Let's Encrypt与Certbot
[toc]
1 Let's Encrypt
1.1 About Let's Encrypt
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.
The key principles behind Let’s Encrypt are:
Free
: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
Automatic
: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
Secure
: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
Transparent
: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
Open
: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
Cooperative
: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
We have a page with more detailed information about how the Let’s Encrypt CA works.
1.2 Getting Started
为了在网站上启用https
,我们需要从CA
(Certificate Authority)申请一个证书,Let’s Encrypt
是一个CA
。为了从Let's Encrypt获取我们网站域名的证书,我们必须证明对域名的控制权。使用Let's Encrypt,我们可以使用使用ACME协议的软件
来执行此操作,该协议通常在我们的Web主机上运行。
如果有用
shell
访问web主机的权限,推荐使用Certbot ACME客户端,它可以自动执行证书颁发和安装,无需停机。它还为不想要自动配置的人提供专家模式。它易于使用,适用于许多操作系统,并且具有出色的文档。
如果Certbot
不满足你的需求, 还有其他的ACME客户端 供选择。
2 Certbot
2.1 安装Certbot
2.1.1 使用certbot-auto方式安装
推荐使用certbot-auto
,使用它会自动创建python venv
虚拟环境,并在其中安装certbot
及其依赖
user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
user@webserver:~$ ./certbot-auto --help
Usage: certbot-auto [OPTIONS]
A self-updating wrapper script for the Certbot ACME client. When run, updates
to both this script and certbot will be downloaded and installed. After
ensuring you have the latest versions installed, certbot will be invoked with
all arguments you have provided.
Help for certbot itself cannot be provided until it is installed.
--debug attempt experimental installation
-h, --help print this help
-n, --non-interactive, --noninteractive run without asking for user input
--no-bootstrap do not install OS dependencies
--no-self-upgrade do not download updates
--os-packages-only install OS dependencies and exit
--install-only install certbot, upgrade if needed, and exit
-v, --verbose provide more output
-q, --quiet provide only update/error output;
implies --non-interactive
可以创建
certbot-auto
软链接到/usr/bin/
或者/usr/local/bin/
下,这样就可以直接执行命令
根据提示安装certbot和依赖,需要使用root用户
user@webserver:~# ./certbot-auto --install-only
查看certbot帮助
user@webserver:~# ./certbot-auto -h
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:
obtain, install, and renew certificates:
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near
expiry
enhance Add security enhancements to your existing configuration
-d DOMAINS Comma-separated list of domains to obtain a certificate for
--apache Use the Apache plugin for authentication & installation
--standalone Run a standalone webserver for authentication
--nginx Use the Nginx plugin for authentication & installation
--webroot Place files in a server's webroot folder for authentication
--manual Obtain certificates interactively, or using shell script
hooks
-n Run non-interactively
--test-cert Obtain a test certificate from a staging server
--dry-run Test "renew" or "certonly" without saving any certificates
to disk
manage certificates:
certificates Display information about certificates you have from Certbot
revoke Revoke a certificate (supply --cert-path or --cert-name)
delete Delete a certificate
manage your account with Let's Encrypt:
register Create a Let's Encrypt ACME account
--agree-tos Agree to the ACME server's Subscriber Agreement
-m EMAIL Email address for important account notifications
More detailed help:
-h, --help [TOPIC] print this message, or detailed help on a topic;
the available TOPICS are:
all, automation, commands, paths, security, testing, or any of the
subcommands or plugins (certonly, renew, install, register, nginx,
apache, standalone, webroot, etc.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
运行certbot命令查看现有证书
user@webserver:~# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - -
No certs found.
