Adding the little green security padlock to your own website with Let's Encrypt

Putting a security lock on a website means that the data connection between the browser and the server is encrypted. In practice this means adding an SSL security layer under HTTP, abbreviated HTTPS, whose full name is Hyper Text Transfer Protocol over Secure Socket Layer; the security of HTTPS rests on SSL.

Background on how HTTPS works: https://en.wikipedia.org/wiki/HTTPS

Let's Encrypt is a certificate authority that issues free transport-layer security certificates. Through Let's Encrypt you can obtain domain certificates that browsers trust, without manually performing the complicated create, encrypt, sign, install and renew steps yourself.

How Let's Encrypt works: https://letsencrypt.org/how-it-works/

Let's Encrypt recommends the certbot tool for issuing domain certificates; the detailed steps are described in the reference below.

Reference: https://certbot.eff.org/#centosrhel7-nginx

Because my actual environment is a web server built on Nginx, this article uses that as its basis, and I will generate the domain's certificate with a tool that is open source on GitHub.

Environment used for these steps

Operating system: CentOS release 6.8 (Final)  (command: head -n 1 /etc/issue)

Domain: www.sharebook.site  (What I actually bought is the top-level international domain sharebook.site. Since browsers now automatically prepend www. when visiting a site, I created the subdomain www.sharebook.site under my own domain; subdomains are yours to use however you like.)

Installed software

OpenSSL 1.0.1e-fips 11 Feb 2013 (command: openssl version)

nginx version: nginx/1.10.3 (command: nginx -v)

Tool website used: https://diafygi.github.io/gethttpsforfree/

Source code of the tool: https://github.com/diafygi/gethttpsforfree

The detailed procedure is as follows:

Step one: open the tool at https://diafygi.github.io/gethttpsforfree/

Step two: follow the instructions on the page one item at a time.

Step three: notes on some of the page's steps follow.

Step 1: Account Info

Note 1: any email address can be entered (it is the address Let's Encrypt sends expiry notices to, so a real one is useful).

Note 2: work through the items in the order shown; the commands can be copied as-is and run on your own Linux server.

Note 3: account.key here is the user's account key. If a later step fails and the key has to be regenerated, delete the previously generated account.key and then run the command above again.

Step 2: Certificate Signing Request

Note 1: work through the items in the order shown; the commands can be copied as-is and run on your own Linux server.

Note 2: the DNS entries in item 2 of this step must be changed to your own domains, for example: sharebook.site,www.sharebook.site

Note 3: because I wanted to include more information in the certificate, I used the domain.key, domain.crt and domain.csr generated by the oneinstack tool and simply pasted the contents of domain.csr into Step 2. (In my case the files are www.sharebook.site.key, www.sharebook.site.crt and www.sharebook.site.csr, and I pasted the contents of www.sharebook.site.csr into Step 2.)

Note 4: my files are located under /usr/local/nginx/conf/ssl/
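If you would rather not depend on oneinstack for the domain key and CSR, the following is an added example of generating them from the shell with openssl (this is my code, not part of the original post or of the gethttpsforfree tool). It produces a CSR that lists every name as a DNS Subject Alternative Name, which is what the CA actually certifies; the domain names and the /usr/local/nginx/conf/ssl/ directory are the ones from this post and are assumptions, so adjust them to your own setup.

```shell
#!/bin/sh
# Added example: generate an RSA key and a multi-name CSR for Let's Encrypt.
# Assumed paths/names come from the post (sharebook.site, www.sharebook.site).
set -e

# Create an RSA private key at $1 (bits in $2, default 2048) readable
# only by its owner: the umask is applied in a subshell so it does not
# leak into the rest of the script.
make_rsa_key() {
    key="$1"; bits="${2:-2048}"
    ( umask 077; openssl genrsa -out "$key" "$bits" 2>/dev/null )
}

# Build a CSR at $2 from key $1 whose remaining arguments are DNS names.
# The first name becomes the CN; all of them go into subjectAltName.
make_san_csr() {
    key="$1"; csr="$2"; shift 2
    cn="$1"
    san=""
    for d in "$@"; do
        san="${san}${san:+,}DNS:$d"
    done
    cfg=$(mktemp)
    # Take the system openssl.cnf (or a minimal stand-in if it is missing)
    # and append a [SAN] section that -reqexts selects below.
    {
        cat /etc/ssl/openssl.cnf 2>/dev/null || printf '[req]\ndistinguished_name=dn\n[dn]\n'
        printf '\n[SAN]\nsubjectAltName=%s\n' "$san"
    } > "$cfg"
    openssl req -new -sha256 -key "$key" -subj "/CN=$cn" \
        -reqexts SAN -config "$cfg" -out "$csr"
    rm -f "$cfg"
}

# Print the DNS names found in the CSR's SAN extension, one per line.
# Use this to check the request before pasting it into Step 2.
csr_san_names() {
    openssl req -noout -text -in "$1" | grep -o 'DNS:[^,]*' | sed 's/^DNS://' | tr -d ' '
}

# Print the CSR's CN (handles both "CN = x" and "/CN=x" subject styles).
csr_subject_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *//p'
}

# Typical use, as in the post (assumed directory):
#   make_rsa_key /usr/local/nginx/conf/ssl/www.sharebook.site.key
#   make_san_csr /usr/local/nginx/conf/ssl/www.sharebook.site.key \
#                /usr/local/nginx/conf/ssl/www.sharebook.site.csr \
#                sharebook.site www.sharebook.site
#   csr_san_names /usr/local/nginx/conf/ssl/www.sharebook.site.csr
```

The CSR file is what you paste into Step 2 of the tool; the .key file never leaves the server, which is why it is created with owner-only permissions.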

Step 3: Sign API Requests

Note 1: work through the items in the order shown; the commands can be copied as-is and run on your own Linux server, and the returned results are pasted into the blank fields below. Watch the prompts carefully.

Note 2: the commands are copied here for reference:
Command 1:
PRIV_KEY=./account.key; echo -n "eyJub25jZSI6ImVMWXR1bmE4VnRWQVNzN0hBTzJjOGIwQTJIMG9mTEJEdjdDRlE1YjlwMjQifQ.eyJyZXNvdXJjZSI6Im5ldy1yZWciLCJjb250YWN0IjpbIm1haWx0bzp6aG9uZ3dlbjc3MTBAMTI2LmNvbSJdLCJhZ3JlZW1lbnQiOiJodHRwczovL2xldHNlbmNyeXB0Lm9yZy9kb2N1bWVudHMvTEUtU0EtdjEuMS4xLUF1Z3VzdC0xLTIwMTYucGRmIn0" | openssl dgst -sha256 -hex -sign $PRIV_KEY

Command 2:
PRIV_KEY=./account.key; echo -n "eyJub25jZSI6IkxENkpMRnhHNElLbnhPTjdQOTZGc3BfWWxmZlJaaEJEVTRNVmZJNHRiWEEifQ.eyJyZXNvdXJjZSI6Im5ldy1hdXRoeiIsImlkZW50aWZpZXIiOnsidHlwZSI6ImRucyIsInZhbHVlIjoid3d3LnNoYXJlYm9vay5zaXRlIn19" | openssl dgst -sha256 -hex -sign $PRIV_KEY
Command 3:
PRIV_KEY=./account.key; echo -n "eyJub25jZSI6IjFiSXE0RXVuLThVeTZnZXFkOGpiLUJNOVdNUDYtLVNubVgyOWY2VWNycTQifQ.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" | openssl dgst -sha256 -hex -sign $PRIV_KEY

Step 4: Verify Ownership

Note 1: work through the items in the order shown; the commands can be copied as-is and run on your own Linux server, and the returned result is pasted into the blank field below.

Note 2: in item 2 you only need to pick one option, for example Option 1, the Python server. Copy that code straight into your Linux server's terminal and run it. Remember that whatever is holding port 80 on the server must be stopped first, otherwise running the code produces an address bind error. (Check the port with: lsof -i:80)

Note 3: the sign that this verification step succeeded is that the next step shows the Signed Certificate and Intermediate Certificate.

Note 4: port 80 is usually nginx's port; stop nginx with the command service nginx stop, then paste the code from item 2 into your Linux server's terminal and run it, and then click item 3.

Note 5: once verification is done, remember to stop that program in your server's terminal with Ctrl + C, otherwise Nginx will fail to start later because the port is still occupied.

Step 5: Install Certificate (see below)

At this point the certificate has been generated. Click (Test my install) above to check what the certificate for the domain we just configured covers, as shown in the screenshot below:

But how do you install this into your own web server? Click (how do I install this?); the configuration steps are as follows.

Note 1: work through the items in the order shown; the commands can be copied as-is and run on your own Linux server.

Note 2: the foo.com that the arrow points to in the screenshot must be changed to your own server's hostname, in my case sharebook.site. There is actually no need for a remote copy here: you can create the files directly on your server and then cp them to the target path.

Note 3: edit the Nginx configuration file (nginx.conf), mainly the part the arrow points to (item 5 above). On my server the file is /usr/local/nginx/conf/vhost/www.sharebook.site.conf

Note 4: after editing, remember to run: service nginx reload.

Note 5: then run the restart command: service nginx restart

With the above configuration in place, the result looks like the screenshots below:

Problems encountered and their solutions:

Problem 1: restarting Nginx with service nginx restart reports the following error:

[root@bigdata~]# service nginx restart
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Stopping nginx: nginx: [error] invalid PID number "" in "/var/run/nginx.pid"

Starting nginx: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] still could not bind()
[FAILED]

Solution:

[root@bigdata~]# sudo fuser -k 80/tcp
80/tcp: 27626
[root@iZwz981cltiu6yas5ncttwZ ~]# service nginx restart
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Stopping nginx: nginx: [error] invalid PID number "" in "/var/run/nginx.pid"

Starting nginx: [ OK ]
[root@bigdata~]#
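The bind() failure above and the address bind error from the Python verifier in Step 4 are the same symptom: something is still listening on port 80. As an added example (my code, not from the post), here is a small preflight I would run before starting the verifier or restarting nginx. It matches the whole port field of the ss -ltn listing so that a listener on :8080 is not mistaken for one on :80, and it assumes the iproute2 ss command and fuser are available.

```shell
#!/bin/sh
# Added example: check whether a TCP port already has a listener before the
# ACME verifier or nginx tries to bind it. Assumes `ss` (iproute2) and `fuser`.

# Read `ss -ltn` output on stdin; return 0 if port $1 has a listener.
# The port is compared as a whole field, so 8080 never matches 80, and the
# last colon-separated piece is used so IPv6 addresses like [::]:80 work.
port_busy_in_ss_output() {
    awk -v port="$1" '
        NR > 1 {                      # skip the header line
            n = split($4, a, ":")     # $4 is Local Address:Port
            if (a[n] == port) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Live check against this host.
port_busy() {
    ss -ltn 2>/dev/null | port_busy_in_ss_output "$1"
}

# Print the PIDs holding TCP port $1 (fuser writes PIDs to stdout).
port_owner_pids() {
    fuser -n tcp "$1" 2>/dev/null || true
}

# Stop nginx and wait up to $1 seconds (default 10) for port 80 to be freed.
# Returns 1 and names the owning PIDs if something else still holds it, so
# you can decide what to stop instead of blindly killing it.
stop_nginx_and_wait() {
    timeout="${1:-10}"
    service nginx stop
    while [ "$timeout" -gt 0 ]; do
        port_busy 80 || return 0
        sleep 1
        timeout=$((timeout - 1))
    done
    echo "port 80 still held by PID(s): $(port_owner_pids 80)" >&2
    return 1
}
```

Run stop_nginx_and_wait before the Python server or a standalone certbot run, and start nginx again afterwards; the stale "invalid PID number" message in the output above is harmless once the port is actually free.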

A newer, simpler method (used recently; effective and simple, 2017-10-02):

1. Download the certbot-auto installer script on your server, as shown below

user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
user@webserver:~$ ./certbot-auto --help

Reference: https://certbot.eff.org/docs/install.html#certbot-auto

2. Free ports 80 and 443 on the server

They are usually held by Nginx, which can be stopped with the following command

service nginx stop

 

3. Obtain the certificate in standalone mode

Change to the directory where certbot-auto was downloaded in step 1 and run the following command; multiple domains are given as separate -d options.

./certbot-auto certonly --standalone --email admin@sharebook.site -d sharebook.site -d www.sharebook.site

Reference: https://certbot.eff.org/docs/using.html#standalone

The log output looks like this (for reference only):

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/sharebook.site.conf)

It contains these names: sharebook.site

You requested these names for the new certificate: sharebook.site,
www.sharebook.site.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for sharebook.site
tls-sni-01 challenge for www.sharebook.site
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/sharebook.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/sharebook.site/privkey.pem
Your cert will expire on 2017-12-31. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

Note: the first run of this script generates the configuration file /etc/letsencrypt/renewal/sharebook.site.conf, so the second run shows the prompt above; just answer it as appropriate. On success it reports two generated files, which are needed in the Nginx configuration below: /etc/letsencrypt/live/sharebook.site/fullchain.pem and /etc/letsencrypt/live/sharebook.site/privkey.pem

 

4. Edit the Nginx configuration file (nginx.conf)

On my server the file is /usr/local/nginx/conf/vhost/www.sharebook.site.conf; the parameters to change are the ones marked in the screenshot below:
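The screenshot is not reproduced here, so the following is an added example of the vhost in text form (my configuration, not the author's file) using the two paths certbot-auto reported above. The web root /usr/local/nginx/html, the vhost layout and the redirect target www.sharebook.site are assumptions; adjust them to your server.

```nginx
# Added example vhost for www.sharebook.site (assumed file:
# /usr/local/nginx/conf/vhost/www.sharebook.site.conf)

server {
    listen 80;
    server_name sharebook.site www.sharebook.site;

    # Keep the ACME challenge path reachable over plain HTTP so later
    # renewals can use certbot's webroot authenticator (certbot renew with
    # --webroot -w /usr/local/nginx/html) without stopping nginx. Assumed path.
    location /.well-known/acme-challenge/ {
        root /usr/local/nginx/html;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://www.sharebook.site$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name sharebook.site www.sharebook.site;

    # The two files certbot-auto reported in step 3.
    ssl_certificate     /etc/letsencrypt/live/sharebook.site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sharebook.site/privkey.pem;

    # OpenSSL 1.0.1e (the version on this server) supports TLS 1.2, so the
    # older, weaker protocol versions can be left disabled.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Tell browsers to keep using HTTPS for a year once they have seen it.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /usr/local/nginx/html;
}
```

After editing, nginx -t validates the syntax and service nginx reload applies it without dropping connections; only add the Strict-Transport-Security header once you are sure every subdomain you use is served over HTTPS, because browsers remember it.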

 

5. Restart Nginx and the change takes effect

Commands:

service nginx reload

service nginx start

6. Renewing certificates (renewal script for when the certificate expires)

certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

Note: repeating the steps above by hand is tedious, so I turned them into shell scripts; run one and the certificate is renewed, simple and convenient. Script locations:

/home/study_cerbot/auto_generate_https_byguan.sh

/home/study_cerbot/auto_update_method_byguan.sh

Reference: https://certbot.eff.org/docs/using.html#renewing-certificates
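The author's scripts are not reproduced on the page. As an added example of what such a renewal wrapper can look like (my code, not the author's auto_update script), the one below runs the same renew command with the same pre- and post-hooks, non-interactively so it can run from cron, and reports how many days of validity the live certificate has before and after. The CERTBOT path is an assumption, the certificate path is the one certbot-auto reported above, and GNU date is assumed for parsing the notAfter field.

```shell
#!/bin/sh
# Added example: unattended Let's Encrypt renewal with nginx stopped only for
# the renewal window, plus an expiry check on the resulting certificate.
# CERTBOT location is an assumption; LIVE_CERT is the path from the post.
CERTBOT="${CERTBOT:-/root/certbot-auto}"
LIVE_CERT="${LIVE_CERT:-/etc/letsencrypt/live/sharebook.site/fullchain.pem}"

# Days between an openssl "notAfter=Dec 31 00:00:00 2017 GMT" line ($1) and
# the epoch second given in $2. Negative means the certificate has expired.
# GNU date is assumed for the -d parsing.
days_left_from_enddate() {
    end_epoch=$(date -u -d "${1#notAfter=}" +%s)
    echo $(( (end_epoch - $2) / 86400 ))
}

# Days of validity remaining on the certificate file $1, measured from now.
cert_days_left() {
    days_left_from_enddate "$(openssl x509 -noout -enddate -in "$1")" "$(date +%s)"
}

# Same command as in the post, made non-interactive for cron. certbot only
# renews certificates that are close to expiry, so running this often is fine.
renew_certificates() {
    "$CERTBOT" renew --non-interactive \
        --pre-hook "service nginx stop" --post-hook "service nginx start"
}

main() {
    before=$(cert_days_left "$LIVE_CERT")
    renew_certificates || { echo "renewal failed, nginx restarted by post-hook" >&2; return 1; }
    after=$(cert_days_left "$LIVE_CERT")
    echo "days of validity before: $before, after: $after"
    # Warn if renewal ran but the live certificate is still short-lived.
    [ "$after" -gt 30 ] || echo "warning: certificate still within 30 days of expiry" >&2
}

# Only act when explicitly asked, so the functions can be sourced for checks.
if [ "${RUN_RENEWAL:-0}" = 1 ]; then
    main
fi
```

Run it from cron as RUN_RENEWAL=1 /path/to/this/script (weekly is enough, since certbot decides itself whether a renewal is due), and keep an eye on the warning line: if nginx fails to restart, the post-hook's exit status shows up in the renewal failure.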

 

Other related material:

Chinese tutorial on installing the free Let's Encrypt SSL certificate:

https://www.freehao123.com/lets-encrypt/

https://www.vpser.net/build/letsencrypt-certbot.html/comment-page-2#comments

Official Certbot tutorial for installing the free Let's Encrypt SSL certificate:

https://certbot.eff.org

Official Let's Encrypt documentation:

https://letsencrypt.org/docs/

Let's Encrypt, a site encryption journey:

https://laravel-china.org/articles/2766/lets-encrypt-the-site-of-the-encrypted-tour
