title: CentOS下申請let’s encrypt SSL證書
date: 2020-04-01 23:31:42
tags: [Hexo,建站]
categories: [建站]
包括單域名和泛域名通配符。
環境介紹
- centOS6系列
- git version 1.7.1(自帶默認的)
- Python 2.6.6(自帶默認的)
- let’s encrypt最新版V2接口(2020-05-08)
文檔更新說明
無
方式一:acme.sh
主要步驟:(引自官網)
1.安裝 acme.sh
2.生成證書
3.copy 證書到 nginx/apache 或者其他服務
4.更新證書
5.更新 acme.sh
6.出錯怎麼辦, 如何調試
1. 安裝 acme.sh
yum update
yum install curl -y
yum install cron -y
安裝很簡單, 一個命令:
curl https://get.acme.sh | sh
或者(推薦)
yum update wget
wget -O - https://get.acme.sh | sh
如果報錯curl: (35) SSL connect error
,移步:https://janeyork.blog.csdn.net/article/details/82700159
如果報錯curl: (7) couldn't connect to host
出站端口dport 443、80添加了或者防火牆關閉。
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22000 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
普通用戶和 root 用戶都可以安裝使用. 安裝過程進行了以下幾步:
- 把 acme.sh 安裝到你的 home 目錄下:
~/.acme.sh/ (這個是自動執行的安裝目錄)
並創建 一個 bash 的 alias, 方便你的使用: alias acme.sh=~/.acme.sh/acme.sh
這個是自動操作,如果沒有請手動。
出現install success即爲成功。
自動爲你創建了cronjob。
關閉shell重新打開。或者讓命令立即生效source ~/.bashrc
驗證方式一:DNS手動驗證。(個人推薦)
https://github.com/acmesh-official/acme.sh
acme.sh --issue -d example.com -d *.example.com --dns \
--yes-I-know-dns-manual-mode-enough-go-ahead-please
驗證TXT解析是否生效
dig -t txt _acme-challenge.xxoo.com @8.8.8.8
添加解析生效後,重新生成證書。
acme.sh --renew -d xxoo.com -d *.xxoo.com \
--yes-I-know-dns-manual-mode-enough-go-ahead-please
注意:
- 手動模式無法自動更新(就看中了這點,如果你想自動更新可以自己寫定時腳本)
- 證書有效期60天,需要手動解析、申請、複製、修改
- DNS API自動續期60天內,可調整時間
- DNS手動續期,需要在90天內
設置釘釘通知
export DINGTALK_WEBHOOK='https://oapi.dingtalk.com/robot/send?access_token=5241080f1e14f0d8af2fa6cef175934f0d9d636'
export DINGTALK_KEYWORD=acme
acme.sh --set-notify --notify-hook dingtalk \
--notify-level 2 \
--notify-mode 0
DNS API自動續期,個人使用
$ export Ali_Key="woshipogaizai"
$ export Ali_Secret="nishipogaizaima"
這兩個配置將永久保存在文件~/.acme.sh/account.conf中
# 申請
acme.sh --issue --dns dns_ali -d xxoo.com -d *.xxoo.com
# DP
# acme.sh --issue --dns dns_dp -d mydomain.com -d *.mydomain.com
證書申請成功後,保存在~/.acme.sh/www.example.com目錄下
查看證書
刪除證書
方式2、HTTP文件驗證:
$ acme.sh --issue -d congm.in -d *.congm.in -w /home/webroot
注意
:對於通配符證書需要加-d 域名 -d *.域名
兩個參數-w
即webroot,爲該域名
通過http所訪問到的本地目錄上面這段過程將會在/home/webroot
創建一個.well-known
的文件夾,同時 Let’s Encrypt 將會通過你要註冊的域名去訪問那個文件來確定權限,它可能會去訪問 http://xxoo.in/.well-known/ 這個路徑,驗證成功會自動清理。
DNS手動驗證實踐及截圖
acme.sh --issue -d nogit.top -d *.nogit.top --dns \
--yes-I-know-dns-manual-mode-enough-go-ahead-please
驗證TXT解析是否生效
dig -t txt _acme-challenge.nogit.top @8.8.8.8
添加解析生效後,重新生成證書。中間可能等待一小會兒
acme.sh --renew -d nogit.top -d *.nogit.top \
--yes-I-know-dns-manual-mode-enough-go-ahead-please
執行過程截圖:
生成結果:
[root@ebs-40617 home]# acme.sh --renew -d nogit.top -d *.nogit.top \
> --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Sat May 9 11:04:33 CST 2020] Renew: 'nogit.top'
[Sat May 9 11:04:38 CST 2020] Multi domain='DNS:nogit.top,DNS:*.nogit.top'
[Sat May 9 11:04:38 CST 2020] Getting domain auth token for each domain
[Sat May 9 11:04:38 CST 2020] Verifying: nogit.top
[Sat May 9 11:04:52 CST 2020] Pending
[Sat May 9 11:04:59 CST 2020] Pending
[Sat May 9 11:05:11 CST 2020] Success
[Sat May 9 11:05:11 CST 2020] Verifying: *.nogit.top
[Sat May 9 11:05:27 CST 2020] Pending
[Sat May 9 11:05:32 CST 2020] Pending
[Sat May 9 11:05:52 CST 2020] Success
[Sat May 9 11:05:52 CST 2020] Verify finished, start to sign.