- - - - - - - - - - - - - - - - - - - - - -
文件certbot-auto
中有venv
的位置
if [ -z "$VENV_PATH" ]; then
# We export these values so they are preserved properly if this script is
# rerun with sudo/su where $HOME/$XDG_DATA_HOME may have a different value.
export OLD_VENV_PATH="$XDG_DATA_HOME/letsencrypt"
export VENV_PATH="/opt/eff.org/certbot/venv"
fi
我们可以尝试运行venv环境,检查安装的包
[root@journal certbot]# pwd
/opt/eff.org/certbot
[root@journal certbot]# ll
drwxr-xr-x 5 root root 4096 Dec 19 11:33 venv
[root@journal certbot]# source venv/bin/activate
(venv) [root@journal certbot]# pip list |grep certbot
certbot (0.29.1)
certbot-apache (0.29.1)
certbot-nginx (0.29.1)
(venv) [root@journal certbot]# deactivate
[root@journal certbot]#
2.1.2 使用Ansible批量安装
certbot-auto
是官方给出的使用vitrualenv
方式安装certbot
的方法,此方法简单易用,但是由于对脚本逻辑不太了解,可能会对管理上带来困难。
我们自己用vitrualenv
方式安装certbot
,下面是Ansible
批量安装的一个playbook
:
install-certbot.yml
---
- hosts: webpool-qa:webpool-live
become: yes
gather_facts: false
tasks:
- name: 1. Install certbot into virtualenv
pip:
name: certbot
state: present
virtualenv: /root/python-certbot
- name: 2. Ensure logger(util-linux) have been installed
yum:
name: util-linux
state: present
- name: 3. Install cert_renew.sh script
copy:
src: ./scripts/cert_renew.sh
dest: /root/cert_renew.sh
mode: 0755
- name: 4. Copy cert_posthook.sh if it not exists
copy:
src: ./scripts/cert_posthook.sh
dest: /root/cert_posthook.sh
mode: 0755
force: no
- name: 5. Create certbot job on root account
cron:
name: "certbot renew job"
state: present
minute: 45
hour: 14
job: "/root/cert_renew.sh 2>&1 | /usr/bin/logger -t certbot"
cert_renew.sh
#!/bin/bash
source /root/python-certbot/bin/activate
certbot renew --post-hook "/root/cert_posthook.sh"
cert_posthook.sh
#!/bin/bash
#Restart local httpd
/sbin/service httpd restart
执行下列命令进行安装
# ansible install-certbot.yml
2.1.3 其他方式安装
我们还可以使用git版本的Certbot Use git version certbot
2.2 申请证书
申请证书脚本
[root@journal ~]# mkdir certbot
[root@journal ~]# mv certbot-auto certbot/
[root@journal ~]# cd certbot/
[root@journal ~]# vim cert_apply.sh
#!/bin/bash
./certbot-auto certonly --webroot \
-w /data/web -d example.demo.com \
自动renew脚本
[root@journal ~]# vim cert_renew.sh
#!/bin/bash
./certbot-auto renew --post-hook "service httpd restart"
# certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
有效期在30天以上的证书,可使用
--force-renewal
强制更新;
注意:证书更新过一次之后,会在/etc/letsencrypt/renewal
目录下生成对应证书名称的配置文件,记录更新时使用的参数、配置等。
renew脚本定时任务
(需要logger命令),最好触发测试一下
[root@journal certbot]# crontab -l
# renew letsencrpyt SSL certificate
36 15 * * 1-5 /root/certbot/cert_renew.sh 2>&1 | /usr/bin/logger -t certbot
2.3 为网站添加证书流程
查看原证书信息
# ./certbot-auto certificates
编辑申请证书脚本,添加新网站
# vim cert_apply.sh
确认vhost配置文件内原证书位置
# cd /etc/httpd/conf.d/
# grep .pem . -R
或
# grep .pem domain.demo.com.conf
如果提示会生成新的证书,而不是扩展原有证书,则删除原有证书 ,在重启apache之短时间内原证书仍然生效
# ./certbot-auto delete
生成新证书 ,确保证书位置与原来的一致
# ./cert_apply.sh
检查apache配置文件语法
# apachectl -t
如果Syntax OK
,重启apache服务
# systemctl restart httpd