怎样签发Let’s Encrypt证书

2018年3月20日 | 分类: 【技术】

【思考】

A. 多域名证书:问题在于很少超过100个;弃用。
B. 泛域名证书 + 二级域名:从客户容量上能满足需求,但也要考虑自定义域名不受保护。
C. 单域名证书 + 二级目录:从客户容量上能满足需求,但也要考虑自定义域名不受保护。
D. 多个单域名证书:问题是WPMU如何对应多个证书?

1. 自动签发:当用户绑定成功时,自动签发和部署。
2. 定期续签:琢磨部署系统定期续签。
3. 证书部署:因为用户绑定的域名在服务器上并无实际目录对应,证书是否会正确生效?
4. 统一监控:考虑怎么实现letsmonitor.org的功能。
5. 批量为已存映像域名生成Let’sEncrypt证书 / 自动为新入映像域名生成Let’sEncrypt证书

参考:http://www.gossamer-threads.com/lists/gnupg/users/57476

【介绍】

Let’s Encrypt 2015年11月16日正式对外开放。2018年3月15日Let’s Encrypt发布的ACMEv2开始正式支持通配符证书。

参考:https://linux.cn/article-6565-1.html
参考:https://www.v2ex.com/t/437798#reply120
参考:https://www.zhihu.com/question/36710815?sort=created

【签发】

certbot方法:

实证适用于大部分VPS。

1. 安装certbot-auto

wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto

2. 申请证书

普通SSL证书:需要保护根域名 domainname.com,主域名 www.domainname.com ,或者其他二级域名 misc.domainname.com 。

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d domainname.com -d www.domainname.com -d misc.domainname.com --manual --preferred-challenges dns-01 certonly

通配符SSL证书:需要保护根域名 domainname.com,所有子域名 *.domainname.com 。

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d domainname.com -d "*.domainname.com" --manual --preferred-challenges dns-01 certonly

将安装一系列依赖包,然后设置,签发:

...
Dependency Installed:
...
Complete!
Upgrading certbot-auto 0.22.0 to 0.22.2...
...
Installation succeeded.
...
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): support@domainname.com
...
Please read the Terms of Service at
...
(A)gree/(C)ancel: A
...
Would you be willing to share your email address with the Electronic Frontier
...
(Y)es/(N)o: Y
...
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domainname.com
...
NOTE: The IP of this machine will be publicly logged as having requested this
...
(Y)es/(N)o: Y
...
Please deploy a DNS TXT record under the name
_acme-challenge.domainname.com with the following value:

fqVKGH-bbY87iqw2S5qYZ9IwFu1aOa82Wkqb5DAlwe0

Before continuing, verify the record is deployed.
...
Press Enter to Continue                                                                                                                                                                                                                      Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domainname.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domainname.com/privkey.pem
   Your cert will expire on 2018-06-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

证书路径:

/etc/letsencrypt/live/domainname.com/fullchain.pem
/etc/letsencrypt/live/domainname.com/privkey.pem

注意备份整个目录:

/etc/letsencrypt

3. 证书续展

./certbot-auto renew

4. 证书重签

如果需要重签,请先在如下各目录删除对应配置文件:

/etc/letsencrypt/archive
/etc/letsencrypt/csr
/etc/letsencrypt/keys
/etc/letsencrypt/live
/etc/letsencrypt/renewal

参考:https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
参考:https://www.oschina.net/news/94188/acme-v2-and-wildcard-certificate-support-is-live
参考:https://www.coderecord.cn/lets-encrypt-wildcard-certificates.html
参考:https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
参考:https://my.oschina.net/kimver/blog/1634575
参考:https://my.oschina.net/u/1021968/blog/1604461
参考:https://www.chinassl.net/faq/n583.html

参考:https://www.v2ex.com/t/165930
参考:https://www.v2ex.com/t/437798#reply120

【部署】

1. 服务器设置

打开 httpd-vhosts.conf ,编辑:

<virtualhost *:443>
	ServerName domainname.com
	ServerAlias www.domainname.com
	DocumentRoot /usr/local/apache2/htdocs/domainname.com/portal/
	ErrorLog /usr/local/apache2/htdocs/logs/domainname.com_error.log
	CustomLog /usr/local/apache2/htdocs/logs/domainname.com_access.log combined
	GnuTLSEnable on
	GnuTLSPriorities NORMAL
	GnuTLSCertificateFile /usr/local/apache2/htdocs/ssl/domainname.com/chained.pem
	GnuTLSKeyFile /usr/local/apache2/htdocs/ssl/domainname.com/domain.key
	<Directory /usr/local/apache2/htdocs/domainname.com/portal>
		Options Indexes FollowSymLinks
		AllowOverride All
		Require all granted
	</Directory>
</virtualhost>

<virtualhost *:80>
	ServerName domainname.com
	ServerAlias www.domainname.com
	DocumentRoot /usr/local/apache2/htdocs/domainname.com/portal/
	Alias /.well-known/acme-challenge/ /usr/local/apache2/htdocs/challenges/
	ErrorLog /usr/local/apache2/htdocs/logs/domainname.com_error.log
	CustomLog /usr/local/apache2/htdocs/logs/domainname.com_access.log combined
	<Directory /usr/local/apache2/htdocs/domainname.com/portal>
		Options Indexes FollowSymLinks
		AllowOverride All
		Require all granted
	</Directory>
</VirtualHost>

【验证】

部署后重启服务器,在浏览器中打开无误。

查看证书详情,在“证书用者可选名称”中显示:

非关键
DNS 名称: *.domainname.com
DNS 名称: domainname.com

【排障】

报错:Another instance of Certbot is already running

如果配置到一半,服务器退出,这时如果再重新生成此域名,会报错:

Another instance of Certbot is already running

查看已添加到一半的域名所占用的进程号:

ps -ef | grep certb

然后通过kill进程号命令删除:

kill 1105

清除相关进程号之后,重新执行签发命令。

报错:Certbot has problem setting up the virtual environment

可能是 pip 版本太低:

参考:https://community.letsencrypt.org/t/ssl-renewal-error-certbot-has-problem-setting-up-the-virtual-environment/26018/2

pip install --upgrade pip

如果仍不奏效,可能是因为pip源没有更新。

参考:https://www.cnblogs.com/ProgramLayman/p/8528568.html
参考:https://www.v2ex.com/t/347335

mv ~/.pip/pip.conf ~/.pip/pip.conf.backup

错误消失。

或者直接修改源:

参考:http://ju.outofmemory.cn/entry/287356
参考:http://www.cnblogs.com/ityunv/p/5909434.html

mkdir ~/.pip
cat > ~/.pip/pip.conf < < EOF

编辑 pip.conf :

[global]
trusted-host=mirrors.aliyun.com
index-url=http://mirrors.aliyun.com/pypi/simple/
EOF