申請 Let's Encrypt 通配符 HTTPS 證書

目錄

• 一、背景知識
  • 1.1、什么是通配符證書
  • 1.2、什么是 Let’s Encrypt
• 二、證書申請(certbot)
  • 2.1、系統確定
  • 2.2、工具安裝
  • 2.3、證書申請
  • 2.4、證書查看
  • 2.5、證書使用
  • 2.6、證書更新
  • 2.7、證書申請(Docker)
  • 2.8、申請多域名
• 三、證書申請（acme.sh）
  • 3.1、Install online
  • 3.2、Just issue a cert
  • 3.3、Install the cert to Apache/Nginx etc.
  • 3.4、Automatic DNS API integration

一、背景知識

1.1、什么是通配符證書

通配符證書，又叫泛域名證書，一張通配符的證書可以保護一個域名下同級子域名，使他們都變成 https 加密鏈接，不需要配置一個子域名再申請一個新證書了，而且不限制子域名數量，這也使得隨時增加子域名的同時並不需要額外的付費，對於有多個子域名尤其是子域名數量很多的用戶，性價比很高，大大的節約了大量的時間和金錢成本。

1.2、什么是 Let’s Encrypt

部署 HTTPS 網站的時候需要證書，證書由 CA 機構簽發，大部分傳統 CA 機構簽發證書是需要收費的，這不利於推動 HTTPS 協議的使用。

Let’s Encrypt 也是一個 CA 機構，但這個 CA 機構是免費的！！！也就是說簽發證書不需要任何費用。

Let’s Encrypt 由於是非盈利性的組織，需要控制開支，他們搞了一個非常有創意的事情，設計了一個 ACME 協議，目前該協議的版本是 v1。

那為什么要創建 ACME 協議呢，傳統的 CA 機構是人工受理證書申請、證書更新、證書撤銷，完全是手動處理的。而 ACME 協議規范化了證書申請、更新、撤銷等流程，只要一個客戶端實現了該協議的功能，通過客戶端就可以向 Let’s Encrypt 申請證書，也就是說 Let’s Encrypt CA 完全是自動化操作的。

任何人都可以基於 ACME 協議實現一個客戶端，官方推薦的客戶端是 Certbot 。

官方客戶端列表請查看 https://letsencrypt.org/docs/client-options/ 。

二、證書申請(certbot)

2.1、系統確定

我們使用的是 aws 的 lightsail 服務創建的系統，系統是 CentOS 7。

2.2、工具安裝

首先給系統添加 epel 源。

curl -o /etc/yum.repos.d/epel-7.repo https://mirrors.aliyun.com/repo/epel-7.repo

安裝證書申請工具 Certbot。

yum install -y certbot

2.3、證書申請

certbot certonly  -d *.wzlinux.com --manual \
--preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory

• --manual交互式獲取，
• --preferred-challenges dns使用DNS驗證的方式（泛域名只能使用DNS驗證），如果取消此選項，將會默認使用 http 形式認證(.well-known)，
• --server指明支持acme-v02的Server地址，默認是acme-v01的地址。

申請過程如下，為了確保域名是在你的管理權限之內，我們中間需要做一條 TXT 的 DNS 解析。

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): wangzan18@126.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for wzlinux.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.wzlinux.com with the following value:

Fd-T8Q_R_9k4UqerXohPkTWu-aZOaU0mxxozERPRU5M

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/wzlinux.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/wzlinux.com/privkey.pem
   Your cert will expire on 2019-09-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

我們看到上面有一條 DNS 解析需求，我這里是在阿里雲進行設定的。

解析好之后，我們在服務器上面驗證一下解析記錄。

[root@ip-172-26-5-120 ~]# dig -t txt _acme-challenge.wzlinux.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -t txt _acme-challenge.wzlinux.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47252
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.wzlinux.com.INTXT

;; ANSWER SECTION:
_acme-challenge.wzlinux.com. 58INTXT"Fd-T8Q_R_9k4UqerXohPkTWu-aZOaU0mxxozERPRU5M"

;; Query time: 0 msec
;; SERVER: 172.26.0.2#53(172.26.0.2)
;; WHEN: Thu Jun 06 07:04:07 UTC 2019
;; MSG SIZE  rcvd: 112

2.4、證書查看

[root@ip-172-26-5-120 ~]# ll /etc/letsencrypt/live/wzlinux.com/
total 4
lrwxrwxrwx. 1 root root  35 Jun  6 06:53 cert.pem -> ../../archive/wzlinux.com/cert1.pem
lrwxrwxrwx. 1 root root  36 Jun  6 06:53 chain.pem -> ../../archive/wzlinux.com/chain1.pem
lrwxrwxrwx. 1 root root  40 Jun  6 06:53 fullchain.pem -> ../../archive/wzlinux.com/fullchain1.pem
lrwxrwxrwx. 1 root root  38 Jun  6 06:53 privkey.pem -> ../../archive/wzlinux.com/privkey1.pem
-rw-r--r--. 1 root root 692 Jun  6 06:53 README

2.5、證書使用

我們這里以 nginx 服務為例，配置證書，nginx 的配置文件為下：

server
        {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name  bbs.wzlinux.com bbs1.wzlinux.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /usr/share/nginx/html/;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/wzlinux.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/wzlinux.com/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES
256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # openssl dhparam -out /usr/local/nginx/ssl/dhparam.pem 2048
        #ssl_dhparam /usr/local/nginx/ssl/dhparam.pem;

        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }


        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log  off;
}

server
        {
        listen          80;
        server_name bbs.wzlinux.com;
        return 301 https://$server_name$request_uri;
}

查看訪問結果如下：

2.6、證書更新

可以使用指令certbot renew進行更新，添加一個定時任務。

[root@ip-172-26-5-120 ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wzlinux.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/wzlinux.com/fullchain.pem expires on 2019-09-04 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

定時任務。

30 1 10 * * /usr/bin/certbot renew && systemctl reload nginx

2.7、證書申請(Docker)

如果裝有 docker 環境的話，也可以用 docker 鏡像來獲取證書，只需一行命令即可。

docker run -it --rm --name certbot \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
certbot/certbot certonly --manual -d  '*.wzlinux.com'

具體步驟和上面一致。

2.8、申請多域名

使用此方法，我們也可以申請多域名的證書，比如我申請的這個：

certbot certonly  -d bbs1.wzlinux.com,bbs2.wzlinux.com,bbs.coffeedst.top \
--manual --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory

如果不想做DNS解析，可以去掉選項--preferred-challenges dns，直接使用 http 認證。

三、證書申請（acme.sh）

參考地址，也非常簡單
https://github.com/Neilpang/acme.sh

3.1、Install online

curl https://get.acme.sh | sh

3.2、Just issue a cert

申請單域名：

acme.sh --issue -d example.com -w /home/wwwroot/example.com

申請多域名在一個證書：

acme.sh --issue -d example.com -d www.example.com -d cp.example.com -w /home/wwwroot/example.com

3.3、Install the cert to Apache/Nginx etc.

Apache example:

acme.sh --install-cert -d example.com \
--cert-file      /path/to/certfile/in/apache/cert.pem  \
--key-file       /path/to/keyfile/in/apache/key.pem  \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd     "service apache2 force-reload"

Nginx example:

acme.sh --install-cert -d example.com \
--key-file       /path/to/keyfile/in/nginx/key.pem  \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd     "service nginx force-reload"

3.4、Automatic DNS API integration

If your DNS provider supports API access, we can use that API to automatically issue the certs.

You don't have to do anything manually!

https://github.com/Neilpang/acme.sh/wiki/dnsapi