SSL certificates used to cost money, so I eventually looked into the Let's Encrypt certificate authority (CA) (https://letsencrypt.org/zh-tw/getting-started/), which lets you request free certificates yourself. Because they are free, some limits apply; see the official rate-limit documentation (https://letsencrypt.org/zh-tw/docs/rate-limits/).
A month ago I received an email from Let's Encrypt titled "Let's Encrypt certificate expiration notice for domain", telling me that the certificate for my domain was about to expire and reminding me to renew it (see the image below).
I went over the renewal procedure again and this time found the Certbot tool, which can request a free HTTPS certificate from Let's Encrypt.
The steps are as follows.
1. Install the tools
Install mod_ssl and certbot:
yum -y install epel-release mod_ssl certbot

[root@localhost ~]$ yum -y install epel-release mod_ssl certbot
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                     | 5.5 kB  00:00:00
 * base: ftp.tc.edu.tw
 * epel: ftp.riken.jp
 * extras: ftp.tc.edu.tw
 * remi-php74: ftp.riken.jp
 * remi-safe: ftp.riken.jp
 * updates: ftp.tc.edu.tw
 * webtatic: us-east.repo.webtatic.com
base                                                     | 3.6 kB  00:00:00
epel                                                     | 4.7 kB  00:00:00
extras                                                   | 2.9 kB  00:00:00
remi-php74                                               | 3.0 kB  00:00:00
remi-safe                                                | 3.0 kB  00:00:00
updates                                                  | 2.9 kB  00:00:00
webtatic                                                 | 3.6 kB  00:00:00
(1/5): epel/x86_64/updateinfo                            | 1.0 MB  00:00:01
(2/5): remi-php74/primary_db                             | 246 kB  00:00:00
(3/5): remi-safe/primary_db                              | 2.0 MB  00:00:01
(4/5): updates/7/x86_64/primary_db                       | 9.6 MB  00:00:03
(5/5): epel/x86_64/primary_db                            | 6.9 MB  00:00:03
Package epel-release-7-13.noarch already installed and latest version
Package 1:mod_ssl-2.4.6-97.el7.centos.x86_64 already installed and latest version
Package certbot-1.11.0-1.el7.noarch already installed and latest version
Nothing to do
2. Validate the domain with certbot
Before validation, nginx.conf must be edited to add a location for .well-known/acme-challenge/.
This step matters: when you run the certbot command, the client creates a .well-known directory under the root you configured, /var/www/html, and Let's Encrypt fetches a challenge file from it over HTTP to confirm that the request really comes from whoever controls the domain.

[root@localhost ~]$ vim /etc/nginx/nginx.conf
server {
    listen 80 default_server;
    root /var/www/html;
    #======= omitted =======
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html;
    }
}
Run the certbot command to perform validation with the Let's Encrypt service; when it finishes, the SSL certificate is written under /etc/letsencrypt/live/demo.domain.com/.
certbot certonly --webroot -w /var/www/html -d demo.domain.com --email user@example.com --agree-tos

[root@localhost ~]$ certbot certonly --webroot -w /var/www/html -d demo.domain.com --email user@example.com --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for demo.domain.com
Performing the following challenges:
http-01 challenge for demo.domain.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/demo.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/demo.domain.com/privkey.pem
   Your certificate will expire on 2021-11-15. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
3. Configure the Nginx ssl.conf file
- Replace the SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile entries in /etc/nginx/conf.d/ssl.conf with the *.pem files generated by certbot.
- After editing, restart the Apache service.

[root@localhost ~]$ vi /etc/nginx/conf.d/ssl.conf
SSLCertificateFile /etc/letsencrypt/live/demo.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/demo.domain.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/demo.domain.com/fullchain.pem
:wq
[root@localhost ~]$ nginx -s reload

- Open a browser and go to https://demo.domain.com/; you will see the padlock showing that the connection is encrypted!
- Click the padlock to view the certificate and encryption details.
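The SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile names used above are Apache mod_ssl directives; nginx reads ssl_certificate (the leaf plus intermediates, i.e. fullchain.pem) and ssl_certificate_key (privkey.pem), and needs no separate CA file because the chain is already inside fullchain.pem. The script below is an added example, not the post's own configuration: it renders an nginx TLS server block from the files certbot wrote for a domain, and only reloads nginx after `nginx -t` has accepted the full configuration. The target path /etc/nginx/conf.d/ssl.conf and the webroot /var/www/html are taken from the post; everything else is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): render an nginx TLS server block
# that points at the files certbot writes under /etc/letsencrypt/live/<domain>/.
# Assumptions: webroot /var/www/html, config target /etc/nginx/conf.d/ssl.conf.

# Print the server block for one domain. fullchain.pem goes to ssl_certificate,
# privkey.pem to ssl_certificate_key; there is no nginx counterpart to Apache's
# SSLCACertificateFile.
render_nginx_ssl() {
    domain="$1"
    live="/etc/letsencrypt/live/$domain"
    cat <<EOF
server {
    listen 443 ssl;
    server_name $domain;
    root /var/www/html;

    ssl_certificate     $live/fullchain.pem;
    ssl_certificate_key $live/privkey.pem;

    # HTTP-01 validation starts on port 80 but follows redirects, so keep the
    # challenge path served here as well if port 80 is redirected to HTTPS.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html;
    }
}
EOF
}

# Sanity check: how many lines of the rendered block reference the live directory
# (expected: exactly two, the certificate and the key).
count_live_refs() {
    render_nginx_ssl "$1" | grep -c "/etc/letsencrypt/live/$1/"
}

# Write the block, then test the whole nginx configuration before reloading so a
# typo in this file cannot take the server down.
install_nginx_ssl() {
    domain="$1"
    target="${2:-/etc/nginx/conf.d/ssl.conf}"
    render_nginx_ssl "$domain" > "$target" || return 1
    nginx -t && nginx -s reload
}

# Usage: ./nginx_ssl.sh --install demo.domain.com
if [ "${1:-}" = "--install" ] && [ -n "${2:-}" ]; then
    install_nginx_ssl "$2"
fi
```

Run it with `--install <domain>` on the server; without arguments it only defines the functions, so the rendering can be inspected with `render_nginx_ssl demo.domain.com` first.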
4. Schedule automatic renewal
- Create a renewal script, renew_certbot.sh, written as a shell script.
- Set the execute permission on renew_certbot.sh to 755.
- Add renew_certbot.sh to crontab so that it runs once a week.

[root@localhost ~]$ vi /root/renew_certbot.sh
#!/bin/sh
/usr/bin/certbot renew --quiet --agree-tos --post-hook "systemctl reload httpd"
:wq
[root@localhost ~]$ chmod 755 /root/renew_certbot.sh
[root@localhost ~]$ crontab -e
0 4 * * 1 /root/renew_certbot.sh > /dev/null 2>&1
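The cron line above discards all output (`> /dev/null 2>&1`), so a renewal that keeps failing (for example because the acme-challenge location was removed) is only noticed when the certificate has already expired. The script below is an added example, not part of the post: it reads the certificate certbot wrote for a domain, computes how many days remain, and exits non-zero below a threshold so that a second cron entry (with its output kept) raises the alarm. It assumes openssl and GNU date are installed and uses the post's path /etc/letsencrypt/live/<domain>/cert.pem.

```shell
#!/bin/sh
# Added example (not from the original post): warn when a certbot-issued
# certificate is close to expiry, so a silently failing "certbot renew" is caught.
# Assumptions: openssl and GNU date on the host; live certificate at
# /etc/letsencrypt/live/<domain>/cert.pem as in the post.

# Days remaining, given a "notAfter=<date>" line exactly as printed by
# `openssl x509 -noout -enddate` and a reference time in seconds since the epoch.
days_left() {
    notafter_line="$1"
    now_epoch="$2"
    end_str="${notafter_line#notAfter=}"
    end_epoch="$(date -u -d "$end_str" +%s)" || return 1
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# True (exit 0) when fewer than $2 days remain.
expires_within() {
    [ "$1" -lt "$2" ]
}

# Live check against the certificate on disk. Returns 1 when renewal is overdue,
# 2 when the certificate cannot be read at all.
check_live_cert() {
    domain="$1"
    threshold="${2:-14}"
    cert="/etc/letsencrypt/live/$domain/cert.pem"
    line="$(openssl x509 -noout -enddate -in "$cert")" || { echo "cannot read $cert" >&2; return 2; }
    left="$(days_left "$line" "$(date +%s)")" || return 2
    if expires_within "$left" "$threshold"; then
        echo "WARNING: $domain certificate expires in $left days; check /var/log/letsencrypt/letsencrypt.log" >&2
        return 1
    fi
    echo "$domain certificate OK, $left days left"
}

# Usage: ./check_cert.sh demo.domain.com [days]
if [ -n "${1:-}" ]; then
    check_live_cert "$1" "${2:-14}"
fi
```

Certbot itself renews once fewer than 30 days remain, so a threshold of 14 days means the check fires only after at least two weekly renewal attempts have already failed. Note also that the post's post-hook reloads httpd; on an nginx host the hook would be `systemctl reload nginx`.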