碼上快樂

相關內容    簡體    繁體

使用免費SSL證書讓網站支持HTTPS訪問

本文轉載自   查看原文   2020-11-27 14:31   425    我的容器之旅

安裝Let’s Encrypt

安裝非常簡單直接克隆就可以了

# git clone https://github.com.cnpmjs.org/letsencrypt/letsencrypt
# cd letsencrypt/
# ll

生成通配符證書

期間需要根據提示設置DNS TXT記錄,用作你對判斷你是否擁有域名使用權

./certbot-auto certonly  -d   *.zisefeizhu.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
參數 說明
certonly 表示安裝模式,Certbot 有安裝模式和驗證模式兩種類型的插件
–manual 表示手動安裝插件,Certbot 有很多插件,不同的插件都可以申請證書,用戶可以根據需要自行選擇
-d 為那些主機申請證書,如果是通配符,輸入 *.leixf.cn(可以替換為你自己的一級域名)
–preferred-challenges dns 使用 DNS 方式校驗域名所有權
–server Let’s Encrypt ACME v2 版本使用的服務器不同於 v1 版本,需要顯示指定

輸出結果

作為依賴被升級:
  cpp.x86_64 0:4.8.5-44.el7            e2fsprogs.x86_64 0:1.42.9-19.el7 e2fsprogs-libs.x86_64 0:1.42.9-19.el7 krb5-libs.x86_64 0:1.15.1-50.el7 libcom_err.x86_64 0:1.42.9-19.el7
  libffi.x86_64 0:3.0.13-19.el7        libgcc.x86_64 0:4.8.5-44.el7     libgomp.x86_64 0:4.8.5-44.el7         libselinux.x86_64 0:2.5-15.el7   libselinux-python.x86_64 0:2.5-15.el7
  libselinux-utils.x86_64 0:2.5-15.el7 libss.x86_64 0:1.42.9-19.el7     openssl-libs.x86_64 1:1.0.2k-19.el7   python.x86_64 0:2.7.5-90.el7     python-libs.x86_64 0:2.7.5-90.el7

完畢!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)

接下來需要按要求輸入指令

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): linkun@zisefeizhu.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for zisefeizhu.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.zisefeizhu.com with the following value:

JM-xxxxxxxxxxxxxxxEQ

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

這里有幾個需交互的提示

  • 是否同意 Let’s Encrypt 協議要求=>需要同意
  • 是否分享你的郵箱
  • 詢問是否對域名和機器(IP)進行綁定=>需要同意

需要注意的地方:

Please deploy a DNS TXT record under the name
_acme-challenge.zisefeizhu.com with the following value:

JM-xxxxxxxxxxxxxxxEQ

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

要求配置 DNS TXT 記錄,從而校驗域名所有權,也就是判斷證書申請者是否有域名的所有權。

上面輸出要求給 _acme-challenge.leixf.cn 配置一條 TXT 記錄,在沒有確認 TXT 記錄生效之前不要回車執行。

我用的是阿里雲的域名服務器,控制台具體操作如下所示:

雲解析DNS --> 域名解析 --> 解析設置 --> 記錄類型(TXT) --> 主機記錄(_acme-challenge) --> 解析線路(默認) --> 記錄值(JM-pzw0Cf7GKfqu_2tyIA-rmfWptxabEFPEP5gSlLEQ)

確認生效

 dig _acme-challenge.zisefeizhu.com

; <<>> DiG 9.10.6 <<>> _acme-challenge.zisefeizhu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4648
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.zisefeizhu.com.  IN      A

;; AUTHORITY SECTION:
zisefeizhu.com.           600     IN      SOA     dns25.hichina.com. hostmaster.hichina.com. 2019121120 3600 1200 86400 360

;; Query time: 265 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Mon Nov 23 10:51:21 CST 2020
;; MSG SIZE  rcvd: 118

回車執行,輸出如下

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/zisefeizhu.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/zisefeizhu.com/privkey.pem
   Your cert will expire on 2021-02-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

看到這個界面內容的話,證書安裝成功了。

查看證書過期時間

# ./certbot-auto certificates
Certificate Name: zisefeizhu.com
    Serial Number: 3041ed1be0505aaa20c9c192744c3ed28f3
    Domains: *.zisefeizhu.com
    Expiry Date: 2021-02-21 01:55:54+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/zisefeizhu.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/zisefeizhu.com/privkey.pem

驗證

# yum install nginx

取消證書

可以使用一下命令取消剛剛生成的密匙,也就是以上的反操作:

certbot revoke --cert-path /etc/letsencrypt/live/leixf.cn/cert.pem
certbot delete --cert-name leixf.cn

證書路徑:

/etc/letsencrypt/live/zisefeizhu.com/

k8s使用

image

tls.crt --> /etc/letsencrypt/live/zisefeizhu.com/fullchain.pem

tls.key --> /etc/letsencrypt/live/zisefeizhu.com/privkey.pem

crt.sh

kubectl create secret tls zisefeizhu-cn-crt --key tls.key --cert tls.crt -n zisefeizhu

nginx-ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-test
  namespace: realihub
  annotations:
    kubernetes.io/ingress.class: "kong"
  labels:
    app: nginx-test
spec:
  tls:
    - hosts:
        - "*.zisefeizhu.com"
      secretName: hub-zisefeizhu-com-crt
  rules:
    - host: test.zisefeizhu.com
      http:
        paths:
          - path: /
            backend:
              serviceName: nginx-test
              servicePort: 80

參考文檔:

https://github.com/jaywcjlove/handbook/blob/master/CentOS/使用免費SSL證書讓網站支持HTTPS訪問.md

https://leixf.cn/archives/142


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 免費SSL證書(https網站)申請,便宜SSL https證書申請 如何給網站添加SSL證書(免費) 如何通過手機客戶端Android、Iphone 等訪問要求使用客戶端證書SSL加密的https網站 網站配置https,免費ssl證書下載和安裝,個人是nginx服務器 IIS - 自動申請、部署Let's Encrypt的免費SSL證書(讓網站實現HTTPS協議) 最新阿里雲申請免費SSL證書實現網站HTTPS化(圖文教程一) 如何申請阿里雲免費SSL證書(可用於https網站)並下載下來 為什么有時候訪問某些加密https網站是不需要證書的? https? ssl? 讓網站永久擁有免費HTTPS(SSL) Certbot讓網站擁有免費https證書
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM