Let’s Encrypt certificates – CentOS 7 – Nginx installation (Certbot tool)


Because SSL certificates used to cost money, I later found the Let’s Encrypt certificate authority (Certificate Authority, CA) (https://letsencrypt.org/zh-tw/getting-started/), which lets users request free certificates themselves. Because they are free there are some limits; see the official documentation for details (https://letsencrypt.org/zh-tw/docs/rate-limits/).

A month ago I received an email from Let’s Encrypt titled "Let’s Encrypt certificate expiration notice for domain", which says that the certificate for your domain is about to expire and reminds you to renew it (see the figure below).

I worked out a new renewal procedure and this time found the Certbot tool, which uses Let’s Encrypt to request a free HTTPS certificate.

The steps are as follows.

1. Install the tools

The mod_ssl and certbot packages need to be installed.

yum -y install epel-release mod_ssl certbot

[root@localhost ~]$ yum -y install epel-release mod_ssl certbot
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                     | 5.5 kB  00:00:00     
 * base: ftp.tc.edu.tw
 * epel: ftp.riken.jp
 * extras: ftp.tc.edu.tw
 * remi-php74: ftp.riken.jp
 * remi-safe: ftp.riken.jp
 * updates: ftp.tc.edu.tw
 * webtatic: us-east.repo.webtatic.com
base                                                     | 3.6 kB  00:00:00     
epel                                                     | 4.7 kB  00:00:00     
extras                                                   | 2.9 kB  00:00:00     
remi-php74                                               | 3.0 kB  00:00:00     
remi-safe                                                | 3.0 kB  00:00:00     
updates                                                  | 2.9 kB  00:00:00     
webtatic                                                 | 3.6 kB  00:00:00     
(1/5): epel/x86_64/updateinfo                            | 1.0 MB  00:00:01     
(2/5): remi-php74/primary_db                             | 246 kB  00:00:00     
(3/5): remi-safe/primary_db                              | 2.0 MB  00:00:01     
(4/5): updates/7/x86_64/primary_db                       | 9.6 MB  00:00:03     
(5/5): epel/x86_64/primary_db                            | 6.9 MB  00:00:03     
Package epel-release-7-13.noarch already installed and latest version
Package 1:mod_ssl-2.4.6-97.el7.centos.x86_64 already installed and latest version
Package certbot-1.11.0-1.el7.noarch already installed and latest version
Nothing to do

2. Validate the domain with certbot

Before validation, nginx.conf must be modified to add a location for .well-known/acme-challenge/. This step is very important: when you run the certbot command, a .well-known directory is created under the root you configured (/var/www/html), and Let’s Encrypt uses the file placed there to confirm that the validation request really comes from the party that controls the domain.

[root@localhost ~]$ vim /etc/nginx/nginx.conf

server {
    listen 80 default_server;
    root /var/www/html;

    #=======省略=======

    location ^~ /.well-known/acme-challenge/ {
       default_type    "text/plain";
       root /var/www/html;
    }
}
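Before running certbot it is worth confirming that the location block above really works. The following pre-flight script is an added example, not code from the original post: it writes a token file under the webroot and fetches it back over plain HTTP, the same path the HTTP-01 validator takes. The WEBROOT and DOMAIN defaults, the function names and the use of curl are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: before running certbot,
# check that the "location ^~ /.well-known/acme-challenge/" block really
# serves files from the webroot. It does what the HTTP-01 challenge does:
# drop a token file under the webroot and fetch it back over plain HTTP.
# WEBROOT and DOMAIN are assumed defaults; override them in the environment.

WEBROOT="${WEBROOT:-/var/www/html}"
DOMAIN="${DOMAIN:-demo.domain.com}"
CHALLENGE_DIR=".well-known/acme-challenge"

# Create a unique token file in the challenge directory and print its name.
write_probe_token() {
    webroot="$1"
    token="probe-$(date +%s)-$$"
    mkdir -p "$webroot/$CHALLENGE_DIR"
    printf '%s' "$token" > "$webroot/$CHALLENGE_DIR/$token"
    printf '%s' "$token"
}

# Delete the token file so nothing is left behind in the webroot.
remove_probe_token() {
    rm -f "$1/$CHALLENGE_DIR/$2"
}

# Return 0 when the body the server sent back equals the token written.
response_matches() {
    [ "$1" = "$2" ]
}

# Full check: write the token, fetch it over HTTP (following redirects, as
# the Let's Encrypt validator does), compare, then clean up.
check_acme_path() {
    webroot="$1"; domain="$2"
    token=$(write_probe_token "$webroot")
    body=$(curl -sL --max-time 10 "http://$domain/$CHALLENGE_DIR/$token")
    remove_probe_token "$webroot" "$token"
    if response_matches "$body" "$token"; then
        echo "OK: http://$domain/$CHALLENGE_DIR/ is served from $webroot"
        return 0
    fi
    echo "FAIL: expected '$token', got '$body'; check the nginx location block" >&2
    return 1
}

# Run the check only when invoked as: sh acme_preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    check_acme_path "$WEBROOT" "$DOMAIN"
fi
```

A FAIL here usually means the location block is missing, points at a different root, or port 80 is not reachable from the internet, and certbot would fail the http-01 challenge for the same reason.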

Run the certbot command to validate with the Let’s Encrypt service. When it completes, the SSL certificate is generated under /etc/letsencrypt/live/demo.domain.com/.

certbot certonly --webroot -w /var/www/html -d demo.domain.com --email user@example.com --agree-tos

[root@localhost ~]$ certbot certonly --webroot -w /var/www/html -d demo.domain.com --email user@example.com --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for demo.domain.com
Performing the following challenges:
http-01 challenge for demo.domain.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/demo.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/demo.domain.com/privkey.pem
   Your certificate will expire on 2021-11-15. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3. Configure the Nginx ssl.conf file

  • Replace the SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile entries in /etc/nginx/conf.d/ssl.conf with the *.pem files generated by certbot.
  • After editing, restart the Apache service.

[root@localhost ~]$ vi /etc/nginx/conf.d/ssl.conf

    SSLCertificateFile /etc/letsencrypt/live/demo.domain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/demo.domain.com/privkey.pem
    SSLCACertificateFile /etc/letsencrypt/live/demo.domain.com/fullchain.pem

:wq

[root@localhost ~]$ nginx -s reload

  • Open a browser and go to https://demo.domain.com/ and you will see the padlock!
  • Click the padlock to view the certificate and encryption details.

4. Schedule automatic renewal

  • Create a renewal script, renew_certbot.sh, written as a shell script.
  • Set the permissions of renew_certbot.sh to 755 so it is executable.
  • Add renew_certbot.sh to crontab so it runs once a week.

[root@localhost ~]$ vi /root/renew_certbot.sh

#!/bin/sh
# Renew every certificate that is due for renewal; nothing is done for
# certificates that are still far from expiry. The post-hook reloads the
# web server so the new certificate is picked up.
/usr/bin/certbot renew --quiet --agree-tos --post-hook "systemctl reload httpd"

:wq

[root@localhost ~]$ chmod 755 /root/renew_certbot.sh
[root@localhost ~]$ crontab -e
0 4 * * 1 /root/renew_certbot.sh > /dev/null 2>&1
