tech:ssl_letsencrypt [2019/04/19 18:55] – [Configure automatic certificate renewal] jonathan_tsai | tech:ssl_letsencrypt [2020/12/06 12:45] – [CentOS 8] jonathan
行 1: | 行 1: | ||
+ | ====== 申請設定 Let's Encrypt 免費 SSL 憑證(CentOS + Apache/ | ||
+ | 因為 [[https:// | ||
+ | |||
+ | ===== 申請 Let's Encrypt 與設定 Web Server 程序 ===== | ||
+ | * 下載 Let's Encrypt certbot 工具 | ||
+ | * CentOS 8< | ||
+ | dnf install certbot | ||
+ | </ | ||
+ | * CentOS 7<code sh> | ||
+ | yum install certbot | ||
+ | </ | ||
+ | |||
+ | * 執行 certbot 工具 | ||
+ | * 使用 Apache 環境執行語法 | ||
+ | * CentOS 7<code sh> | ||
+ | yum install python-certbot-apache | ||
+ | certbot --apache | ||
+ | </ | ||
+ | * 使用 Nginx 環境執行語法 | ||
+ | * CentOS 8< | ||
+ | dnf install python3-certbot-nginx | ||
+ | </ | ||
+ | * CentOS 7<code sh> | ||
+ | yum install python-certbot-nginx | ||
+ | certbot --nginx | ||
+ | </ | ||
+ | * 這過程會檢查與安裝 python packages 並讀取 web server 的設定, 查看目前的網站網址, | ||
+ | * 原則上只要最後詢問 Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. 是否要讓瀏覽 http 網址自動轉至 https 的問題後, | ||
+ | : | ||
+ | Congratulations! You have successfully enabled https:// | ||
+ | |||
+ | You should test your configuration at: | ||
+ | https:// | ||
+ | : | ||
+ | </ | ||
+ | < | ||
+ | * 如果只要產生網站憑證檔案, | ||
+ | certbot-auto --nginx certonly | ||
+ | </ | ||
+ | * 這樣執行後, | ||
+ | </ | ||
+ | |||
+ | ===== 透過 ssllabs 來檢測是否正常 ===== | ||
+ | * https:// | ||
+ | * 測試結果如下圖所示 \\ {{: | ||
+ | * 其中檢測 CAA Record 這一項需要在 DNS 設定, 如果想完整設定可使用以下網站協助產生設定資料 \\ https:// | ||
+ | |||
+ | |||
+ | ===== apache 相關設定 ===== | ||
+ | * 必須要將 / | ||
+ | : | ||
+ | ## | ||
+ | ## SSL Virtual Host Context | ||
+ | ## | ||
+ | |||
+ | #< | ||
+ | #: | ||
+ | #: | ||
+ | #</ | ||
+ | </ | ||
+ | * certbot-auto 會自動產生 / | ||
+ | < | ||
+ | * 如果之後增加 VirtualHost 透過 <code sh> | ||
+ | * 如果想要讓連上 http: 自動轉 https: 則在 / | ||
+ | : | ||
+ | : | ||
+ | < | ||
+ | ServerName www.ichiayi.com | ||
+ | ServerAdmin [email protected] | ||
+ | DocumentRoot / | ||
+ | CustomLog logs/ | ||
+ | ErrorLog logs/ | ||
+ | Redirect permanent / https:// | ||
+ | </ | ||
+ | : | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | ===== nginx 相關設定 ===== | ||
+ | * 原則上會由 certbot-auto 自動完成修改, | ||
+ | * Exp. www.ichiayi.com 的設定檔路徑 : ++/ | ||
+ | server { | ||
+ | server_name | ||
+ | |||
+ | access_log / | ||
+ | error_log / | ||
+ | |||
+ | location / { | ||
+ | : | ||
+ | : | ||
+ | } | ||
+ | |||
+ | listen 443 ssl; # managed by Certbot | ||
+ | ssl_certificate / | ||
+ | ssl_certificate_key / | ||
+ | include / | ||
+ | ssl_dhparam / | ||
+ | |||
+ | } | ||
+ | |||
+ | server { | ||
+ | if ($host = www.ichiayi.com) { | ||
+ | return 301 https:// | ||
+ | } # managed by Certbot | ||
+ | |||
+ | |||
+ | listen | ||
+ | server_name | ||
+ | return 404; # managed by Certbot | ||
+ | |||
+ | |||
+ | } | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== 設定自動更新憑證 ===== | ||
+ | * 因為免費憑證只有 3 個月的有效期, | ||
+ | * certbot 就具有自動更新的功能, | ||
+ | * CentOS 7<code sh> | ||
+ | vi / | ||
+ | : | ||
+ | # let's encrypt | ||
+ | 0 */8 * * * root python -c ' | ||
+ | </ | ||
+ | service crond restart | ||
+ | </ | ||
+ | * 之後就可以在 / | ||
+ | |||
+ | ===== 手動申請 *.ichiayi.com 的 SSL 網域憑證方式 ===== | ||
+ | - 執行以下的語法 <code sh> | ||
+ | / | ||
+ | </ | ||
+ | - 當出現以下第二次的 **Before continuing, verify the record is deployed.** 必須去設定 ichiayi.com 的 DNS< | ||
+ | Please deploy a DNS TXT record under the name | ||
+ | _acme-challenge.ichiayi.com with the following value: | ||
+ | |||
+ | 0sGmQQTfit9lW3okOa4jaYmefNQS4FsF6zZgEtyppKw | ||
+ | |||
+ | Before continuing, verify the record is deployed. | ||
+ | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
+ | Press Enter to Continue | ||
+ | |||
+ | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
+ | Please deploy a DNS TXT record under the name | ||
+ | _acme-challenge.ichiayi.com with the following value: | ||
+ | |||
+ | fEsd-DYrN-AB_XVWb-Aa9Yx9OxCofBlFkxNmt7RWiCk | ||
+ | |||
+ | Before continuing, verify the record is deployed. | ||
+ | </ | ||
+ | - 將前面兩次出現的 hash 值正確設定到 ichiayi.com 的 DNS TXT Record 內, Exp. < | ||
+ | : | ||
+ | ; | ||
+ | $TTL 86400 ; 1 day -- ; 3 hours | ||
+ | $ORIGIN ichiayi.com. | ||
+ | @ IN SOA ns1 server ( | ||
+ | 2018123100 ; serial | ||
+ | 28800 ; refresh (2 hours) | ||
+ | 14400 ; retry (15 minutes) | ||
+ | 720000 | ||
+ | 86400 ; minimum (12 hours) | ||
+ | ) | ||
+ | NS ns4.everplast.net. | ||
+ | NS ns7.ichiayi.com. | ||
+ | ; | ||
+ | ; lets-encrypt SSL Cert | ||
+ | _acme-challenge IN TXT " | ||
+ | _acme-challenge IN TXT " | ||
+ | ; | ||
+ | : | ||
+ | </ | ||
+ | - 重新啟動 DNS 讓這兩個 TXT 生效, 可透過 nslookup 指定詢問 server 8.8.8.8 來確認 < | ||
+ | C: | ||
+ | 預設伺服器: | ||
+ | Address: | ||
+ | > server 8.8.8.8 | ||
+ | 預設伺服器: | ||
+ | Address: | ||
+ | > _acme-challenge.ichiayi.com | ||
+ | 伺服器: | ||
+ | Address: | ||
+ | 名稱: | ||
+ | > set type=txt | ||
+ | > _acme-challenge.ichiayi.com | ||
+ | 伺服器: | ||
+ | Address: | ||
+ | 未經授權的回答: | ||
+ | _acme-challenge.ichiayi.com | ||
+ | " | ||
+ | _acme-challenge.ichiayi.com | ||
+ | " | ||
+ | </ | ||
+ | - 確認可以正確查詢到這兩個新增的 TXT Record 後才可執行下一步, | ||
+ | : | ||
+ | Waiting for verification... | ||
+ | Cleaning up challenges | ||
+ | |||
+ | IMPORTANT NOTES: | ||
+ | - Congratulations! Your certificate and chain have been saved at: | ||
+ | / | ||
+ | Your key file has been saved at: | ||
+ | / | ||
+ | Your cert will expire on 2019-03-31. To obtain a new or tweaked | ||
+ | | ||
+ | | ||
+ | " | ||
+ | - Your account credentials have been saved in your Certbot | ||
+ | | ||
+ | | ||
+ | also contain certificates and private keys obtained by Certbot so | ||
+ | | ||
+ | - If you like Certbot, please consider supporting our work by: | ||
+ | |||
+ | | ||
+ | | ||
+ | </ | ||
+ | |||
+ | ===== 相關重點檔案 ===== | ||
+ | * / | ||
+ | * / | ||
+ | * / | ||
+ | |||
+ | ===== 透過 CloudFlare DNS 自動更新無 Web 對外網站 SSL 憑證 ===== | ||
+ | * 因為部份網站是內部網站, | ||
+ | |||
+ | ==== CentOS 8 ==== | ||
+ | * 安裝 DNS CloudFlare Plugin< | ||
+ | dnf install python3-certbot-dns-cloudflare | ||
+ | </ | ||
+ | * 建立 / | ||
+ | mkdir -p / | ||
+ | vi / | ||
+ | </ | ||
+ | # Cloudflare API credentials used by Certbot | ||
+ | dns_cloudflare_email = [email protected] | ||
+ | dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567 | ||
+ | </ | ||
+ | * 設定保護權限 <cli> | ||
+ | chmod 600 / | ||
+ | </ | ||
+ | * 進行申請新憑證 Exp. example.com <code sh> | ||
+ | / | ||
+ | --dns-cloudflare \ | ||
+ | --dns-cloudflare-credentials / | ||
+ | --dns-cloudflare-propagation-seconds 10 \ | ||
+ | -d example.com | ||
+ | </ | ||
+ | * 進行定期更新憑證 Exp. example.com <cli> | ||
+ | / | ||
+ | --dns-cloudflare \ | ||
+ | --dns-cloudflare-credentials / | ||
+ | --dns-cloudflare-propagation-seconds 10 | ||
+ | </ | ||
+ | * 設定每天自動檢查更新 | ||
+ | - 建立 / | ||
+ | vi / | ||
+ | / | ||
+ | --dns-cloudflare \ | ||
+ | --dns-cloudflare-credentials / | ||
+ | --dns-cloudflare-propagation-seconds 10 | ||
+ | </ | ||
+ | chmod a+x / | ||
+ | </ | ||
+ | - 設定 / | ||
+ | vi / | ||
+ | : | ||
+ | # let's encrypt | ||
+ | 35 2 * * * root / | ||
+ | </ | ||
+ | systemctl restart crond | ||
+ | </ | ||
+ | |||
+ | ==== CentOS 7 ==== | ||
+ | * 安裝 DNS CloudFlare Plugin< | ||
+ | yum install python2-certbot-dns-cloudflare | ||
+ | </ | ||
+ | * 建立 / | ||
+ | # Cloudflare API credentials used by Certbot | ||
+ | dns_cloudflare_email = [email protected] | ||
+ | dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567 | ||
+ | </ | ||
+ | * 設定保護權限 <code sh> | ||
+ | chmod 600 / | ||
+ | </ | ||
+ | * 進行申請新憑證 Exp. example.com <code sh> | ||
+ | / | ||
+ | --dns-cloudflare \ | ||
+ | --dns-cloudflare-credentials / | ||
+ | --dns-cloudflare-propagation-seconds 10 \ | ||
+ | -d example.com | ||
+ | </ | ||
+ | * 進行定期更新憑證 Exp. example.com <code sh> | ||
+ | / | ||
+ | --dns-cloudflare \ | ||
+ | --dns-cloudflare-credentials / | ||
+ | --dns-cloudflare-propagation-seconds 10 | ||
+ | </ | ||
+ | * 設定每天自動檢查更新 | ||
+ | - 建立 / | ||
+ | vi / | ||
+ | / | ||
+ | --dns-cloudflare \ | ||
+ | --dns-cloudflare-credentials / | ||
+ | --dns-cloudflare-propagation-seconds 10 | ||
+ | </ | ||
+ | chmod a+x / | ||
+ | </ | ||
+ | - 設定 / | ||
+ | vi / | ||
+ | : | ||
+ | # let's encrypt | ||
+ | 35 2 * * * root / | ||
+ | </ | ||
+ | systemctl restart crond | ||
+ | </ | ||
+ | |||
+ | ==== CentOS 6 ==== | ||
+ | - 建立 / | ||
+ | cd / | ||
+ | wget https:// | ||
+ | chmod a+x authenticator.sh | ||
+ | </ | ||
+ | - 建立 / | ||
+ | cd / | ||
+ | wget https:// | ||
+ | chmod a+x cleanup.sh</ | ||
+ | - 取得 CloudFlare 的 Zone ID 與 Global API Key 更改 authenticator.sh 與 cleanup.sh 內容< | ||
+ | : | ||
+ | API_KEY=" | ||
+ | EMAIL=" | ||
+ | ZONE_ID=" | ||
+ | : | ||
+ | </ | ||
+ | - 執行取得 SSL 憑證命令 Exp. erp.ichiayi.com <code sh> | ||
+ | / | ||
+ | </ | ||
+ | * 設定憑證到期自動更新 | ||
+ | - 建立 / | ||
+ | vi / | ||
+ | / | ||
+ | </ | ||
+ | - 設定執行權限< | ||
+ | chmod a+x / | ||
+ | </ | ||
+ | - 設定每天 4:30 執行自動檢查一次< | ||
+ | vi / | ||
+ | </ | ||
+ | : | ||
+ | # erp.ichiayi.com SSL cert auto renew | ||
+ | 30 4 * * * root / | ||
+ | </ | ||
+ | service crond restart | ||
+ | </ | ||
+ | |||
+ | ===== 參考網址 ===== | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | {{tag> |
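Review bot: the CentOS 6 section embeds the CloudFlare API_KEY, EMAIL and ZONE_ID directly in authenticator.sh and cleanup.sh and only runs `chmod a+x` on them, whereas the CentOS 7 and CentOS 8 sections protect cloudflare.ini with `chmod 600`; the scripts should get the same treatment (root-owned, mode 700) so the Global API Key is not readable by every local account, and the same goes for the renew scripts that are made `chmod a+x` and executed as root from the cron entries. Because the Global API Key grants full control of the whole CloudFlare account, a token scoped to DNS edits on the single zone is the safer credential for certbot's dns-cloudflare plugin (newer plugin releases accept it via `dns_cloudflare_api_token` in place of `dns_cloudflare_email`/`dns_cloudflare_api_key`), which limits the damage if the file or the host is compromised. Finally, the hash values shown in the DNS TXT Record example and the nslookup transcript are one-time challenge tokens; copying them into a zone file is only meaningful during that one certbot run, and they should be removed from the zone afterwards so the `_acme-challenge` records do not accumulate stale entries.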