使用免費SSL證書讓網站支持HTTPS訪問

時間 2020-11-30

標籤 python linux nginx git github web npm api 服務器 app 欄目 SSL 简体版

原文原文鏈接

安裝Let’s Encrypt

安裝很是簡單直接克隆就能夠了python

# git clone https://github.com.cnpmjs.org/letsencrypt/letsencrypt
# cd letsencrypt/
# ll

生成通配符證書

期間須要根據提示設置DNS TXT記錄,用做你對判斷你是否擁有域名使用權linux

./certbot-auto certonly  -d   *.zisefeizhu.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

參數	說明
certonly	表示安裝模式，Certbot 有安裝模式和驗證模式兩種類型的插件
–manual	表示手動安裝插件，Certbot 有不少插件，不一樣的插件均可以申請證書，用戶能夠根據須要自行選擇
-d	爲那些主機申請證書，若是是通配符，輸入 *.leixf.cn（能夠替換爲你本身的一級域名）
–preferred-challenges dns	使用 DNS 方式校驗域名全部權
–server	Let’s Encrypt ACME v2 版本使用的服務器不一樣於 v1 版本，須要顯示指定

輸出結果nginx

做爲依賴被升級:
  cpp.x86_64 0:4.8.5-44.el7            e2fsprogs.x86_64 0:1.42.9-19.el7 e2fsprogs-libs.x86_64 0:1.42.9-19.el7 krb5-libs.x86_64 0:1.15.1-50.el7 libcom_err.x86_64 0:1.42.9-19.el7
  libffi.x86_64 0:3.0.13-19.el7        libgcc.x86_64 0:4.8.5-44.el7     libgomp.x86_64 0:4.8.5-44.el7         libselinux.x86_64 0:2.5-15.el7   libselinux-python.x86_64 0:2.5-15.el7
  libselinux-utils.x86_64 0:2.5-15.el7 libss.x86_64 0:1.42.9-19.el7     openssl-libs.x86_64 1:1.0.2k-19.el7   python.x86_64 0:2.7.5-90.el7     python-libs.x86_64 0:2.7.5-90.el7

完畢！
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)

接下來須要按要求輸入指令git

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): linkun@zisefeizhu.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for zisefeizhu.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.zisefeizhu.com with the following value:

JM-pzw0Cf7GKfqu_2tyIA-rmfWptxabEFPEP5gSlLEQ

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

這裏有幾個需交互的提示github

是否贊成 Let’s Encrypt 協議要求=>須要贊成

是否分享你的郵箱

詢問是否對域名和機器（IP）進行綁定=>須要贊成

須要注意的地方：web

Please deploy a DNS TXT record under the name
_acme-challenge.zisefeizhu.com with the following value:

JM-pzw0Cf7GKfqu_2tyIA-rmfWptxabEFPEP5gSlLEQ

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

要求配置 DNS TXT 記錄，從而校驗域名全部權，也就是判斷證書申請者是否有域名的全部權。npm

上面輸出要求給 _acme-challenge.leixf.cn 配置一條 TXT 記錄，在沒有確認 TXT 記錄生效以前不要回車執行。api

我用的是阿里雲的域名服務器，控制檯具體操做以下所示：服務器

雲解析DNS --> 域名解析 --> 解析設置 --> 記錄類型(TXT) --> 主機記錄(_acme-challenge) --> 解析線路(默認) --> 記錄值(JM-pzw0Cf7GKfqu_2tyIA-rmfWptxabEFPEP5gSlLEQ)app

確認生效

dig _acme-challenge.zisefeizhu.com

; <<>> DiG 9.10.6 <<>> _acme-challenge.zisefeizhu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4648
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.zisefeizhu.com.  IN      A

;; AUTHORITY SECTION:
zisefeizhu.com.           600     IN      SOA     dns25.hichina.com. hostmaster.hichina.com. 2019121120 3600 1200 86400 360

;; Query time: 265 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Mon Nov 23 10:51:21 CST 2020
;; MSG SIZE  rcvd: 118

回車執行，輸出以下

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/zisefeizhu.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/zisefeizhu.com/privkey.pem
   Your cert will expire on 2021-02-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

看到這個界面內容的話，證書安裝成功了。

查看證書過時時間

# ./certbot-auto certificates
Certificate Name: zisefeizhu.com
    Serial Number: 3041ed1be0505aaa20c9c192744c3ed28f3
    Domains: *.zisefeizhu.com
    Expiry Date: 2021-02-21 01:55:54+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/zisefeizhu.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/zisefeizhu.com/privkey.pem

驗證

# yum install nginx

取消證書

能夠使用一下命令取消剛剛生成的密匙，也就是以上的反操做：

certbot revoke --cert-path /etc/letsencrypt/live/leixf.cn/cert.pem
certbot delete --cert-name leixf.cn

證書路徑：

/etc/letsencrypt/live/zisefeizhu.com/

k8s使用

tls.crt --> /etc/letsencrypt/live/zisefeizhu.com/fullchain.pem

tls.key --> /etc/letsencrypt/live/zisefeizhu.com/privkey.pem

crt.sh

kubectl create secret tls zisefeizhu-cn-crt --key tls.key --cert tls.crt -n zisefeizhu

nginx-ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-test
  namespace: realihub
  annotations:
    kubernetes.io/ingress.class: "kong"
  labels:
    app: nginx-test
spec:
  tls:
    - hosts:
        - "*.zisefeizhu.com"
      secretName: hub-zisefeizhu-com-crt
  rules:
    - host: test.zisefeizhu.com
      http:
        paths:
          - path: /
            backend:
              serviceName: nginx-test
              servicePort: 80

參考文檔：

https://github.com/jaywcjlove/handbook/blob/master/CentOS/使用免費SSL證書讓網站支持HTTPS訪問.md

https://leixf.cn/archives/142