Let's Encrypt and Certbot


[toc]

1 Let's Encrypt

1.1 About Let's Encrypt

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.

The key principles behind Let’s Encrypt are:
Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

We have a page with more detailed information about how the Let’s Encrypt CA works.

1.2 Getting Started

To enable HTTPS on a website we need a certificate from a CA (Certificate Authority), and Let's Encrypt is one such CA. To obtain a certificate for our site's domain from Let's Encrypt we must prove control over that domain. With Let's Encrypt this is done by software that speaks the ACME protocol, which normally runs on the web host itself.

If you have shell access to the web host, the recommended ACME client is Certbot: it automates certificate issuance and installation with no downtime, and it also offers expert modes for those who do not want automatic configuration. It is easy to use, works on many operating systems, and has excellent documentation.
If Certbot does not meet your needs, there are other ACME clients to choose from.
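To make concrete what "proving control over the domain" means for the HTTP-01 challenge that the webroot and standalone authenticators use, here is an added worked example, written for this page (it is not code from Let's Encrypt or Certbot). It computes the key authorization that must be served at /.well-known/acme-challenge/<token> as RFC 8555 and RFC 7638 define it, stages the file under a webroot the way the webroot authenticator does, and then checks the served body the way the CA does. The account key, token and webroot are constructed sample values, not a real account or a real challenge.

```python
import base64
import hashlib
import json
import pathlib
import tempfile

# Constructed sample values, not a real ACME account key or challenge.
# "n" is an arbitrary 256-byte blob encoded the way an RSA-2048 modulus would be;
# thumbprinting only needs the JWK members, not a usable key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": base64.urlsafe_b64encode(bytes(range(256))).rstrip(b"=").decode("ascii"),
}
# A sample token in the shape the CA hands out (43 base64url characters).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members only,
    serialised with lexicographically sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token '.' thumbprint(accountKey).
    Binding the token to the account key is what stops a different ACME account
    (e.g. someone who observed the token) from satisfying the challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """URL path the CA fetches over plain HTTP (port 80) during HTTP-01 validation."""
    return f"/.well-known/acme-challenge/{token}"


def stage_challenge_file(webroot: str, token: str, account_jwk: dict) -> pathlib.Path:
    """What `certbot certonly --webroot -w WEBROOT` does for the challenge: write the
    key authorization to WEBROOT/.well-known/acme-challenge/TOKEN so that the
    already-running web server serves it."""
    target = pathlib.Path(webroot) / ".well-known" / "acme-challenge" / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authorization(token, account_jwk), encoding="ascii")
    return target


def validate_http01_response(token: str, account_jwk: dict, served_body: bytes) -> bool:
    """The CA's side: fetch the challenge URL and compare the body with the expected
    key authorization; RFC 8555 lets the server ignore trailing whitespace only."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return served_body.rstrip(b" \t\r\n") == expected


def self_check() -> bool:
    """Round trip in a temporary webroot: stage the file, read it back as the CA would."""
    with tempfile.TemporaryDirectory() as webroot:
        staged = stage_challenge_file(webroot, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
        return validate_http01_response(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK, staged.read_bytes())


if __name__ == "__main__":
    print("challenge URL path:", challenge_path(SAMPLE_TOKEN))
    print("key authorization :", key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    print("round trip OK     :", self_check())
```

The token is public (the CA sends it in the challenge), so on its own it proves nothing; appending the thumbprint of the ACME account key ties the response to the account that requested the certificate. The CA fetches the URL over plain HTTP on port 80 (an HTTP to HTTPS redirect is followed), so the directory given to -w must be the one the web server actually serves for that hostname, and the path must be reachable without authentication.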

2 Certbot

Certbot website

2.1 Installing Certbot

Get Certbot

2.1.1 Installing with certbot-auto

certbot-auto is the recommended method: it automatically creates a Python venv and installs certbot and its dependencies into it. (Note: EFF has since retired certbot-auto; it no longer receives updates and the current Certbot documentation points to OS packages or the snap instead. The steps below are kept as written for the version installed here, 0.29.1.)

user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
user@webserver:~$ ./certbot-auto --help
Usage: certbot-auto [OPTIONS]
A self-updating wrapper script for the Certbot ACME client. When run, updates
to both this script and certbot will be downloaded and installed. After
ensuring you have the latest versions installed, certbot will be invoked with
all arguments you have provided.

Help for certbot itself cannot be provided until it is installed.

  --debug                                   attempt experimental installation
  -h, --help                                print this help
  -n, --non-interactive, --noninteractive   run without asking for user input
  --no-bootstrap                            do not install OS dependencies
  --no-self-upgrade                         do not download updates
  --os-packages-only                        install OS dependencies and exit
  --install-only                            install certbot, upgrade if needed, and exit
  -v, --verbose                             provide more output
  -q, --quiet                               provide only update/error output;
                                            implies --non-interactive

You can symlink certbot-auto into /usr/bin/ or /usr/local/bin/ so that it can be run directly by name.

Install certbot and its dependencies following the prompts; this must be run as root:

user@webserver:~# ./certbot-auto --install-only

Show certbot's own help:

user@webserver:~# ./certbot-auto -h

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-path or --cert-name)
    delete          Delete a certificate

manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Run the certificates subcommand to list the certificates certbot already manages:

user@webserver:~# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - 
No certs found.
- - - - - - - - - - - - - - - - - - - - - - 

The venv location is set inside the certbot-auto script itself:

 if [ -z "$VENV_PATH" ]; then
   # We export these values so they are preserved properly if this script is
   # rerun with sudo/su where $HOME/$XDG_DATA_HOME may have a different value.
   export OLD_VENV_PATH="$XDG_DATA_HOME/letsencrypt"
   export VENV_PATH="/opt/eff.org/certbot/venv"
 fi

We can activate that venv and inspect the installed packages:

[root@journal certbot]# pwd
/opt/eff.org/certbot
[root@journal certbot]# ll
drwxr-xr-x 5 root root 4096 Dec 19 11:33 venv
[root@journal certbot]# source venv/bin/activate
(venv) [root@journal certbot]# pip list |grep certbot
certbot (0.29.1)
certbot-apache (0.29.1)
certbot-nginx (0.29.1)
(venv) [root@journal certbot]# deactivate
[root@journal certbot]# 

2.1.2 Batch installation with Ansible

certbot-auto is the official way to install certbot into a virtualenv. It is simple to use, but because the script's logic is not something we fully understand, it can make management harder.
Instead we install certbot into a virtualenv ourselves; below is an Ansible playbook that does this across a pool of hosts.

install-certbot.yml

---
- hosts: webpool-qa:webpool-live
  become: yes
  gather_facts: false
  tasks:
    - name: 1. Install certbot into virtualenv
      pip:
        name: certbot
        state: present
        virtualenv: /root/python-certbot
    - name: 2. Ensure logger (util-linux) is installed
      yum:
        name: util-linux
        state: present
    - name: 3. Install cert_renew.sh script
      copy:
        src: ./scripts/cert_renew.sh
        dest: /root/cert_renew.sh
        mode: "0755"
    - name: 4. Copy cert_posthook.sh only if it does not exist yet
      copy:
        src: ./scripts/cert_posthook.sh
        dest: /root/cert_posthook.sh
        mode: "0755"
        force: no
    - name: 5. Create certbot renew job in root's crontab
      cron:
        name: "certbot renew job"
        state: present
        minute: 45
        hour: 14
        job: "/root/cert_renew.sh 2>&1 | /usr/bin/logger -t certbot"

cert_renew.sh

#!/bin/bash
# Run certbot from the virtualenv the playbook created. `renew` only touches
# certificates that are inside the renewal window (30 days before expiry by
# default), so it is safe to run this every day.
source /root/python-certbot/bin/activate
certbot renew --post-hook "/root/cert_posthook.sh"

cert_posthook.sh

#!/bin/bash
# Runs once after the renewal pass, and only if certbot actually attempted a
# renewal, so httpd picks up the new files under /etc/letsencrypt/live/.
# Restart local httpd (a graceful reload would also do and avoids dropping
# in-flight connections)
/sbin/service httpd restart

Run the following command to perform the installation (a playbook is run with ansible-playbook, not with the ansible ad-hoc command):

# ansible-playbook install-certbot.yml

2.1.3 Other installation methods

Certbot can also be installed from its git repository: Use git version certbot

2.2 Obtaining a certificate

Certbot User Guide

Certificate request script

[root@journal ~]# mkdir certbot
[root@journal ~]# mv certbot-auto certbot/
[root@journal ~]# cd certbot/
[root@journal certbot]# vim cert_apply.sh
#!/bin/bash
# Webroot authenticator: certbot writes the HTTP-01 challenge file under
# /data/web/.well-known/acme-challenge/, which the web server must serve for
# http://example.demo.com/ on port 80. Repeat -w/-d pairs to add more sites.
./certbot-auto certonly --webroot \
    -w /data/web -d example.demo.com

Automatic renewal script

[root@journal certbot]# vim cert_renew.sh
#!/bin/bash
# cron starts this script with $HOME as the working directory, so change to the
# script's own directory first or ./certbot-auto will not be found.
cd "$(dirname "$0")" || exit 1
# Renew whatever is within 30 days of expiry, then restart httpd once
# (the post-hook only runs if a renewal was actually attempted).
./certbot-auto renew --post-hook "service httpd restart"
# nginx variant; stopping nginx around the renewal is only needed with the
# standalone authenticator, which must bind port 80 itself:
# certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

`renew` only re-issues certificates that are within 30 days of expiry; anything with more than 30 days left is skipped. To re-issue such a certificate anyway, pass --force-renewal, but use it sparingly: Let's Encrypt limits duplicate certificates (the same set of names) to 5 per week, and a forced renewal inside a cron job would exhaust that quickly.
Note: when a certificate is first obtained, certbot writes a configuration file named after the certificate under /etc/letsencrypt/renewal/, recording the authenticator, webroot and other parameters used; `renew` reads these files on every run, which is why it needs no arguments of its own.
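An added example, not from the page or from Certbot, that applies the same 30-day rule to the output of ./certbot-auto certificates: it parses the listing, reports which lineages `renew` would touch today and which it would skip, and counts how many --force-renewal runs the duplicate-certificate limit still allows. The listing, the fixed "now" and the issuance history are constructed samples in the format certbot 0.2x prints; to use it on a real host, feed the real listing to parse_certbot_certificates() and use datetime.now(timezone.utc) instead of SAMPLE_NOW.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape `certbot certificates` prints; not captured from a real host.
SAMPLE_CERTIFICATES_OUTPUT = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: example.demo.com
    Domains: example.demo.com www.example.demo.com
    Expiry Date: 2019-03-19 03:33:42+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.demo.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.demo.com/privkey.pem
  Certificate Name: old.demo.com
    Domains: old.demo.com
    Expiry Date: 2019-01-05 10:00:00+00:00 (VALID: 16 days)
    Certificate Path: /etc/letsencrypt/live/old.demo.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.demo.com/privkey.pem
  Certificate Name: stale.demo.com
    Domains: stale.demo.com
    Expiry Date: 2018-12-01 10:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/stale.demo.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/stale.demo.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"""

# Fixed "now" so the example is reproducible (constructed).
SAMPLE_NOW = datetime(2018, 12, 20, tzinfo=timezone.utc)
# Issuance times for one exact name set, to illustrate the duplicate-certificate limit (constructed).
SAMPLE_ISSUANCE_HISTORY = [SAMPLE_NOW - timedelta(days=d) for d in (1, 2, 3, 8, 30)]

RENEW_BEFORE_EXPIRY = timedelta(days=30)   # certbot's default renewal window
DUPLICATE_CERT_LIMIT = 5                   # Let's Encrypt: 5 per 7 days for an identical name set
DUPLICATE_CERT_WINDOW = timedelta(days=7)

EXPIRY_RE = re.compile(r"Expiry Date:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})")


def parse_certbot_certificates(output: str) -> list:
    """Turn `certbot certificates` text into [{name, domains, expires, cert_path, key_path}]."""
    certs = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            certs.append({"name": line.split(":", 1)[1].strip(), "domains": []})
        elif not certs:
            continue                       # header lines before the first lineage
        elif line.startswith("Domains:"):
            certs[-1]["domains"] = line.split(":", 1)[1].split()
        elif line.startswith("Expiry Date:"):
            m = EXPIRY_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised expiry line: {line}")
            certs[-1]["expires"] = datetime.fromisoformat(m.group(1))
        elif line.startswith("Certificate Path:"):
            certs[-1]["cert_path"] = line.split(":", 1)[1].strip()
        elif line.startswith("Private Key Path:"):
            certs[-1]["key_path"] = line.split(":", 1)[1].strip()
    return certs


def days_left(expires: datetime, now: datetime) -> int:
    """Whole days remaining, negative once expired (same number certbot shows as VALID: N days)."""
    return (expires - now).days


def renewal_status(certs: list, now: datetime, window: timedelta = RENEW_BEFORE_EXPIRY) -> dict:
    """Classify each lineage the way `certbot renew` decides what to touch:
    'expired', 'due' (inside the window, renewed now) or 'ok' (skipped unless --force-renewal)."""
    status = {}
    for c in certs:
        remaining = c["expires"] - now
        if remaining <= timedelta(0):
            status[c["name"]] = "expired"
        elif remaining <= window:
            status[c["name"]] = "due"
        else:
            status[c["name"]] = "ok"
    return status


def forced_renewals_left(issued_at: list, now: datetime) -> int:
    """How many more --force-renewal runs the duplicate-certificate rate limit still
    allows for this exact set of names within the current 7-day window."""
    recent = sum(1 for t in issued_at if now - t < DUPLICATE_CERT_WINDOW)
    return max(0, DUPLICATE_CERT_LIMIT - recent)


if __name__ == "__main__":
    certs = parse_certbot_certificates(SAMPLE_CERTIFICATES_OUTPUT)
    for name, state in renewal_status(certs, SAMPLE_NOW).items():
        print(f"{name:20s} {state}")
    print("forced renewals left this week:",
          forced_renewals_left(SAMPLE_ISSUANCE_HISTORY, SAMPLE_NOW))
```

Piping this kind of check into the same logger tag as the cron job gives you a daily line per lineage, which is how a stuck renewal (for example a moved webroot) gets noticed before the certificate actually expires.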

Cron job for the renewal script

(requires the logger command). Test the job before relying on it, for example with ./certbot-auto renew --dry-run, which exercises the renewal against the staging server without saving any certificate to disk.

[root@journal certbot]# crontab -l

# renew letsencrypt SSL certificate
36 15 * * 1-5 /root/certbot/cert_renew.sh 2>&1 | /usr/bin/logger -t certbot

2.3 Procedure for adding a certificate to a site

Check the existing certificate information:

# ./certbot-auto certificates

Edit the certificate request script and add the new site:

# vim cert_apply.sh

Confirm where the vhost configuration file references the current certificate:

# cd /etc/httpd/conf.d/
# grep -R '\.pem' .
or
# grep '\.pem' domain.demo.com.conf

If certbot reports that it will create a new certificate (a new lineage, e.g. with a -0001 suffix) instead of expanding the existing one, delete the existing certificate first; Apache keeps the old certificate loaded in memory until it is restarted, so the site stays up in the meantime. Alternatively, pass --cert-name example.demo.com together with the full -d list so that certbot updates the existing lineage in place and the file paths do not change.

# ./certbot-auto delete

Issue the new certificate, making sure its paths match the original ones:

# ./cert_apply.sh

Check the Apache configuration syntax:

# apachectl -t

If it reports Syntax OK, restart the Apache service:

# systemctl restart httpd
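An added check for the steps above, written for this page (it is not Certbot's or Apache's code): it reads a vhost config, finds the active SSLCertificateFile/SSLCertificateKeyFile lines the way the grep does but skipping commented-out ones, and confirms that both point into the same /etc/letsencrypt/live/<name>/ lineage and that the name is the one certbot just issued. Run it before apachectl -t and the restart. The vhost text, the lineage name domain.demo.com and the -0001 variant are constructed samples.

```python
import re

# Constructed vhost in the style of /etc/httpd/conf.d/domain.demo.com.conf (not from the page).
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName domain.demo.com
    ServerAlias www.domain.demo.com
    DocumentRoot /data/web
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/domain.demo.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.demo.com/privkey.pem
    # SSLCertificateChainFile /etc/letsencrypt/live/domain.demo.com/chain.pem   (old, unused)
</VirtualHost>
"""

# The same vhost after a careless re-issue: certbot created a second lineage
# (domain.demo.com-0001) and only the key line was updated (constructed failure case).
SAMPLE_VHOST_MIXED = SAMPLE_VHOST.replace(
    "live/domain.demo.com/privkey.pem", "live/domain.demo.com-0001/privkey.pem")

CERT_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")
# Which file from a lineage each directive should reference.
EXPECTED_FILE = {
    "SSLCertificateFile": ("fullchain.pem", "cert.pem"),
    "SSLCertificateKeyFile": ("privkey.pem",),
    "SSLCertificateChainFile": ("chain.pem",),
}
LIVE_RE = re.compile(r"^/etc/letsencrypt/live/(?P<lineage>[^/]+)/(?P<file>[^/]+)$")


def cert_references(config_text: str) -> list:
    """(directive, path) for every active certificate directive: like `grep .pem`,
    but skipping commented-out lines and keeping the directive the path belongs to."""
    refs = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in CERT_DIRECTIVES:
            refs.append((parts[0], parts[1].strip().strip('"')))
    return refs


def check_vhost(config_text: str, expected_lineage: str) -> list:
    """Problems to fix before `apachectl -t` and the restart; [] means the vhost
    references exactly the lineage certbot (re)issued, with a matching cert/key pair."""
    problems = []
    refs = cert_references(config_text)
    present = {d for d, _ in refs}
    for needed in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if needed not in present:
            problems.append(f"{needed} missing")
    lineages = set()
    for directive, path in refs:
        m = LIVE_RE.match(path)
        if not m:
            problems.append(f"{directive} does not point into /etc/letsencrypt/live/: {path}")
            continue
        lineages.add(m["lineage"])
        if m["file"] not in EXPECTED_FILE[directive]:
            problems.append(f"{directive} uses {m['file']}, expected one of {EXPECTED_FILE[directive]}")
    if len(lineages) > 1:
        problems.append(f"cert and key come from different lineages: {sorted(lineages)}")
    for name in sorted(lineages):
        if name != expected_lineage:
            problems.append(f"lineage {name!r} is not {expected_lineage!r} "
                            "(did certbot issue a new lineage instead of expanding the old one?)")
    return problems


if __name__ == "__main__":
    for label, text in (("clean", SAMPLE_VHOST), ("mixed", SAMPLE_VHOST_MIXED)):
        print(label, check_vhost(text, "domain.demo.com") or "OK")
```

A cert/key pair from two different lineages is the failure this guards against: apachectl -t only checks syntax, and httpd will start and then fail every TLS handshake because the private key does not match the certificate.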