# Let’s Encrypt Certificate Generation and Configuration

# Introduction

Let’s Encrypt provides free SSL certificates. A certificate is valid for at most 90 days, can be re-requested repeatedly, and is easy to obtain. The ACME protocol is used to verify that the requester controls the domain; the domain can be validated in one of three ways: FTP, WEB, or DNS. For a manual online request see (https://www.sslforfree.com/)

Wildcard certificates can now be requested as well (http://www.infoq.com/cn/news/2018/03/lets-encrypt-wildcard-https)

Official getting-started guide (https://letsencrypt.org/getting-started/)

What follows validates the domain by the WEB method, using nginx as the example. If you run Tomcat instead, the generated certificate files additionally need a format conversion (see (https://blog.kyletang.work/2018/05/10/pem2jks/) )

# Prerequisites

  1. A domain name, e.g. 9px.in
  2. The domain resolves to an IP address, e.g. 9px.in -> 45.32.53.16
  3. A web service listening on port 80 (WEB validation requires port 80), e.g. nginx. Note: for a domain and IP registered in mainland China, port 80 is only reachable after ICP filing (备案) has been completed.
```nginx
server
    {
        listen 80;
        server_name 9px.in;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/9px.in;

        #include none.conf;
        #error_page   404   /404.html;
        #include enable-php.conf;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        #location ~ /\.
        #{
        #    deny all;
        #}

        access_log off;
    }
```

# Steps

  1. Install the Let’s Encrypt tool; download it from https://certbot.eff.org/
  2. Run the letsencrypt-auto command to generate the certificate (certbot offers more convenient methods, e.g. nginx on RHEL6 https://certbot.eff.org/lets-encrypt/centosrhel6-nginx; here the basic command is used)

```bash
cd /root/letsencrypt && ./letsencrypt-auto certonly --webroot -w /home/wwwroot/9px.in --renew-by-default --email homects@qq.com -d 9px.in
```

The command's output is shown below; the "Congratulations" line means it succeeded.

```text
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for 9px.in
Using the webroot path /home/wwwroot/9px.in for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/9px.in/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/9px.in/privkey.pem
   Your cert will expire on 2018-08-07. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
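The log above shows an `http-01` challenge being answered from the webroot path. The script below is an added example (not certbot's code and not part of the original post) that models what `--webroot` mode does: it writes the challenge file where nginx's `root` will serve it, and then checks it the way the CA would, including a wrong-account and a missing-file case. The account key (`SAMPLE_ACCOUNT_JWK`) and the token are constructed placeholders, not real key material.

```python
"""HTTP-01 webroot challenge mechanics (added example, not certbot's code).

certbot --webroot writes one file per challenge under
<webroot>/.well-known/acme-challenge/<token>; the CA then fetches
http://<domain>/.well-known/acme-challenge/<token> over plain port 80 and
expects the body "<token>.<account key thumbprint>" (RFC 8555 section 8.3).
This is why the path given to -w must equal nginx's `root` and why port 80
must be reachable from the Internet.
"""
import base64
import hashlib
import json
import os
import re
import tempfile

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample of an ACME account public key in JWK form. The "n" value
# is a placeholder, not a real RSA modulus; only its encoding matters here.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "placeholder-modulus-not-a-real-key_AAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, serialised with
    lexicographically sorted keys and no whitespace. Optional members such as
    "alg" or "kid" are excluded, so they never change the thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Challenge response body: token '.' thumbprint (RFC 8555 section 8.1)."""
    return token + "." + jwk_thumbprint(account_jwk)


def is_safe_token(token: str) -> bool:
    """Tokens are base64url; anything else (e.g. '../') must never become a path."""
    return bool(TOKEN_RE.match(token))


def publish_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """Write the key authorization under the webroot so that nginx's `root`
    serves it at /.well-known/acme-challenge/<token>. Returns the file path."""
    if not is_safe_token(token):
        raise ValueError("refusing token that is not base64url: %r" % token)
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def validate_like_ca(webroot: str, token: str, account_jwk: dict) -> bool:
    """Model of the CA side: read what the web server would return for the
    token URL and compare it with the key authorization it expects."""
    if not is_safe_token(token):
        return False
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    try:
        with open(path, encoding="ascii") as fh:
            served = fh.read().strip()
    except OSError:
        return False
    return served == key_authorization(token, account_jwk)


def demo() -> tuple:
    """Round trip in a temporary webroot: (correct key, wrong account key, missing file)."""
    other_jwk = dict(SAMPLE_ACCOUNT_JWK, n="a-different-placeholder-modulus_BBBBBBBBBBBBBBBBBBBBBBB")
    token = "constructed-token_0123456789abcdef"
    with tempfile.TemporaryDirectory() as webroot:
        publish_challenge(webroot, token, SAMPLE_ACCOUNT_JWK)
        return (
            validate_like_ca(webroot, token, SAMPLE_ACCOUNT_JWK),
            validate_like_ca(webroot, token, other_jwk),
            validate_like_ca(webroot, "never-published", SAMPLE_ACCOUNT_JWK),
        )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The thumbprint binds the challenge file to one ACME account, so a file left behind by someone else's account (or a stale one from an earlier run) does not validate. If validation fails in practice, the first things to compare are the `root` in the nginx server block on port 80 and the `-w` path passed to certbot.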
  3. Modify the configuration, adding the SSL settings
```nginx
server
    {
        # TLS is enabled per listen socket. The original block used the deprecated
        # `ssl on;`, which applies to every listen directive in the block and would
        # also force TLS on port 80, breaking the plain-HTTP validation above.
        listen 8000 ssl;
        listen 80;
        server_name 9px.in;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/9px.in;

        ##--SSL config-start------------------------
        ssl_certificate /etc/letsencrypt/live/9px.in/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/9px.in/privkey.pem;

        ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
        ssl_session_timeout  10m;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx >= 1.3.7
        resolver $DNS-IP-1 $DNS-IP-2 valid=300s; # placeholders: put the IPs of your DNS resolvers here (needed for OCSP stapling)
        resolver_timeout 5s;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        ##--SSL config-end-------------------------

        #include none.conf;
        #error_page   404   /404.html;
        include enable-php.conf;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        #location ~ /\.
        #{
        #    deny all;
        #}

        access_log off;
    }
```
  4. Reload the nginx configuration

```bash
# lnmp service
lnmp nginx reload
```

  5. Done.

# Configure a scheduled task to regenerate the certificate monthly

  1. Set up the scheduled task: create a script renew-certs.sh that generates the certificate and reloads the nginx configuration

```bash
#!/bin/bash
# Re-issue the certificate via webroot validation, then reload nginx so it
# picks up the new files under /etc/letsencrypt/live/9px.in/.
# --renew-by-default forces a new certificate on every run; the
# "letsencrypt-auto renew" command mentioned in the log above instead renews
# only certificates that are close to expiry.
cd /root/letsencrypt && ./letsencrypt-auto certonly --webroot -w /home/wwwroot/9px.in --renew-by-default --email homects@qq.com -d 9px.in
lnmp nginx reload
```

Add a crontab entry that runs renew-certs.sh at 03:00 on the 1st of every month: crontab -e

```text
0 3 1 * * /root/renew-certs.sh > /root/renew-certs.log 2>&1
```

  2. Run the script to test it

```bash
/root/renew-certs.sh > /root/renew-certs.log 2>&1
```
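After the SSL block above is live and the cron job is in place, it is worth checking what the server actually presents to visitors rather than trusting the renewal log. The script below is an added example (not part of the original post and not certbot's code): it performs a verifying TLS handshake like a browser would, and reports the issuer, covered names, negotiated protocol and the days left before the certificate expires, flagging when the 30-day renewal window has been reached. `SAMPLE_CERT` is a constructed structure shaped like `ssl.SSLSocket.getpeercert()` output, using the expiry date from the certbot log above; the default port 8000 is the listen port from the configuration above, and Python 3.7+ is assumed for `ssl.TLSVersion`.

```python
"""Post-deployment check for the TLS listener and the renewal window
(added example, not part of the original post or of certbot).

Connects to the host the way a browser would (system trust store, hostname
verification, TLS 1.2 minimum) and summarises the certificate presented.
"""
import socket
import ssl
import time

RENEW_THRESHOLD_DAYS = 30  # certbot's own default: renew when <= 30 days remain

# Constructed sample shaped like ssl.SSLSocket.getpeercert(); the notAfter date
# is the expiry shown in the certbot log above, everything else is made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "9px.in"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
    ),
    "subjectAltName": (("DNS", "9px.in"),),
    "notBefore": "May  9 12:00:00 2018 GMT",
    "notAfter": "Aug  7 12:00:00 2018 GMT",
}


def seconds_at(cert_time: str) -> int:
    """Parse a getpeercert() timestamp such as 'Aug  7 12:00:00 2018 GMT'."""
    return ssl.cert_time_to_seconds(cert_time)


def days_until_expiry(not_after: str, now_seconds: float) -> int:
    """Whole days from now_seconds until notAfter (negative once expired)."""
    return int((seconds_at(not_after) - now_seconds) // 86400)


def summarize_cert(cert: dict, now_seconds: float) -> dict:
    """Flatten the nested getpeercert() tuples into what an operator wants to see."""
    subject = {name: value for rdn in cert.get("subject", ()) for name, value in rdn}
    issuer = {name: value for rdn in cert.get("issuer", ()) for name, value in rdn}
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = days_until_expiry(cert["notAfter"], now_seconds)
    return {
        "common_name": subject.get("commonName"),
        "issuer": issuer.get("organizationName"),
        "dns_names": dns_names,
        "days_left": days_left,
        "needs_renewal": days_left <= RENEW_THRESHOLD_DAYS,
    }


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with the live server and summarise what it presented.
    An untrusted chain, a hostname mismatch or an expired certificate raises
    ssl.SSLCertVerificationError, which is exactly what a visitor's browser
    would reject, so the error is left for the caller to report."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            info = summarize_cert(tls.getpeercert(), time.time())
            info["protocol"] = tls.version()
            info["cipher"] = tls.cipher()[0]
            return info


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "9px.in"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8000  # listen port from the config above
    try:
        result = check_endpoint(host, port)
    except ssl.SSLCertVerificationError as err:
        sys.exit("certificate rejected for %s:%d: %s" % (host, port, err))
    for key, value in result.items():
        print("%-14s %s" % (key, value))
    if result["needs_renewal"]:
        sys.exit(2)  # non-zero so a monitoring job notices
```

Run it as `python3 check_tls.py 9px.in 8000` from a machine outside the server. A non-zero exit means either the chain is not one browsers accept (wrong file in `ssl_certificate`, or the nginx reload did not happen) or the certificate has entered the renewal window, which with a monthly cron job should never be the case for long.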

# References

Let’s Encrypt (free certificates) official site: (https://letsencrypt.org/)

Let’s Encrypt's official certbot tool: (https://certbot.eff.org/)

Recommended strong SSL configuration: (https://cipherli.st/)