[Sat May 9 11:05:52 CST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/85615348/3294031693
[Sat May 9 11:05:59 CST 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/04b84bbcd3d822e1b6a0dfae29e11a03d08a
[Sat May 9 11:06:03 CST 2020] Cert success.
-----BEGIN CERTIFICATE-----
MIIFVzCCBD+gAwIBAgISBLhLvNPYIuG2oN+uKeEaA9CKMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA1MDkwMjA1NTlaFw0y
MDA4MDcwMjA1NTlaMBQxEjAQBgNVBAMTCW5vZ2l0LnRvcDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAL7xXjfreYkDKybtLpvSVOgPyciqCLKoD30ziQC4
7JfAD4+tpCu6gkvEE9ViLk7BqSE/uDdip2TSR0OIrREpNl5a/55TpDJMbKXlc8SE
asRuTfnPN5JAi9BMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMu
bGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAXqdz+d9W
wOe1Nkh90EngMnqRmgyEoRIShBh1loFxRVgAAAFx92WLjAAABAMARzBFAiAjwvyx
3kgWcNNeAZxqJ5qjc0gfDAESq613uICtG41pHgIhAIzPzCJVovK6dbz+MyJ3eG6L
5hhdhPdukikP8bOeOkyjAHYAB7dcG+V9aP/x
-----END CERTIFICATE-----
[Sat May 9 11:06:03 CST 2020] Your cert is in /root/.acme.sh/nogit.top/nogit.top.cer
[Sat May 9 11:06:03 CST 2020] Your cert key is in /root/.acme.sh/nogit.top/nogit.top.key
[Sat May 9 11:06:03 CST 2020] The intermediate CA cert is in /root/.acme.sh/nogit.top/ca.cer
[Sat May 9 11:06:03 CST 2020] And the full chain certs is there: /root/.acme.sh/nogit.top/fullchain.cer
[root@ebs-40617 home]#
導出Tomcat pfx格式證書:
acme.sh --toPkcs -d nogit.top --password 1234
導出Nginx:
key.pem和pri.key,可以直接更改後綴pem或者key
fullchain同理,兩者內容一樣,可以直接更改後綴
mkdir -p /home/mycert
acme.sh --installcert -d nogit.top \
--key-file /home/mycert/privateKey.pem \
--fullchain-file /home/mycert/fullchain.pem \
--ca-file /home/mycert/ca.cer \
--cert-file /home/mycert/nogit.top.cer
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.pem -in nogit.top.cer -certfile ca.cer -password "pass:Rookie123"
或者:(兩個一樣的,只是我把文件名重命名而已)
openssl pkcs12 -export -out certificate.pfx -inkey nogit.top.key -in nogit.top.cer -certfile ca.cer -password "pass:Rookie123"
第三方網站轉換:https://www.sslshopper.com/ssl-converter.html
然後配置到Tomcat裏
-------------------------------------雜七雜八 start--------------------------------------------------
OpenSSL Convert PEM
Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
OpenSSL Convert DER
**Convert DER to PEM
**
openssl x509 -inform der -in certificate.cer -out certificate.pem
OpenSSL Convert P7B
Convert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert P7B to PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
OpenSSL Convert PFX
Convert PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
----------------------------------------------雜七雜八 end----------------------------------------------
未過期的老證書
現在新證書哦:
未來更新
- 改爲後臺web操作
- 支持郵件、短信推送通知
額外
acme.sh github:https://github.com/acmesh-official/acme.sh
let’s encrypt官網:https://letsencrypt.org/zh-cn/docs/client-options/