A colleague told me that Let's Encrypt now supports free wildcard certificates, which is great news. Previously I used Alibaba Cloud's free certificates: one per year, and only for a single domain. This wildcard certificate is valid for 90 days per issuance, but the good part is that renewal can be automated. Without further ado, let's get to work.
Download certbot
mkdir /opt/certbot
cd /opt/certbot
wget https://dl.eff.org/certbot-auto
chmod 755 certbot-auto
Apply for the wildcard certificate
./certbot-auto certonly \
-d "*.cnrainbird.com" \
--manual \
--preferred-challenges dns-01 \
--server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for cnrainbird.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cnrainbird.com with the following value:
J5FTanSZjRl3P63LVdQqZG5fZ2n6n8vMRPVq8xv0r7Q
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Note: at this point you need to go to your DNS provider and add the TXT record.
The providers are all much alike; I use DNSPod.
After adding it, remember to verify it:
nslookup -type=txt _acme-challenge.cnrainbird.com
Server: 139.162.16.5
Address: 139.162.16.5#53
Non-authoritative answer:
_acme-challenge.cnrainbird.com text = "J5FTanSZjRl3P63LVdQqZG5fZ2n6n8vMRPVq8xv0r7Q"
Authoritative answers can be found from:
cnrainbird.com nameserver = f1g1ns1.dnspod.net.
cnrainbird.com nameserver = f1g1ns2.dnspod.net.
A newly added record usually does not need a long wait; one or two minutes is enough. If you get the text value back as above, the record was added successfully. Go back to the earlier window and press Enter to continue.
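The nslookup above asks a caching resolver, while Let's Encrypt's validators query the authoritative nameservers directly, so a check against those is the one that matters. The script below is an added example (not from the original post) that queries every authoritative NS for the domain and only reports success when all of them serve the token; it assumes dig is installed and reuses the domain and token from the session above.

```shell
#!/bin/sh
# Added example, not from the original post: confirm the ACME dns-01 TXT record
# on every authoritative nameserver before pressing Enter in certbot. Assumes
# `dig` is installed; domain and token are the ones from the session above.

DOMAIN="cnrainbird.com"
EXPECTED="J5FTanSZjRl3P63LVdQqZG5fZ2n6n8vMRPVq8xv0r7Q"

# txt_has_value OUTPUT TOKEN -> exit 0 if OUTPUT (dig +short TXT lines, one
# quoted record per line) contains a record equal to TOKEN
txt_has_value() {
    printf '%s\n' "$1" | tr -d '"' | grep -qxF -- "$2"
}

# check_acme_txt DOMAIN TOKEN -> exit 0 only when every authoritative NS serves
# the token; asking each NS directly avoids a stale answer from a caching resolver
check_acme_txt() {
    ok=0; bad=0
    for ns in $(dig +short NS "$1"); do
        out=$(dig +short TXT "_acme-challenge.$1" "@$ns")
        if txt_has_value "$out" "$2"; then
            echo "OK   $ns serves the challenge token"; ok=$((ok + 1))
        else
            echo "WAIT $ns does not serve it yet (got: ${out:-nothing})"; bad=$((bad + 1))
        fi
    done
    [ "$ok" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Usage (needs network): check_acme_txt "$DOMAIN" "$EXPECTED" && echo "safe to press Enter"
```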
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/cnrainbird.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/cnrainbird.com/privkey.pem
Your cert will expire on 2020-06-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
As shown above, the wildcard certificate was issued successfully; it expires 90 days from now.
The certificate files are stored at:
/etc/letsencrypt/live/cnrainbird.com/fullchain.pem
/etc/letsencrypt/live/cnrainbird.com/privkey.pem
One thing to note: the *.cnrainbird.com certificate does not cover the bare domain cnrainbird.com, so we also need to apply separately for a cnrainbird.com certificate.
Apply for the bare-domain certificate
For the wildcard certificate we used the manual + DNS method.
For the bare-domain certificate we use automatic validation. Note here that /opt/certbot is the default site's web root, i.e. the directory that is served when the server is accessed directly by IP.
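The rule behind this is RFC 6125 hostname matching: a wildcard stands for exactly one DNS label, so *.cnrainbird.com covers blog.cnrainbird.com but neither the apex cnrainbird.com nor a deeper name like a.b.cnrainbird.com. The shell script below is an added example (not part of the original post) that implements that rule and lists a certificate's SANs with openssl, so you can check which hostnames a given fullchain.pem actually covers; it assumes OpenSSL 1.1.1 or newer for the -ext option and goes slightly beyond the post by also handling the multi-label case.

```shell
#!/bin/sh
# Added example, not from the original post: RFC 6125 wildcard matching.
# "*.cnrainbird.com" stands for exactly one label, so it covers
# blog.cnrainbird.com but neither the apex cnrainbird.com nor a.b.cnrainbird.com.

# name_matches PATTERN HOST -> exit 0 if HOST is covered by PATTERN
name_matches() {
    pattern=$1; host=$2
    case $pattern in
        '*.'*)
            suffix=${pattern#\*.}
            case $host in
                *".$suffix")
                    left=${host%".$suffix"}
                    # the part standing in for '*' must be one non-empty label
                    case $left in ''|*.*) return 1 ;; *) return 0 ;; esac ;;
                *) return 1 ;;
            esac ;;
        *) [ "$pattern" = "$host" ] ;;
    esac
}

# covered HOST NAME... -> exit 0 if any NAME covers HOST
covered() {
    host=$1; shift
    for n in "$@"; do
        name_matches "$n" "$host" && return 0
    done
    return 1
}

# san_names PEM -> print each DNS SAN on its own line (assumes OpenSSL >= 1.1.1)
san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Usage against the files certbot wrote (paths from the post); set -f stops the
# shell from glob-expanding the '*' in the SAN list:
#   set -f
#   for h in blog.cnrainbird.com cnrainbird.com; do
#       if covered "$h" $(san_names /etc/letsencrypt/live/cnrainbird.com/fullchain.pem); then
#           echo "$h: covered"; else echo "$h: NOT covered"; fi
#   done
```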
./certbot-auto certonly \
--preferred-challenges http \
-d cnrainbird.com \
--webroot -w /opt/certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cnrainbird.com
Using the webroot path /opt/certbot for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/cnrainbird.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/cnrainbird.com-0001/privkey.pem
Your cert will expire on 2020-06-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The whole process runs automatically with no interaction, and we get the bare-domain certificate:
/etc/letsencrypt/live/cnrainbird.com-0001/fullchain.pem
/etc/letsencrypt/live/cnrainbird.com-0001/privkey.pem
Generate dhparams
Use the openssl tool to generate the dhparams file:
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
Nginx configuration
blog.cnrainbird.com.conf:
server {
    server_name blog.cnrainbird.com;
    # "ssl on;" is deprecated and removed in recent nginx; the ssl parameter on listen replaces it
    listen 443 ssl;
    # the wildcard certificate covers blog.cnrainbird.com
    ssl_certificate /etc/letsencrypt/live/cnrainbird.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cnrainbird.com/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparams.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if old clients still need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+CHACHA20 EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
}
Then reload the nginx service and you are done:
/etc/init.d/nginx reload
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
Force redirect to https
Now that we have the certificates, we answer plain http requests with a 301 redirect:
server {
    server_name blog.cnrainbird.com;
    listen 80;
    return 301 https://$server_name$request_uri;
}
Certificate renewal
This part is straightforward:
./certbot-auto renew
renews all domains.
You can also renew a single certificate, selected by its lineage name (the directory name under /etc/letsencrypt/live):
./certbot-auto renew --cert-name cnrainbird.com
Add a crontab scheduled task:
# Runs at 02:45 every second day (the */2 is in the day-of-month field, not the month field);
# certbot-auto renew only replaces certificates that are within 30 days of expiry, so running it often is fine
45 2 */2 * * cd /opt/certbot && ./certbot-auto renew && /etc/init.d/nginx reload
Result in Safari (screenshot)
that's all