SSL证书-Let's Encrypt

  • 2024-03-14 11:30:59
  • 分类: 运维

官网地址:https://letsencrypt.org/

获取证书

  1. 安装Certbot客户端

     sudo apt install cerbot

如果无法安装-官方推荐如下:

     sudo apt-get update
    sudo apt-get install software-properties-common
    sudo add-apt-repository universe
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update

     sudo apt-get install certbot python-certbot-nginx

  1. 获取证书

     cerbot certonly --webroot --agree-tos -v -t --email 邮箱地址 -w 网站根目录 -d 网站域名

 eg:

 certbot certonly --webroot --agree-tos -v -t --email casontan@hotmail.com -w /usr/share/nginx/competition/public -d competition.gzchuncan.com

     # OR(可用)
     certbot certonly --webroot -w /usr/share/nginx/ifolder4u/public -d www.casontan.com

     certbot certonly --webroot -w /usr/share/nginx/mini/public -d guardianoflife.ctflife.com

操作 LOG

     $ certbot certonly --webroot -w /usr/share/nginx/

     ifolder4u/public -d www.casontan.com
     Saving debug log to /var/log/letsencrypt/letsencrypt.log
     Plugins selected: Authenticator webroot, Installer None
     Enter email address (used for urgent renewal and security notices) (Enter 'c' to
     cancel): cason@ifolder4u.net

     -------------------------------------------------------------------------------
     Please read the Terms of Service at
     https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
     agree in order to register with the ACME server at
     https://acme-v01.api.letsencrypt.org/directory
     -------------------------------------------------------------------------------
     (A)gree/(C)ancel: A

     -------------------------------------------------------------------------------
     Would you be willing to share your email address with the Electronic Frontier
     Foundation, a founding partner of the Let's Encrypt project and the non-profit
     organization that develops Certbot? We'd like to send you email about EFF and
     our work to encrypt the web, protect its users and defend digital rights.
     -------------------------------------------------------------------------------
     (Y)es/(N)o: N
     Obtaining a new certificate
     Performing the following challenges:
     http-01 challenge for www.casontan.com
     Using the webroot path /usr/share/nginx/ifolder4u/public for all unmatched domains.
     Waiting for verification...
     Cleaning up challenges

     IMPORTANT NOTES:
      - Congratulations! Your certificate and chain have been saved at:
        /etc/letsencrypt/live/ www.casontan.com/fullchain.pem
        Your key file has been saved at:
        /etc/letsencrypt/live/ www.casontan.com/privkey.pem
        Your cert will expire on 2020-01-27. To obtain a new or tweaked
        version of this certificate in the future, simply run certbot
        again. To non-interactively renew *all* of your certificates, run
        "certbot renew"
      - Your account credentials have been saved in your Certbot
        configuration directory at /etc/letsencrypt. You should make a
        secure backup of this folder now. This configuration directory will
        also contain certificates and private keys obtained by Certbot so
        making regular backups of this folder is ideal.
      - If you like Certbot, please consider supporting our work by:

        Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
        Donating to EFF:                    https://eff.org/donate-le
  1. 配置nginx 配置文件 www.ifolder4u.com

配置 ssl,原先的配置加上这段

    #强制重定向
    return 301 https://$server_name$request_uri;

完整如下

    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        root /usr/share/nginx/ifolder4u/public;
        index index.php index.html index.htm;

        # Make site accessible from http://localhost/
        server_name www.casontan.com;

        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        #强制重定向
        return 301 https://$server_name$request_uri;

        location ~ \.php$ {              
                fastcgi_split_path_info ^(.+\.php)(/.+)$;     
                fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
                fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        } 

    }

添加配置 ssl 证书配置

 server {
    listen 443;

    # 设定网站根目录
    root /usr/share/nginx/ifolder4u/public;

    # 网站默认首页
    index index.php index.html index.htm;

    # 服务器名称,server_domain_or_IP 请替换为自己设置的名称或者 IP 地址
    server_name  www.casontan.com;

     ssl on;
     #证书存放地址
     ssl_certificate   /etc/letsencrypt/live/ www.casontan.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/ www.casontan.com/privkey.pem;
     ssl_session_timeout 5m;
     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_prefer_server_ciphers on;

    # 修改为 Laravel 转发规则,否则PHP无法获取$_GET信息,提示404错误
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # PHP 支持
    location ~ \.php$ {
        try_files $uri /index.php =404;
         fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}


自动更新 

$ certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ www.casontan.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.casontan.com
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/ www.casontan.com/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/ www.casontan.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
root@iZj6c4n7co1x8xsgid2c62Z:~# certbot renew --dry-run
s below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/ www.casontan.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ www.casontan.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.casontan.com
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/ www.casontan.com/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/ www.casontan.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------


创建定时任务。

创建文件: certbot-auto-renew-cron 

15 2 * */2 * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

开启

crontab certbot-auto-renew-cron


查看是否已写入 

crontab -l

补充:生成多个证书的别名设置

ssh-keygen -t rsa -f ~/.ssh/证书名 -C "carsontan@hotmail.com"

eg

 ssh-keygen -t rsa -f ~/.ssh/id_rsa.yunli -C "carsontan@hotmail.com"

 or

 ssh-keygen -t rsa -f ~/.ssh/id_rsa_yunli -C "carsontan@hotmail.com"

重要命令:

  1. 强制更新

     certbot  renew --force-renewal #全部强制更新
 certbot  renew --cert-name xxx.com --force-renewal #指定名字强制更新

  2. 查看证书信息

     certbot certificates

未经允许不得转载