tech:ssl_letsencrypt [2021/06/23 22:29] – [Procedure: Requesting a Let's Encrypt Certificate and Configuring the Web Server] jonathan | tech:ssl_letsencrypt [2022/02/04 22:36] – jonathan |
---|
| |
===== Procedure: Requesting a Let's Encrypt Certificate and Configuring the Web Server ===== | ===== Procedure: Requesting a Let's Encrypt Certificate and Configuring the Web Server ===== |
{{tabinclude>tech:ssl_letsencrypt:ubuntu20_04, tech:ssl_letsencrypt:centos8, tech:ssl_letsencrypt:centos7}} | {{tabinclude>tech:ssl_letsencrypt:ubuntu20_04, tech:ssl_letsencrypt:alpine3_15, tech:ssl_letsencrypt:centos8, tech:ssl_letsencrypt:centos7}} |
| |
* This process checks for and installs the required python packages and reads the web server's configuration to find the site's hostnames; if Virtual Hosts serve several hostnames, you can also choose to issue a multi-domain certificate((a single certificate file that covers several hostnames)) | * This process checks for and installs the required python packages and reads the web server's configuration to find the site's hostnames; if Virtual Hosts serve several hostnames, you can also choose to issue a multi-domain certificate((a single certificate file that covers several hostnames)) |
* Because some sites are internal and cannot be validated from outside over the Web for automatic renewal, validation has to be done by creating a DNS TXT record on the fly; to automate that, the DNS provider must offer an API for integration | * Because some sites are internal and cannot be validated from outside over the Web for automatic renewal, validation has to be done by creating a DNS TXT record on the fly; to automate that, the DNS provider must offer an API for integration |
{{tabinclude>tech:ssl_letsencrypt:cf_ubuntu20_04, tech:ssl_letsencrypt:cf_centos8, tech:ssl_letsencrypt:cf_centos7, tech:ssl_letsencrypt:cf_centos6}} | {{tabinclude>tech:ssl_letsencrypt:cf_ubuntu20_04, tech:ssl_letsencrypt:cf_centos8, tech:ssl_letsencrypt:cf_centos7, tech:ssl_letsencrypt:cf_centos6}} |
| |
==== CentOS 8 ==== | |
* Install the DNS CloudFlare plugin<cli> | |
dnf install python3-certbot-dns-cloudflare | |
</cli> | |
* Create /root/lets-encrypt/cloudflare.ini <cli> | |
mkdir -p /root/lets-encrypt/ | |
vi /root/lets-encrypt/cloudflare.ini | |
</cli>Example:<file> | |
# Cloudflare API credentials used by Certbot | |
dns_cloudflare_email = [email protected] | |
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567 | |
</file> | |
* Restrict the file's permissions <cli> | |
chmod 600 /root/lets-encrypt/cloudflare.ini | |
</cli> | |
* Request a new certificate, e.g. for example.com <code sh> | |
/usr/bin/certbot certonly \ | |
--dns-cloudflare \ | |
--dns-cloudflare-credentials /root/lets-encrypt/cloudflare.ini \ | |
--dns-cloudflare-propagation-seconds 10 \ | |
-d example.com | |
</code> | |
* Renew the certificates periodically, e.g. for example.com <cli> | |
/usr/bin/certbot renew \ | |
--dns-cloudflare \ | |
--dns-cloudflare-credentials /root/lets-encrypt/cloudflare.ini \ | |
--dns-cloudflare-propagation-seconds 10 | |
</cli> | |
* Set up a daily automatic renewal check | |
- Create /root/lets-encrypt/renewcert.sh <cli> | |
vi /root/lets-encrypt/renewcert.sh</cli><file> | |
#!/bin/sh | |
/usr/bin/certbot renew \ | |
--dns-cloudflare \ | |
--dns-cloudflare-credentials /root/lets-encrypt/cloudflare.ini \ | |
--dns-cloudflare-propagation-seconds 10 | |
</file><cli> | |
chmod a+x /root/lets-encrypt/renewcert.sh | |
</cli> | |
- Edit /etc/crontab<cli> | |
vi /etc/crontab</cli><file> | |
: | |
# let's encrypt | |
35 2 * * * root /root/lets-encrypt/renewcert.sh > /tmp/renewcert.log | |
</file><cli> | |
systemctl restart crond | |
</cli> | |
| |
==== CentOS 7 ==== | |
* Install the DNS CloudFlare plugin<code sh> | |
yum install python2-certbot-dns-cloudflare | |
</code> | |
* Create /root/lets-encrypt/cloudflare.ini <code sh>mkdir -p /root/lets-encrypt/</code>Example:<file> | |
# Cloudflare API credentials used by Certbot | |
dns_cloudflare_email = [email protected] | |
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567 | |
</file> | |
* Restrict the file's permissions <code sh> | |
chmod 600 /root/lets-encrypt/cloudflare.ini | |
</code> | |
* Request a new certificate, e.g. for example.com <code sh> | |
/usr/bin/certbot certonly \ | |
--dns-cloudflare \ | |
--dns-cloudflare-credentials /root/lets-encrypt/cloudflare.ini \ | |
--dns-cloudflare-propagation-seconds 10 \ | |
-d example.com | |
</code> | |
* Renew the certificates periodically, e.g. for example.com <code sh> | |
/usr/bin/certbot renew \ | |
--dns-cloudflare \ | |
--dns-cloudflare-credentials /root/lets-encrypt/cloudflare.ini \ | |
--dns-cloudflare-propagation-seconds 10 | |
</code> | |
* Set up a daily automatic renewal check | |
- Create /root/lets-encrypt/renewcert.sh <code sh> | |
vi /root/lets-encrypt/renewcert.sh</code><file> | |
#!/bin/sh | |
/usr/bin/certbot renew \ | |
--dns-cloudflare \ | |
--dns-cloudflare-credentials /root/lets-encrypt/cloudflare.ini \ | |
--dns-cloudflare-propagation-seconds 10 | |
</file><code sh> | |
chmod a+x /root/lets-encrypt/renewcert.sh | |
</code> | |
- Edit /etc/crontab<code sh> | |
vi /etc/crontab</code><file> | |
: | |
# let's encrypt | |
35 2 * * * root /root/lets-encrypt/renewcert.sh > /tmp/renewcert.log | |
</file><code sh> | |
systemctl restart crond | |
</code> | |
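A hardened version of the renewcert.sh used in the CentOS 8 and CentOS 7 procedures above, added here as an example and not part of the original page or of the certbot project: it refuses to run when cloudflare.ini is not mode 600 and owned by the invoking user, logs a warning when the file holds a Global API Key (which grants full account access, whereas a scoped API token can be limited to DNS edits on one zone), and appends timestamped output to a log under /root/lets-encrypt rather than /tmp. The paths and the LOG_FILE and CERTBOT variables are assumed defaults that can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not code from the original wiki page: a renewcert.sh that
# checks the Cloudflare credential file before calling "certbot renew".
# Assumes GNU coreutils (stat -c) as on CentOS/Ubuntu; paths and the CERTBOT
# variable are illustrative defaults that can be overridden from the environment.
CRED_FILE="${CRED_FILE:-/root/lets-encrypt/cloudflare.ini}"
LOG_FILE="${LOG_FILE:-/root/lets-encrypt/renewcert.log}"
CERTBOT="${CERTBOT:-/usr/bin/certbot}"

# 0 if the file is a regular file, mode 600 and owned by the user running this
# job (root under cron). Anyone who can read it can rewrite every DNS record
# the credential covers, so it must not be group- or world-readable.
cred_file_secure() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    owner=$(stat -c '%U' "$f" 2>/dev/null) || return 1
    [ "$mode" = "600" ] && [ "$owner" = "$(id -un)" ]
}

# 0 if the file holds a Global API Key (dns_cloudflare_api_key), which grants
# full account access; newer releases of the plugin also accept a scoped
# dns_cloudflare_api_token limited to DNS edits on the zone in question.
cred_uses_global_key() {
    grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$1"
}

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOG_FILE"; }

# Run the renewal with the same flags the page uses, but refuse to start when
# the credential file is exposed, and keep the log out of world-writable /tmp.
run_renew() {
    if ! cred_file_secure "$CRED_FILE"; then
        log "refusing to run: $CRED_FILE missing or not mode 600 owned by $(id -un)"
        return 2
    fi
    if cred_uses_global_key "$CRED_FILE"; then
        log "warning: $CRED_FILE holds a Global API Key; a scoped API token is safer"
    fi
    "$CERTBOT" renew \
        --dns-cloudflare \
        --dns-cloudflare-credentials "$CRED_FILE" \
        --dns-cloudflare-propagation-seconds 10 >>"$LOG_FILE" 2>&1
    rc=$?
    log "certbot renew exited with status $rc"
    return "$rc"
}

# Run only when invoked as the cron script, not when sourced for testing.
case "$0" in */renewcert.sh|renewcert.sh) run_renew ;; esac
```

Installed as /root/lets-encrypt/renewcert.sh it drops into the same crontab line the page uses; a non-zero exit status of 2 in the log means the credential file check failed and certbot was never started.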
| |
==== CentOS 6 ==== | |
- Create /root/lets-encrypt/authenticator.sh<code sh> | |
cd /root/lets-encrypt/ | |
wget https://svn.ichiayi.com/opensvn/opentrysoft/certbot/authenticator.sh | |
chmod a+x authenticator.sh | |
</code> | |
- Create /root/lets-encrypt/cleanup.sh<code sh> | |
cd /root/lets-encrypt/ | |
wget https://svn.ichiayi.com/opensvn/opentrysoft/certbot/cleanup.sh | |
chmod a+x cleanup.sh</code> | |
- Obtain the CloudFlare Zone ID and Global API Key and update the contents of authenticator.sh and cleanup.sh accordingly<file> | |
: | |
API_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | |
EMAIL="[email protected]" | |
ZONE_ID="xxxxxxxxxxxxxxx" | |
: | |
</file>++View the CloudFlare screens for obtaining the Zone ID / Global API Key| {{:tech:2019031501.png}} \\ {{:tech:2019031502.png}} \\ {{:tech:2019031503.png}} \\ {{:tech:2019031504.png}} \\ {{:tech:2019031505.png}}++ | |
- Run the command that obtains the SSL certificate, e.g. for erp.ichiayi.com <code sh> | |
/root/lets-encrypt/certbot-auto certonly --manual --preferred-challenges=dns --manual-auth-hook /root/lets-encrypt/authenticator.sh --manual-cleanup-hook /root/lets-encrypt/cleanup.sh -d erp.ichiayi.com | |
</code> | |
* Set up automatic renewal before the certificate expires | |
- Create /root/lets-encrypt/renewcert.sh, e.g. for erp.ichiayi.com <code sh> | |
vi /root/lets-encrypt/renewcert.sh</code><file> | |
#!/bin/sh | |
/root/lets-encrypt/certbot-auto renew --preferred-challenges=dns --manual-auth-hook /root/lets-encrypt/authenticator.sh --manual-cleanup-hook /root/lets-encrypt/cleanup.sh --agree-tos | |
</file> | |
- Make the script executable<code sh> | |
chmod a+x /root/lets-encrypt/renewcert.sh | |
</code> | |
- Schedule the automatic check to run once a day at 4:30<code sh> | |
vi /etc/crontab | |
</code><file> | |
: | |
# erp.ichiayi.com SSL cert auto renew | |
30 4 * * * root /root/lets-encrypt/renewcert.sh > /tmp/certrenew.log | |
</file><code sh> | |
service crond restart | |
</code> | |
| |
===== References ===== | ===== References ===== |
* https://certbot.eff.org/lets-encrypt/centos6-apache | * https://certbot.eff.org/lets-encrypt/centos6-apache |
* https://certbot.eff.org/lets-encrypt/centosrhel7-other | * https://certbot.eff.org/lets-encrypt/centosrhel7-other |
| * https://gitpress.io/@chchang/ubuntu-letsencrypt-cloudflare-wildcard |
| * https://blog.anzupop.com/posts/acquire-lets-encrypt-certs-using-dns-cloudflare-plugin/ |
* https://serverfault.com/questions/744960/configuring-ssl-with-virtual-hosts-under-apache-and-centos | * https://serverfault.com/questions/744960/configuring-ssl-with-virtual-hosts-under-apache-and-centos |
* https://sslmate.com/caa/ | * https://sslmate.com/caa/ |