Requesting a Free HTTPS Certificate from Let's Encrypt

Posted by VincentJiang on 2019-01-01

Let's Encrypt certificates are free and, since ACME v2, can be wildcard certificates: a single certificate whose name `*.example.com` covers every direct subdomain (one label deep; it does not cover the bare `example.com`, which is why the command below requests both names). Requesting and installing one is straightforward. Each certificate is valid for 90 days, but renewal can be scripted, so once set up it needs little attention (a certificate obtained with `--manual`, as in this walkthrough, only renews unattended if you also supply a DNS auth hook). Commercial wildcard certificates are comparatively expensive, so for an individual developer's side project Let's Encrypt is probably the best choice.

Certbot

certbot can obtain a certificate with a single command. This walkthrough uses the `certbot-auto` wrapper script shipped in the certbot repository, so first clone it onto the server. (certbot-auto has since been deprecated; on a current system install certbot from your distribution's packages or snap instead, and substitute `certbot` for `./certbot-auto` in the commands below.)

$ git clone https://github.com/certbot/certbot
$ cd certbot

Requesting the certificate

Before issuing, Let's Encrypt must verify that whoever is requesting the certificate controls the domain. The ACME challenge types are:

  • dns-01: publish a DNS TXT record at `_acme-challenge.<domain>` containing the value the client gives you.
  • http-01: serve a file at `http://<domain>/.well-known/acme-challenge/<token>` from the web server for that domain.
  • tls-sni-01: answer a TLS handshake on port 443 with a self-signed certificate for a challenge-specific SNI name. Let's Encrypt disabled this challenge in 2018 after it was shown to be exploitable on shared hosting; its successor is tls-alpn-01. Neither matters here, because wildcard names require dns-01.

Wildcard names can only be validated with dns-01. My domain is registered at Alibaba Cloud (阿里雲), so the record is added in its DNS console; the exact steps follow below. Run the following to start issuance, replacing `*.example.com` and `example.com` with your own names (both are requested because the wildcard does not cover the apex):

# the wildcard is quoted so the shell does not try to glob-expand it
$ ./certbot-auto certonly --manual \
    -d '*.example.com' -d example.com \
    --agree-tos --manual-public-ip-logging-ok \
    --preferred-challenges dns-01 \
    --server https://acme-v02.api.letsencrypt.org/directory

On first run certbot-auto installs its Python dependencies into a private virtualenv (under /opt/eff.org/certbot on Red Hat-style systems); wait for that to finish. It then asks for an email address, which Let's Encrypt uses for expiry and security notices:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxxxxxx@email.com

Once you have entered an email address, certbot asks you to prove control of the domain:

Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

mhumL1xJOHPIZtFTEm4rotjJnR9TdkBVPuCS9YHvNjs

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Now open your DNS provider's console (mine is Alibaba Cloud; the procedure is the same elsewhere) and add a record of type TXT. Most consoles, Alibaba Cloud's included, want only the label `_acme-challenge` in the host field and append the zone themselves; entering the full `_acme-challenge.example.com` there would create `_acme-challenge.example.com.example.com`. Set the value to the string certbot printed, here `mhumL1xJOHPIZtFTEm4rotjJnR9TdkBVPuCS9YHvNjs`, and use a short TTL (60 seconds or so) so the record, and the one that replaces it at renewal, propagate quickly.

Install dig (from bind-utils) and confirm the record is actually visible before pressing Enter. Querying a public resolver such as 8.8.8.8 is convenient, but Let's Encrypt queries the zone's authoritative servers directly, and a public resolver that was asked before the record existed may cache the negative answer for a while; if in doubt, query one of the zone's NS servers instead (`dig NS example.com` lists them):

$ yum install bind-utils
$ dig -t txt _acme-challenge.example.com @8.8.8.8

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t txt _acme-challenge.example.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29355
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.example.com. IN  TXT

;; ANSWER SECTION:
_acme-challenge.example.com. 599 IN TXT   "1scXnCO43OgpWRkdaVpTb-_vd2NGHwdmJEmQhvRC6AA"

;; Query time: 317 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jan 01 12:30:15 CST 2019
;; MSG SIZE  rcvd: 118

certbot will then usually ask for a second record: `*.example.com` and `example.com` are separate authorizations that share the same `_acme-challenge.example.com` name, so each needs its own TXT value and both records must exist at the same time:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

1scXnCO43OgpWRkdaVpTb-_vd2NGHwdmJEmQhvRC6AA

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Add the second record the same way without deleting the first, confirm both appear in dig (two lines in the ANSWER section), then press Enter. If all goes well you will see:

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-04-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The paths of the certificate chain and the private key, and the expiry date, are printed. `/etc/letsencrypt/live/<name>/` holds symlinks to the current files in `../archive/`, so reference the `live` paths from your server configuration and renewals are picked up automatically. `privkey.pem` is the private key: keep it readable by root only (certbot creates it with restrictive permissions; do not copy it anywhere world-readable). One caveat: because this certificate was obtained with `--manual`, `certbot-auto renew` cannot complete the dns-01 challenge by itself. To renew unattended, pass `--manual-auth-hook` (and optionally `--manual-cleanup-hook`) pointing at a script that publishes the TXT record through your DNS provider's API; certbot passes the script the name and value in the `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` environment variables. Alternatively, use a `certbot-dns-*` plugin if one exists for your provider.
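The random-looking string certbot asks you to publish is not arbitrary: under ACME it is derived from the challenge token and your account key, which is why the CA can check it and why a record published by anyone else does not satisfy your challenge. The following Python is an added example for this walkthrough, not certbot's own code: it derives the dns-01 TXT value as RFC 8555 defines it, parses `dig +short` output, and reports which of several pending values at the same name are still missing, the situation in the two-record step above. The RSA key is the example public key from RFC 7638 section 3.1; the tokens and the dig output are constructed.

```python
"""ACME dns-01 helpers: what the TXT value is, and checking it is visible.

Added example for this walkthrough; it is not certbot code. The RSA public key
below is the example key from RFC 7638 section 3.1; the challenge tokens and
the dig output are constructed for illustration.
"""
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an account public key: SHA-256 over the
    required public members only, serialised as JSON with members in
    lexicographic order and no whitespace. Optional members such as
    "kid" or "alg" are deliberately excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The string certbot asks you to publish at _acme-challenge.<domain>:
    base64url(SHA-256(token + "." + thumbprint)). The CA recomputes it from
    the token it issued and the account key that signed the request, so a
    record published by someone else cannot satisfy your challenge."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def parse_dig_short_txt(output: str) -> list[str]:
    """Parse the output of `dig +short TXT <name>`: one RR per line, each a
    sequence of quoted <character-string>s that are concatenated into the
    record's value. ACME values contain no quotes or backslashes, so
    escape sequences inside the strings are not interpreted here."""
    records = []
    for line in output.splitlines():
        chunks = re.findall(r'"([^"]*)"', line)
        if chunks:
            records.append("".join(chunks))
    return records


def missing_challenges(expected: set[str], dig_output: str) -> set[str]:
    """Values certbot asked for that are not yet visible in DNS. An empty
    result means every pending challenge at this name is satisfied; stale
    extra records do not hurt validation and are not reported."""
    return expected - set(parse_dig_short_txt(dig_output))


# Example RSA public key from RFC 7638 section 3.1 (its thumbprint is printed there).
RFC7638_RSA_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
}

# Constructed tokens standing in for the two authorizations (*.example.com
# and example.com) that share the _acme-challenge.example.com name.
WILDCARD_TOKEN = "tokenA-constructed-for-the-wildcard-name-000000"
APEX_TOKEN = "tokenB-constructed-for-the-apex-name-00000000"


def demo() -> set[str]:
    """Derive both TXT values, then check a constructed dig answer in which
    only the wildcard's record has been published so far."""
    expected = {
        dns01_txt_value(WILDCARD_TOKEN, RFC7638_RSA_JWK),
        dns01_txt_value(APEX_TOKEN, RFC7638_RSA_JWK),
    }
    published = dns01_txt_value(WILDCARD_TOKEN, RFC7638_RSA_JWK)
    dig_output = f'"{published}"\n'  # constructed `dig +short` output, one RR
    return missing_challenges(expected, dig_output)


if __name__ == "__main__":
    still_missing = demo()
    print("challenges not yet visible:", still_missing or "none")
```

The same `missing_challenges` check is what a `--manual-auth-hook` should loop on, querying the zone's authoritative servers, before it returns, so that certbot only asks the CA to validate once the records are actually visible.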

Configuring HTTPS

If you use nginx, the configuration is simple. Note that `ssl on;` is deprecated: put `ssl` on the `listen` directive instead, restrict the protocols to TLS 1.2 and 1.3, and pass the original host and scheme to the upstream so it can build correct links:

# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

# Terminate TLS on 443 and proxy requests to the application on port 3000
server {
    listen 443 ssl;          # replaces the deprecated "ssl on;"
    server_name example.com;

    # Certificate chain and private key written by certbot
    # (the live/ paths follow renewals, so no edit is needed later)
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;   # drop TLSv1.3 if your nginx/OpenSSL predate it

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

Check the syntax and reload with `nginx -t && nginx -s reload`. nginx reads the certificate files at startup, so it must be reloaded after every renewal as well; certbot's `--deploy-hook` option can run that reload for you.
