single hostname. A wildcard certificate is valid for just 90 days per issuance, but issuance can be automated, so without further ado, let's get to work.

Download certbot-auto

One caveat before starting: EFF has since deprecated the certbot-auto wrapper script and no longer maintains it; current Certbot releases ship as a snap package or via pip, and every command below works the same with the `certbot` binary from those packages. Whichever you use, the tool runs as root and manages private keys under /etc/letsencrypt, so fetch it only over HTTPS from dl.eff.org as shown.

mkdir /opt/certbot
cd /opt/certbot
wget https://dl.eff.org/certbot-auto
chmod 755 certbot-auto

Request the wildcard certificate

Let's Encrypt issues wildcard certificates only through the ACMEv2 endpoint and only with the dns-01 challenge, which is why both `--server` and `--preferred-challenges dns-01` are passed below.

./certbot-auto certonly  \
-d "*.cnrainbird.com" \
--manual \
--preferred-challenges dns-01  \
--server https://acme-v02.api.letsencrypt.org/directory

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for cnrainbird.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cnrainbird.com with the following value:

J5FTanSZjRl3P63LVdQqZG5fZ2n6n8vMRPVq8xv0r7Q

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Note: at this point you have to add the TXT record at your DNS provider.

The steps are much the same everywhere; I use dnspod.

After adding it, verify that it resolves before continuing:

nslookup -type=txt _acme-challenge.cnrainbird.com
Server:         139.162.16.5
Address:        139.162.16.5#53

Non-authoritative answer:
_acme-challenge.cnrainbird.com  text = "J5FTanSZjRl3P63LVdQqZG5fZ2n6n8vMRPVq8xv0r7Q"

Authoritative answers can be found from:
cnrainbird.com  nameserver = f1g1ns1.dnspod.net.
cnrainbird.com  nameserver = f1g1ns2.dnspod.net.

A newly added record normally needs no long wait; one or two minutes is enough. If the lookup returns the text value as above, the record is live. Note that this query went through the recursive resolver at 139.162.16.5 rather than the authoritative dnspod servers, so a cached stale answer (or a cached negative answer, if you looked it up too early) is possible; asking one of the listed nameservers directly, e.g. `nslookup -type=txt _acme-challenge.cnrainbird.com f1g1ns1.dnspod.net`, avoids that. Once the value is confirmed, go back to the certbot window and press Enter to continue.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cnrainbird.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cnrainbird.com/privkey.pem
   Your cert will expire on 2020-06-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

As shown above, the wildcard certificate was issued; it expires 90 days later.

Certificate file locations

/etc/letsencrypt/live/cnrainbird.com/fullchain.pem
/etc/letsencrypt/live/cnrainbird.com/privkey.pem

One thing to watch: the certificate for *.cnrainbird.com does not cover the bare apex domain cnrainbird.com. A wildcard matches exactly one label, so it covers blog.cnrainbird.com but neither cnrainbird.com nor a.b.cnrainbird.com. We therefore also need a certificate for cnrainbird.com. Both names could have gone on a single certificate by passing `-d cnrainbird.com -d '*.cnrainbird.com'` to the dns-01 run above, which would also avoid the separate `-0001` lineage created below; here they are requested separately.
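To make the coverage rule concrete, here is an added example (not from the original post) that reads the subjectAltName entries out of a certificate with openssl and applies single-label wildcard matching, so you can check which hostnames each lineage under /etc/letsencrypt/live actually covers and whether it is inside the 30-day renewal window. The demo certificate it generates is a constructed, self-signed stand-in for the Let's Encrypt files, and the function names are mine.

```shell
#!/bin/sh
# Added example: which hostnames does a certificate cover, and is renewal due?
# Not part of the original post; it only relies on the openssl CLI. The demo
# certificate is self-signed and constructed locally so this runs offline;
# in practice point the functions at /etc/letsencrypt/live/<lineage>/fullchain.pem.

# Print the DNS names from the certificate's subjectAltName, one per line.
# Browsers ignore the CN; only SAN entries count.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -o 'DNS:[^,[:space:]]*' \
        | sed 's/^DNS://'
}

# RFC 6125 wildcard matching: "*.example.com" stands for exactly one label,
# so it matches blog.example.com but not example.com or a.b.example.com.
name_matches() {
    pattern=$1
    host=$2
    case "$pattern" in
        "$host") return 0 ;;
        \*.*)
            suffix=${pattern#\*.}
            case "$host" in
                *."$suffix")
                    label=${host%."$suffix"}
                    case "$label" in
                        ''|*.*) return 1 ;;   # empty or multi-label prefix: no match
                        *) return 0 ;;
                    esac ;;
            esac ;;
    esac
    return 1
}

# Return 0 if any SAN in the certificate covers the hostname.
cert_covers() {
    host=$1
    cert=$2
    for san in $(cert_sans "$cert"); do
        if name_matches "$san" "$host"; then
            return 0
        fi
    done
    return 1
}

# Return 0 if the certificate expires within DAYS days.
# "openssl x509 -checkend N" exits 0 while the cert is still valid N seconds from now.
cert_expires_within() {
    cert=$1
    days=$2
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed demo certificate (self-signed, valid 1 day) with the given SAN
# list, e.g. "DNS:*.cnrainbird.com". Needs OpenSSL 1.1.1+ for -addext.
make_demo_cert() {
    out=$1
    sans=$2
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1 -subj "/CN=demo" -addext "subjectAltName=$sans" \
        -keyout "$out.key" -out "$out" 2>/dev/null
}

# Usage: ./cert-check.sh HOSTNAME CERTFILE
if [ "$#" -eq 2 ]; then
    if cert_covers "$1" "$2"; then
        echo "$2 covers $1"
    else
        echo "$2 does NOT cover $1"
    fi
    if cert_expires_within "$2" 30; then
        echo "renewal due: $2 expires within 30 days"
    fi
fi
```

Run it against the two lineages from this post, e.g. `./cert-check.sh cnrainbird.com /etc/letsencrypt/live/cnrainbird.com/fullchain.pem`, and it reports that the wildcard lineage does not cover the apex, which is exactly why the second request below is needed.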

Request the apex domain certificate

For the wildcard certificate we used the manual + DNS method.

For the apex certificate we use automatic validation over HTTP instead. Note that /opt/certbot here must be the document root of the site nginx serves on port 80 (the directory you land in when browsing straight to the server's IP): certbot writes the challenge token under /opt/certbot/.well-known/acme-challenge/ and Let's Encrypt fetches it from http://cnrainbird.com/.well-known/acme-challenge/<token>. Since that directory also holds the certbot-auto script, the script itself is publicly downloadable; a dedicated, otherwise empty web root is cleaner.

./certbot-auto certonly \
--preferred-challenges http \
-d cnrainbird.com \
--webroot -w /opt/certbot

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cnrainbird.com
Using the webroot path /opt/certbot for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cnrainbird.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cnrainbird.com-0001/privkey.pem
   Your cert will expire on 2020-06-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The whole process runs unattended. Because a lineage named cnrainbird.com already exists, certbot stores this one under cnrainbird.com-0001:

/etc/letsencrypt/live/cnrainbird.com-0001/fullchain.pem
/etc/letsencrypt/live/cnrainbird.com-0001/privkey.pem

Generate dhparams

Generate the DH parameters with openssl. They are used only by the DHE (EDH) cipher suites kept in the nginx cipher list below; 2048 bits is the customary minimum today, and generation can take several minutes.

openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048

Nginx configuration

blog.cnrainbird.com.conf (this vhost uses the wildcard lineage; a server block for the bare cnrainbird.com would reference the cnrainbird.com-0001 paths instead, and its port-80 block must keep serving /.well-known/acme-challenge/ from /opt/certbot so the webroot renewal keeps working):

server {
    server_name blog.cnrainbird.com;
    # "ssl on;" is deprecated; enable TLS on the listen directive instead
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/cnrainbird.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cnrainbird.com/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparams.pem;
    # TLSv1 and TLSv1.1 are deprecated and should not be offered;
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
    # the original list enabled RC4 suites and then excluded them again with !RC4;
    # the dead RC4 entries are dropped here
    ssl_ciphers "EECDH+CHACHA20 EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
}

Then check the configuration with `nginx -t` and reload nginx:

/etc/init.d/nginx reload
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.

Force a redirect to HTTPS

Now that the certificates are in place, answer plain HTTP requests with a 301 redirect to HTTPS:

server {
    server_name blog.cnrainbird.com;
    listen 80;
    return 301 https://$server_name$request_uri;
}

Certificate renewal

Renewing every lineage that is within 30 days of expiry is a single command:

./certbot-auto renew

One important caveat: the wildcard certificate above was obtained with `--manual`, and certbot cannot repeat an interactive dns-01 challenge without someone at the keyboard, so `renew` fails for that lineage unless it is issued with `--manual-auth-hook` pointing at a script that publishes the TXT record itself. The webroot certificate for cnrainbird.com renews unattended as-is.

A single lineage can also be renewed on its own. The `renew` subcommand selects it by lineage name with `--cert-name` (it rejects `-d`):

./certbot-auto renew --cert-name cnrainbird.com

Add a cron job

# Runs at 02:45 on every second day of the month ("*/2" in the day-of-month
# field steps through days, not months). certbot only replaces certificates
# within 30 days of expiry, so frequent runs are harmless; the deploy hook
# reloads nginx only when a certificate was actually renewed.
45 2 */2 * * cd /opt/certbot && ./certbot-auto renew --quiet --deploy-hook "/etc/init.d/nginx reload"
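The verification step earlier (looking up _acme-challenge with nslookup before pressing Enter) and the renewal problem are the same problem seen twice: certbot needs something that publishes the TXT record and confirms it is live without a human. The following added example, not part of the original post, is a `--manual-auth-hook` script that does that. It assumes the record is created by a provider-specific command named by the hypothetical DNS_PUBLISH_CMD variable (dnspod's API is not scripted here), and by default polls the dnspod nameservers that appeared in the nslookup output above.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot --manual-auth-hook for
# the dns-01 challenge. certbot runs it once per name with CERTBOT_DOMAIN and
# CERTBOT_VALIDATION in the environment; it must publish the TXT record and
# return only once the record is visible, which is what lets
# "certbot-auto renew" re-validate the wildcard certificate from cron.
#
# Wiring it in (both names on one lineage, so one renewal covers both):
#   ./certbot-auto certonly --manual --preferred-challenges dns-01 \
#     --manual-auth-hook /opt/certbot/dns-auth-hook.sh \
#     -d cnrainbird.com -d '*.cnrainbird.com' \
#     --server https://acme-v02.api.letsencrypt.org/directory
# certbot stores the hook path in the lineage's renewal config, so a plain
# "certbot-auto renew" afterwards needs no interaction.
#
# Assumption: DNS_PUBLISH_CMD is a hypothetical placeholder for the provider's
# record-creation command; the default nameservers come from the post's nslookup output.

# Authoritative nameservers to poll. Asking them directly avoids the stale or
# negative answers a caching resolver may hold for a record created seconds ago.
AUTH_NS="${AUTH_NS:-f1g1ns1.dnspod.net f1g1ns2.dnspod.net}"

# Extract TXT values from nslookup output on stdin, one per line. Input lines look like:
#   _acme-challenge.cnrainbird.com  text = "J5FTanSZjRl3P63LVdQqZG5fZ2n6n8vMRPVq8xv0r7Q"
txt_values() {
    sed -n 's/.*text = "\(.*\)"[[:space:]]*$/\1/p'
}

# Return 0 if the nslookup output on stdin contains exactly the expected value.
# Whole-line fixed-string match: a substring match would accept truncated values.
has_txt_value() {
    expected=$1
    txt_values | grep -qxF -- "$expected"
}

# Query one nameserver for the TXT record (nslookup, as in the post; the third
# argument selects the server to ask).
lookup_txt() {
    name=$1
    server=$2
    nslookup -type=txt "$name" "$server" 2>/dev/null
}

# Poll every authoritative server until all of them return the expected value,
# or give up after TIMEOUT seconds (return 1). This is the scripted form of
# "verify the record is deployed" before pressing Enter.
wait_for_txt() {
    name=$1
    expected=$2
    timeout=${3:-300}
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        ok=1
        for ns in $AUTH_NS; do
            if ! lookup_txt "$name" "$ns" | has_txt_value "$expected"; then
                ok=0
            fi
        done
        [ "$ok" -eq 1 ] && return 0
        sleep 10
        waited=$((waited + 10))
    done
    echo "TXT record $name did not propagate within ${timeout}s" >&2
    return 1
}

# Publish the record through the provider's tooling. DNS_PUBLISH_CMD is a
# hypothetical placeholder: set it to a script or CLI that creates a TXT record
# given NAME and VALUE (for dnspod, a wrapper around its record-creation API).
publish_txt() {
    name=$1
    value=$2
    "${DNS_PUBLISH_CMD:?set DNS_PUBLISH_CMD to a command that creates TXT records}" "$name" "$value"
}

# Hook entry point. certbot sets CERTBOT_DOMAIN (cnrainbird.com, also for the
# *.cnrainbird.com request) and CERTBOT_VALIDATION (the TXT value to publish).
auth_hook() {
    name="_acme-challenge.$CERTBOT_DOMAIN"
    publish_txt "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION"
}

# Only act when invoked by certbot; sourcing the file just defines the functions.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    auth_hook
fi
```

Pair it with a `--manual-cleanup-hook` that deletes the record again (certbot passes it the same CERTBOT_DOMAIN and CERTBOT_VALIDATION variables), otherwise stale _acme-challenge records accumulate in the zone. Whatever credential DNS_PUBLISH_CMD uses can create arbitrary records in the zone, so scope it to the narrowest token the provider offers and keep it readable by root only.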

Result in Safari (screenshot not reproduced)

that's all
