    Requesting a Let's Encrypt wildcard HTTPS certificate

    1. Background

    1.1 What is a wildcard certificate

    A wildcard certificate (also called a pan-domain certificate) protects all same-level subdomains of a domain with a single certificate, so every one of them becomes an HTTPS link without having to request a new certificate for each subdomain. The number of subdomains is not limited, which means new subdomains can be added at any time without additional cost. For users with several subdomains, and especially with many of them, this is very cost-effective and saves a great deal of time and money.

    1.2 What is Let's Encrypt

    Deploying an HTTPS website requires a certificate, and certificates are issued by a CA. Most traditional CAs charge for issuing certificates, which does not help the adoption of HTTPS.

    Let's Encrypt is also a CA, but this CA is free: issuing a certificate costs nothing at all.

    Because Let's Encrypt is a non-profit organization and has to keep its costs down, it did something very creative: it designed the ACME protocol, whose current version is v1.

    Why create the ACME protocol? Traditional CAs process certificate requests, renewals and revocations by hand, entirely manually. ACME standardizes the request, renewal and revocation workflows, so once a client implements the protocol it can request certificates from Let's Encrypt on its own; in other words, the Let's Encrypt CA is fully automated.

    Anyone can implement a client based on the ACME protocol; the officially recommended client is Certbot.

    The official list of clients is at https://letsencrypt.org/docs/client-options/ .

    2. Requesting a certificate (certbot)

    2.1 System

    The system used here was created with the AWS Lightsail service and runs CentOS 7.

    2.2 Installing the tools

    First add the EPEL repository to the system.

    curl -o /etc/yum.repos.d/epel-7.repo https://mirrors.aliyun.com/repo/epel-7.repo

    Install the certificate request tool, Certbot.

    yum install -y certbot

    2.3 Requesting the certificate

    # the wildcard is quoted so the shell does not try to expand it as a file glob
    certbot certonly -d '*.wzlinux.com' --manual \
    --preferred-challenges dns \
    --server https://acme-v02.api.letsencrypt.org/directory
    • --manual: obtain the certificate interactively;
    • --preferred-challenges dns: use DNS validation (a wildcard domain can only be validated via DNS); without this option the default HTTP validation (.well-known) is used;
    • --server: the address of a server that supports acme-v02; the default is the acme-v01 address.

    The request proceeds as follows. To prove that the domain is under your control, a TXT DNS record has to be created partway through.

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel): wangzan18@126.com
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel: A
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about our work
    encrypting the web, EFF news, campaigns, and ways to support digital freedom.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: N
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for wzlinux.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: Y
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.wzlinux.com with the following value:
    
    Fd-T8Q_R_9k4UqerXohPkTWu-aZOaU0mxxozERPRU5M
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    Waiting for verification...
    Cleaning up challenges
    Resetting dropped connection: acme-v02.api.letsencrypt.org
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/wzlinux.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/wzlinux.com/privkey.pem
       Your cert will expire on 2019-09-04. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

    The output above asks for a DNS record; I created it in Alibaba Cloud DNS.


    Once the record is in place, verify it from the server.

    [root@ip-172-26-5-120 ~]# dig -t txt _acme-challenge.wzlinux.com
    
    ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -t txt _acme-challenge.wzlinux.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47252
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;_acme-challenge.wzlinux.com.		IN	TXT
    
    ;; ANSWER SECTION:
    _acme-challenge.wzlinux.com. 58	IN	TXT	"Fd-T8Q_R_9k4UqerXohPkTWu-aZOaU0mxxozERPRU5M"
    
    ;; Query time: 0 msec
    ;; SERVER: 172.26.0.2#53(172.26.0.2)
    ;; WHEN: Thu Jun 06 07:04:07 UTC 2019
    ;; MSG SIZE  rcvd: 112
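    The TXT value certbot prints is the dns-01 key authorization from RFC 8555: base64url(SHA-256(token '.' thumbprint(account public key))), with the thumbprint computed per RFC 7638. The following Python is an added example, not code from the original post or from Certbot: it derives that value from a token and an account JWK, and parses `dig -t txt` output like the answer above to confirm the expected value is actually served before you press Enter. It goes slightly beyond the single case on the page by handling EC account keys and multi-chunk TXT records; `SAMPLE_DIG` is a constructed sample and the function names are mine.

```python
import base64
import hashlib
import json
import re

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: hash only the required public members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value the CA expects in the _acme-challenge TXT record:
    base64url(SHA-256(token '.' thumbprint(account public key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

# ANSWER-section line of `dig -t txt`: owner name, TTL, IN, TXT, quoted string(s)
_TXT_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+TXT\s+(.+)$")

def txt_records_from_dig(dig_output: str) -> dict:
    """Map owner name (lowercase, no trailing dot) -> list of TXT values,
    joining the quoted chunks of one record as RFC 1035 allows."""
    records = {}
    for line in dig_output.splitlines():
        m = _TXT_LINE.match(line.strip())
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        value = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(2)))
        records.setdefault(name, []).append(value)
    return records

def record_deployed(dig_output: str, domain: str, expected: str) -> bool:
    """True when _acme-challenge.<domain> carries the expected value; other
    (stale) TXT values at the same name do not block validation."""
    name = f"_acme-challenge.{domain}".lower()
    return expected in txt_records_from_dig(dig_output).get(name, [])

# Constructed sample in the shape of the dig ANSWER section shown above.
SAMPLE_DIG = (
    ";; ANSWER SECTION:\n"
    "_acme-challenge.wzlinux.com. 58\tIN\tTXT\t"
    '"Fd-T8Q_R_9k4UqerXohPkTWu-aZOaU0mxxozERPRU5M"\n'
)
```

Querying the zone's authoritative nameserver (dig @ns1.example ...) rather than the local resolver avoids a cached negative answer hiding a record that is already live.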

    2.4 Viewing the certificate files

    [root@ip-172-26-5-120 ~]# ll /etc/letsencrypt/live/wzlinux.com/
    total 4
    lrwxrwxrwx. 1 root root  35 Jun  6 06:53 cert.pem -> ../../archive/wzlinux.com/cert1.pem
    lrwxrwxrwx. 1 root root  36 Jun  6 06:53 chain.pem -> ../../archive/wzlinux.com/chain1.pem
    lrwxrwxrwx. 1 root root  40 Jun  6 06:53 fullchain.pem -> ../../archive/wzlinux.com/fullchain1.pem
    lrwxrwxrwx. 1 root root  38 Jun  6 06:53 privkey.pem -> ../../archive/wzlinux.com/privkey1.pem
    -rw-r--r--. 1 root root 692 Jun  6 06:53 README

    2.5 Using the certificate

    Here nginx is used as the example service; its configuration file is as follows:

    server {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name  bbs.wzlinux.com bbs1.wzlinux.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /usr/share/nginx/html/;
        # "ssl on;" is redundant with the ssl parameter on listen above and was
        # removed in nginx 1.25.1, so it is left commented out.
        #ssl on;
        ssl_certificate /etc/letsencrypt/live/wzlinux.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/wzlinux.com/privkey.pem;
        ssl_session_timeout 5m;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); restricting to TLSv1.2 and
        # TLSv1.3 is current practice.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        # Cipher string on one line; note it still permits 3DES and
        # non-forward-secret RSA key exchange.
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # openssl dhparam -out /usr/local/nginx/ssl/dhparam.pem 2048
        #ssl_dhparam /usr/local/nginx/ssl/dhparam.pem;

        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
            expires      30d;
        }

        location ~ .*\.(js|css)?$ {
            expires      12h;
        }

        # Keep HTTP-01 challenge files reachable (used when DNS validation is not chosen)
        location ~ /.well-known {
            allow all;
        }

        # Block dotfiles such as .git or .htaccess
        location ~ /\. {
            deny all;
        }

        access_log  off;
    }

    server {
        listen          80;
        server_name bbs.wzlinux.com;
        return 301 https://$server_name$request_uri;
    }

    Accessing the site now shows it served over HTTPS with the new certificate.


    2.6 Renewing the certificate

    Renewal is done with the command certbot renew; add a cron job for it.

    [root@ip-172-26-5-120 ~]# certbot renew
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/wzlinux.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert not yet due for renewal
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
    The following certs are not due for renewal yet:
      /etc/letsencrypt/live/wzlinux.com/fullchain.pem expires on 2019-09-04 (skipped)
    No renewals were attempted.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    The cron job:

    # Runs at 01:30 on the 10th of every month. certbot renew only renews certificates
    # within 30 days of expiry, so most runs report "not yet due".
    # A certificate obtained with --manual cannot be renewed non-interactively unless
    # --manual-auth-hook (and --manual-cleanup-hook) scripts create the TXT record.
    30 1 10 * * /usr/bin/certbot renew && systemctl reload nginx

    2.7 Requesting a certificate (Docker)

    If a Docker environment is available, the certificate can also be obtained with the Docker image in a single command.

    docker run -it --rm --name certbot \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
    certbot/certbot certonly --manual -d  '*.wzlinux.com'

    The remaining steps are the same as above.

    2.8 Requesting a multi-domain certificate

    The same method can request a certificate covering several domains, for example the one I requested:

    certbot certonly  -d bbs1.wzlinux.com,bbs2.wzlinux.com,bbs.coffeedst.top \
    --manual --preferred-challenges dns \
    --server https://acme-v02.api.letsencrypt.org/directory

    If you do not want to create DNS records, drop the --preferred-challenges dns option and use HTTP validation directly.


    3. Requesting a certificate (acme.sh)

    Reference (this method is also very simple):
    https://github.com/Neilpang/acme.sh

    3.1 Online installation

    curl https://get.acme.sh | sh

    3.2 Issuing a certificate only

    Single domain:

    acme.sh --issue -d example.com -w /home/wwwroot/example.com

    Multiple domains in one certificate:

    acme.sh --issue -d example.com -d www.example.com -d cp.example.com -w /home/wwwroot/example.com

    3.3 Installing the certificate into Apache, Nginx, etc.

    Apache example:

    acme.sh --install-cert -d example.com \
    --cert-file      /path/to/certfile/in/apache/cert.pem  \
    --key-file       /path/to/keyfile/in/apache/key.pem  \
    --fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
    --reloadcmd     "service apache2 force-reload"

    Nginx example:

    acme.sh --install-cert -d example.com \
    --key-file       /path/to/keyfile/in/nginx/key.pem  \
    --fullchain-file /path/to/fullchain/nginx/cert.pem \
    --reloadcmd     "service nginx force-reload"

    3.4 Automatic DNS API integration

    If your DNS provider offers API access, that API can be used to issue certificates automatically.

    No manual steps are needed at all!

    https://github.com/Neilpang/acme.sh/wiki/dnsapi

    Article reposted from https://letsencrypt.org/zh-cn/docs/client-options/
