Let's Encrypt certificates are not only free, they are also available as wildcard certificates. A wildcard certificate is a single public-key certificate that covers many subdomains of one domain, which makes running several subdomains very convenient. Applying for and configuring one is simple, and although each certificate is valid for only 90 days, renewal can be scripted, so once it is set up there is little to touch again. Other wildcard certificates on the market are fairly expensive, so for an individual developer building small things to play with, Let's Encrypt is probably the best choice.
certbot can generate a certificate with a few simple commands. First clone certbot onto the server (certbot-auto, used below, is the self-bootstrapping wrapper script shipped in that repository; it needs root because it installs system packages):
$ git clone https://github.com/certbot/certbot
$ cd certbot
One thing to mention: when requesting a Let's Encrypt certificate, the client must prove control of the domain, i.e. that the operator is entitled to obtain a certificate for it. Three challenge types are supported: http-01 (a token file served over HTTP on port 80), dns-01 (a TXT record in the domain's zone) and tls-alpn-01 (a special certificate presented on port 443).
Wildcard names can only be validated with dns-01, and only through the ACME v2 endpoint, which is why the command below passes --server explicitly. My domain is registered with Alibaba Cloud, so I have to log in there and add records in the DNS settings; how to add the TXT record is described further down. Note that *.example.com covers exactly one label (www.example.com, but not example.com itself and not a.b.example.com), which is why both the wildcard and the bare domain are requested in one certificate. Run the command below, replacing *.example.com and example.com with your own domain (the wildcard is quoted so the shell cannot glob-expand it):
$ certbot-auto certonly --manual \
    -d '*.example.com' \
    -d example.com --agree-tos \
    --manual-public-ip-logging-ok \
    --preferred-challenges dns-01 \
    --server https://acme-v02.api.letsencrypt.org/directory
--manual means you place the validation record yourself, and --manual-public-ip-logging-ok acknowledges that Let's Encrypt logs the public IP of the machine running certbot when the manual plugin is used.
After you run the command, certbot-auto first bootstraps its own Python environment and any missing OS packages; that is what all the downloading is, so just let it finish. (The project has since retired certbot-auto; the same certonly flags work unchanged with a certbot installed from your distribution or as a snap.) It then asks for an e-mail address, which is used for expiry and security notices:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxxxxxx@email.com
Once a valid address is entered, ownership of the domain has to be proven, as follows:
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
mhumL1xJOHPIZtFTEm4rotjJnR9TdkBVPuCS9YHvNjs
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Now open your DNS provider's console and add a record. My domain is with Alibaba Cloud, but other providers work the same way. Choose record type TXT. Most DNS panels, Alibaba Cloud's included, expect only the label relative to the zone in the host-record field, so enter _acme-challenge there rather than the full _acme-challenge.example.com, or you end up publishing _acme-challenge.example.com.example.com. The record value is the random string shown above, mhumL1xJOHPIZtFTEm4rotjJnR9TdkBVPuCS9YHvNjs, exactly as printed. A short TTL helps if you need to correct it.
Do not press Enter yet. First install a tool to check that the TXT record is actually live:
$ yum install bind-utils
Then query it. The example below asks Google's public resolver; asking the zone's authoritative nameservers directly (dig +short NS example.com, then query @that-server) avoids a cached negative answer that a public resolver may hold for minutes after the record was added:
$ dig -t txt _acme-challenge.example.com @8.8.8.8
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t txt _acme-challenge.example.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29355
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.example.com. IN TXT
;; ANSWER SECTION:
_acme-challenge.example.com. 599 IN TXT "1scXnCO43OgpWRkdaVpTb-_vd2NGHwdmJEmQhvRC6AA"
;; Query time: 317 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jan 01 12:30:15 CST 2019
;; MSG SIZE rcvd: 118
You will then be prompted a second time. This is not a retry: certbot issues one challenge per requested name (example.com and *.example.com), and both live under the same _acme-challenge.example.com label, so a second TXT record with a new value is needed at the same name, alongside the first (the dig answer above happens to show this second value):
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
1scXnCO43OgpWRkdaVpTb-_vd2NGHwdmJEmQhvRC6AA
Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Add the second TXT record exactly as before, keeping the first one in place (two TXT records with the same name are legal DNS), check it with dig, and press Enter. If nothing goes wrong you should see the following:
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-04-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
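Pressing Enter before the record is visible on the zone's authoritative servers wastes the attempt, and repeated failed validations count against Let's Encrypt's rate limits. The script below is an added helper, not part of the original post: it polls every authoritative nameserver of the zone directly (rather than a caching resolver such as 8.8.8.8) until all of the tokens certbot asked for are served as complete TXT strings. Because the wildcard and the bare domain each get their own challenge under the same _acme-challenge name, it accepts several tokens at once. The zone name, the token values and the 30 x 10 s timeout are assumptions supplied on the command line.

```shell
#!/bin/sh
# Added example, not from the original post: wait until every authoritative
# nameserver of a zone serves all the _acme-challenge TXT tokens certbot asked
# for. Usage: sh check-txt.sh example.com TOKEN1 [TOKEN2 ...]

# Read `dig +short TXT` output on stdin and succeed only if every expected
# token appears as a complete quoted string. grep -F -x: fixed string, whole
# line, so a stale value that merely contains the token does not pass.
txt_has_all() {
    out=$(cat)
    for want in "$@"; do
        printf '%s\n' "$out" | grep -Fxq "\"$want\"" || return 1
    done
    return 0
}

# Poll the zone's own NS servers (assumed timeout: 30 tries, 10 s apart).
# Public resolvers may keep a cached NXDOMAIN for minutes after the record
# is added, so they are deliberately not consulted here.
wait_for_txt() {
    zone=$1
    shift
    name="_acme-challenge.$zone"
    servers=$(dig +short NS "$zone")
    if [ -z "$servers" ]; then
        echo "no NS records found for $zone" >&2
        return 1
    fi
    for ns in $servers; do
        tries=0
        until dig +short TXT "$name" "@$ns" | txt_has_all "$@"; do
            tries=$((tries + 1))
            if [ "$tries" -ge 30 ]; then
                echo "timed out waiting for $name on $ns" >&2
                return 1
            fi
            sleep 10
        done
        echo "ok: $ns serves all $# token(s) for $name"
    done
}

# Only run the live check when a zone and tokens were passed on the command
# line, so the functions above can be sourced or tested without network access.
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Run it with the zone and both values from the two prompts, e.g. sh check-txt.sh example.com mhumL1xJOHPIZtFTEm4rotjJnR9TdkBVPuCS9YHvNjs 1scXnCO43OgpWRkdaVpTb-_vd2NGHwdmJEmQhvRC6AA, and press Enter in certbot only once it reports ok for every nameserver. Let's Encrypt validates from multiple vantage points against the authoritative servers, so seeing the record on one public resolver is not sufficient.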
The paths of the certificate chain and private key, and the expiry date, are printed. Keep the private key safe: privkey.pem should be readable by root only and must never be copied into a repository. The files under /etc/letsencrypt/live/ are symlinks to the newest versions in /etc/letsencrypt/archive/, so the paths you put into nginx stay valid across renewals, but nginx must be reloaded after each renewal to pick up the new files. Note also that certbot-auto renew cannot complete a manual dns-01 challenge unattended: without a --manual-auth-hook script that creates the TXT record through your DNS provider's API (and a --manual-cleanup-hook to remove it), you have to re-run the certonly command above interactively before the 90 days are up.
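Before pointing nginx at the files, it is worth confirming that the certificate really covers the names you will serve, and having the expiry check a renewal cron job needs. The script below is an added example, not from the original post. So that it runs offline, it generates a throwaway self-signed certificate with the same two SANs in a temporary directory (constructed stand-in data, not an issued certificate); in real use point CERT at /etc/letsencrypt/live/example.com/fullchain.pem. The 30-day renewal window is an assumption. The wildcard matching follows the one-label rule: *.example.com matches www.example.com but neither example.com nor a.b.example.com, which is exactly why the certbot command above requests both names.

```shell
#!/bin/sh
# Added example, not from the original post: check which hostnames a
# certificate covers and whether it is due for renewal.
# A self-signed stand-in with the same SANs as the Let's Encrypt certificate
# is generated here so the script runs offline (constructed test data).

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = example.com
[v3]
subjectAltName = DNS:example.com, DNS:*.example.com
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$TMP/san.cnf" \
    -keyout "$TMP/privkey.pem" -out "$TMP/fullchain.pem" 2>/dev/null
CERT="$TMP/fullchain.pem"   # real use: /etc/letsencrypt/live/example.com/fullchain.pem

# List the DNS names in the certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/[ \t]/, ""); gsub(/,/, "\n"); print }' |
        sed -n 's/^DNS://p'
}

# Wildcard rule as browsers apply it: "*." covers exactly one leftmost label.
san_matches() {
    san=$1
    host=$2
    case $san in
        \*.*)
            suffix=${san#\*.}
            label=${host%%.*}
            rest=${host#*.}
            [ "$label" != "$host" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            [ "$san" = "$host" ]
            ;;
    esac
}

# Succeed if any SAN in the certificate covers the hostname.
cert_covers() {
    for san in $(cert_sans "$1"); do
        if san_matches "$san" "$2"; then
            return 0
        fi
    done
    return 1
}

# Succeed if the certificate expires within N days (assumed cron window).
# `openssl x509 -checkend` exits 0 when the cert stays valid past the window.
needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        return 1
    fi
    return 0
}

for h in example.com www.example.com a.b.example.com; do
    if cert_covers "$CERT" "$h"; then
        echo "$h: covered"
    else
        echo "$h: NOT covered"
    fi
done
if needs_renewal "$CERT" 30; then
    echo "renew now"
else
    echo "renewal not due within 30 days"
fi
```

With the real fullchain.pem, a.b.example.com is reported as not covered, which is the usual surprise with wildcard certificates: a second-level subdomain needs its own name (or its own wildcard) in the request. The needs_renewal check is what a daily cron job can use to decide when to re-run the certonly command and reload nginx.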
If you use nginx, the configuration is simple. The original block used a plain listen 443; together with the ssl on; directive, which has been deprecated since nginx 1.15.0; listen 443 ssl; is the current form. The server_name also lists the wildcard so that the vhost actually serves the subdomains the certificate covers, and the redirect uses $host rather than $server_name so the requested subdomain is preserved ($server_name would always expand to the first name in the list):
# redirect http to https, keeping the requested host and path
server {
    listen 80;
    server_name example.com *.example.com;
    return 301 https://$host$request_uri;
}
# listen on 443 with TLS and proxy requests to port 3000
server {
    listen 443 ssl;
    server_name example.com *.example.com;
    # certificate chain and private key issued above
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://127.0.0.1:3000;
        # let the backend see the original host and that TLS was used
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Check the configuration with nginx -t before reloading, and remember that nginx must be reloaded again after every certificate renewal.