Let's Encrypt 配置泛域名通用证书

最近个人有10多个二级域名需要签发证书,而Let's encrypt 提供期限为三个月的免费SSL证书,到期之后需要renew,官方还提供自动renew的工具certbot。这里记录下使用Let's Encrypt生成泛域名的通用证书。

什么是 Let’s Encrypt?

部署 HTTPS 网站的时候需要证书,证书由 CA 机构签发,大部分传统 CA 机构签发证书是需要收费的,这不利于推动 HTTPS 协议的使用。

Let’s Encrypt 也是一个 CA 机构,但这个 CA 机构是免费的。也就是说签发证书不需要任何费用。Let’s Encrypt 由于是非盈利性的组织,需要控制开支,他们搞了一个非常有创意的事情,设计了一个 ACME 协议。

那为什么要创建 ACME 协议呢,传统的 CA 机构是人工受理证书申请、证书更新、证书撤销,完全是手动处理的。而 ACME 协议规范化了证书申请、更新、撤销等流程,只要一个客户端实现了该协议的功能,通过客户端就可以向 Let’s Encrypt 申请证书,也就是说 Let’s Encrypt CA 完全是自动化操作的。

任何人都可以基于 ACME 协议实现一个客户端,官方推荐的客户端是Certbot

什么是通配符证书

在没有出现通配符证书之前,Let’s Encrypt 支持两种证书。

1)单域名证书:证书仅仅包含一个主机。

2)SAN 证书:域名通配符证书类似 DNS 解析的泛域名概念,通配符证书就是证书中可以包含一个通配符(*.exmaple.com)。主域名签发的通配符证书可以在所有子域名中使用,比如 www.example.combbs.example.com

申请通配符证书

Let’s Encrypt 上的证书申请是通过 ACME 协议来完成的。ACME 协议规范化了证书申请、更新、撤销等流程,实现了 Let’s Encrypt CA 自动化操作。解决了传统的 CA 机构是人工手动处理证书申请、证书更新、证书撤销的效率和成本问题。

ACME v2 是 ACME 协议的更新版本,通配符证书只能通过 ACME v2 获得。要使用 ACME v2 协议申请通配符证书,只需一个支持该协议的客户端就可以了,官方推荐的客户端是 Certbot

客户在申请 Let’s Encrypt 证书的时候,需要校验域名的所有权,证明操作者有权利为该域名申请证书,目前支持三种验证方式:

  • dns01:给域名添加一个 DNS TXT 记录。
  • http01:在域名对应的 Web 服务器下放置一个 HTTP well-known URL 资源文件。
  • tls-sni01:在域名对应的 Web 服务器下放置一个 HTTPS well-known URL 资源文件。

申请通配符证书,只能使用 dns验证的方式,下面开始申请

获取certbot 客户端
# 下载 Certbot 客户端
$ wget -c https://dl.eff.org/certbot-auto -P /usr/local/bin/
# 设为可执行权限
$ chmod a+x /usr/local/bin/certbot-auto
$ certbot-auto --version
certbot 0.34.2

注: Certbot 0.22.0 以上版本支持ACME v2 协议.

开始申请证书
certbot-auto certonly  -d *.example.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory 
  • certonly,表示安装模式,Certbot 有安装模式和验证模式两种类型的插件。
  • -d 为那些主机申请证书,如果是通配符,输入 *.example.com
  • --manual 表示手动安装插件,Certbot 有很多插件,不同的插件都可以申请证书,用户可以根据需要自行选择
  • --preferred-challenges dns,使用 DNS 方式校验域名所有权
  • --server,Let's Encrypt ACME v2 版本使用的服务器不同于 v1 版本,需要显示指定。

执行完以上命令之后,就是命令行的输出,根据提示输入相应内容:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): fate1028@163.com #用于安全以及续约通知的邮箱

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A #是否同意相关协议条款

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N #是否订阅相关的邮件
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y  #询问是否对域名和机器(IP)进行绑定

以上确认后继续,以下提示要求配置 DNS TXT 记录,从而校验域名所有权,也就是判断证书申请者是否有域名的所有权。

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

OGWxK87UxvB5iMp2tn-tfnB7r_kICS3oSRHyo0ouwzU

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue  ## 这里切记自己验证生效后再回车执行

上面输出要求给 _acme-challenge.example.com 配置一条 TXT 记录,在没有确认 TXT 记录生效之前不要回车执行。请自行登录域名管理系统,比如我在namecheap买的域名,以下是我在域名解析里面配置的TXT记录.


image.png

然后输入下列命令确认 TXT 记录是否生效:

$ dig  -t txt  _acme-challenge.example.com @8.8.8.8 

; <<>> DiG 9.10.6 <<>> -t txt _acme-challenge.example.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20013
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.chat186.com.   IN  TXT

;; ANSWER SECTION:
_acme-challenge.example.com. 1798 IN    TXT "OGWxK87UxvB5iMp2tn-tfnB7r_kICS3oSRHyo0ouwzU"

;; Query time: 258 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri May 31 20:33:01 CST 2019
;; MSG SIZE  rcvd: 112

确认生效后,回车执行,输出如下信息

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-08-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

此时我们的证书已经申请成功了,证书都保存在如下目录中:

$ tree /etc/letsencrypt/live/example.com/
/etc/letsencrypt/live/example.com/
├── cert.pem -> ../../archive/example/cert1.pem
├── chain.pem -> ../../archive/example.com/chain1.pem
├── fullchain.pem -> ../../archive/example.com/fullchain1.pem
├── privkey.pem -> ../../archive/example.com/privkey1.pem
└── README

校验证书信息,输入如下命令:

$ openssl x509 -in  /etc/letsencrypt/live/example.com/cert.pem -noout -text 

# 可以看到证书包含了 SAN 扩展,该扩展的值就是 *.example.com
...
Authority Information Access: 
        OCSP - URI:http://ocsp.int-x3.letsencrypt.org
        CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

X509v3 Subject Alternative Name: 
    DNS:*.example.com
...

到此,我们就演示了如何在 Let’s Encrypt 申请免费的通配符证书。

证书续约

上个环节最后一步最重要事项中提示Let’s encrypt 的免费证书默认有效期为 90 天,到期后如果要非交互式续期所有证书,可以执行如下命令:

$ certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem expires on 2019-08-29 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

由于还没到期所以被忽略掉了,以上的非交互式续约的前提是存在续期的账号凭证,默认第一次是保存在/etc/letsencrypt目录中,建议定期备份。

Nginx 配置

$ cp chain.pem example.com.chain.crt
$ cp privkey.pem example.com.key
$ more ssl.conf
ssl_certificate certs/example.com.chain.crt;
ssl_certificate_key certs/example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE
-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA
256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES
256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;

$ more example.com.conf
server {
    listen 80;
    listen 443 ssl;
    server_name  app.example.com;
    default_type text/html;
    return 200 "are you ok ?";

    include ssl.conf;
.....

reload nginx之后,浏览器访问:


image.png

参考文档

https://www.google.com
https://www.jianshu.com/p/c5c9d071e395

推荐阅读更多精彩内容