Let's Encrypt is a free online certificate authority that issues publicly trusted certificates. It has become the most popular and most widely used certificate authority today.
Overview
Before Let's Encrypt appeared, certificate issuance was monopolized by licensed CAs. Getting a certificate from them meant paying a considerable fee, and they could simply sit back and collect the money.
Technically, issuing a certificate is very simple: a few OpenSSL commands are enough to produce a self-signed certificate, and interested readers can look that up. But a certificate you issue yourself cannot join the certificate trust ecosystem: operating systems, browsers and other tools do not (and will not) add your self-signed CA certificate to their trust chain.
Let's Encrypt is a project launched by the Internet Security Research Group, whose vision is "to reduce financial, technological, and educational barriers to secure communication over the Internet". Judging by the results so far, that vision has largely been realized, because the project solved a real pain point in the industry.
As of now, 240 million websites use certificates issued by Let's Encrypt, and every big name on the internet has joined the organization.
Certificate management flow
The stages of the certificate lifecycle are clear: request / issuance / deployment / renewal / revocation.
Let's Encrypt provides a certificate management server and a matching client tool. The issuance flow is as follows.
- The client generates a certificate signing request locally and submits the issuance request to the server.
- The server issues the certificate and returns it to the client.
- The client receives the certificate and saves it locally.
- The client tool can also integrate with mainstream web servers (Nginx, Apache httpd and so on) and install the certificate into the web server configuration.
Today many cloud providers' certificate management services also integrate with Let's Encrypt to automate certificate management.
Hands-on
To request a certificate from Let's Encrypt you need to own a domain, namely the domain whose name will appear in the certificate (its subject name).
Download the client tool
sudo apt-get update
sudo apt-get install certbot
The tool has two run modes: automatically deploying the certificate into the web server, or manual deployment.
Run the tool (manual deployment mode)
mao@DESKTOP-TFLJVQD:~$ sudo certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxx@example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): *.test.example.com
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for test.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.test.example.com with the following value:
jvkP5pIFlM21CJhwWWZeTx1jchCk1ob50iF0G4Qh4jM
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
At this point you need to add a TXT record under the domain example.com whose value is the random-looking string the tool generated. In the next step the TXT record at this name is looked up, which proves that you control the domain.
Verify the domain
Go to your DNS provider and add the TXT record. Check that the record has taken effect with the command nslookup -q=TXT _acme-challenge.test.example.com
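The value certbot asks you to publish is not arbitrary: RFC 8555 (section 8.4) derives it from the challenge token and the SHA-256 thumbprint of your ACME account key. The Python below is an added example, not code from this page or from certbot; it derives that dns-01 value, maps a wildcard name to its _acme-challenge label, and checks nslookup -q=TXT output for the expected record, tolerating a second TXT record at the same name (which happens when a wildcard and its base domain are requested together). The JWK, token and nslookup output are constructed samples.

```python
import base64
import hashlib
import json
import re

# Constructed sample values (not a real account key or token): an EC P-256 JWK
# and a token in the shape the ACME server hands out.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
# Constructed nslookup -q=TXT output with two TXT records at the same name.
SAMPLE_NSLOOKUP = """Non-authoritative answer:
_acme-challenge.test.example.com\ttext = "jvkP5pIFlM21CJhwWWZeTx1jchCk1ob50iF0G4Qh4jM"
_acme-challenge.test.example.com\ttext = "another-challenge-value-for-the-base-domain"
"""

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires for ACME values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value to publish: base64url(SHA-256(token '.' thumbprint)), RFC 8555 section 8.4."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())

def challenge_name(identifier: str) -> str:
    """A wildcard *.test.example.com is validated at _acme-challenge.test.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base

def parse_nslookup_txt(output: str) -> dict:
    """Map each answered name to the list of TXT strings nslookup printed for it."""
    records = {}
    for line in output.splitlines():
        m = re.match(r'^(\S+)\s+text\s*=\s*(.*)$', line.strip())
        if m:
            value = "".join(re.findall(r'"([^"]*)"', m.group(2)))
            records.setdefault(m.group(1).rstrip("."), []).append(value)
    return records

def record_is_deployed(nslookup_output: str, identifier: str, expected: str) -> bool:
    """True when the expected value is among the TXT records at the challenge name."""
    return expected in parse_nslookup_txt(nslookup_output).get(challenge_name(identifier), [])
```

Run record_is_deployed on the output of the nslookup command above before pressing Enter in certbot; a False result usually means the record has not propagated yet or was published under the wrong label.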
Generate the certificate
In the next step the tool obtains the certificate and writes the files locally.
-rw-r--r-- 1 root root 1870 Apr 25 19:44 cert1.pem
-rw-r--r-- 1 root root 1586 Apr 25 19:44 chain1.pem
-rw-r--r-- 1 root root 3456 Apr 25 19:44 fullchain1.pem
-rw------- 1 root root 1708 Apr 25 19:44 privkey1.pem
- cert1.pem: the certificate for *.test.example.com
- chain1.pem: the CA certificate chain
- fullchain1.pem: the full chain (the certificate followed by the CA chain)
- privkey1.pem: the private key for *.test.example.com