Differences

This shows the differences between the two versions of the page.


tech:ssl_letsencrypt [2019/03/25 10:17]
jonathan_tsai [Automatically renewing SSL certificates via CloudFlare DNS for sites without external web access]
tech:ssl_letsencrypt [2020/12/06 12:45] (current version)
jonathan [CentOS 8]
Line 1: Line 1:
 +====== 申請設定 Let's Encrypt 免費 SSL 憑證(CentOS + Apache/Nginx) ======
  
 +因為 [[https://www.ithome.com.tw/news/122830|Google Chrome 自 2018/05/01]] 對於沒有合法的 SSL 網站憑證, 就會出現警告, 所以就出現要買 SSL 網站憑證的議題, 針對個人網站或是非正式的公司網站, 採用 [[https://letsencrypt.org/|Let's Encrypt 免費網站 SSL 憑證]]似乎是個不錯的選擇.
 +
 +===== 申請 Let's Encrypt 與設定 Web Server 程序 =====
 +  * 下載 Let's Encrypt certbot 工具
 +    * CentOS 8<cli>
 +dnf install certbot
 +</cli>
 +    * CentOS 7<code sh>
 +yum install certbot
 +</code>
 +
 +  * 執行 certbot 工具
 +    * 使用 Apache 環境執行語法 
 +      * CentOS 7<code sh>
 +yum install python-certbot-apache
 +certbot --apache 
 +</code>
 +    * 使用 Nginx 環境執行語法 
 +      * CentOS 8<cli>
 +dnf install python3-certbot-nginx
 +</cli>
 +      * CentOS 7<code sh>
 +yum install python-certbot-nginx
 +certbot --nginx
 +</code>
 +    * 這過程會檢查與安裝 python packages 並讀取 web server 的設定, 查看目前的網站網址, 如果有設定 Virtual Host 多網址, 也可以選擇產生多網域的憑證((只產生一個憑證檔案, 但該憑證檔案內有包含多個網址))
 +    * 原則上只要最後詢問 Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. 是否要讓瀏覽 http 網址自動轉至 https 的問題後, 出現以下的訊息, 就表示已自動將 web server 的設定都改好<file>
 +:
 +Congratulations! You have successfully enabled https://www.ichiayi.com
 +
 +You should test your configuration at:
 +https://www.ssllabs.com/ssltest/analyze.html?d=www.ichiayi.com
 +:
 +</file>
 +<note>
 +  * 如果只要產生網站憑證檔案, 可以再 certbot 後面加上 certonly 的參數 Exp.<code sh>
 +certbot-auto --nginx certonly
 +</code>
 +  * 這樣執行後, 會在 /etc/letsencrypt/live 目錄內, 產生該網域的憑證相關檔案目錄
 +</note>
 +
 +===== 透過 ssllabs 來檢測是否正常 =====
 +  * https://www.ssllabs.com/ssltest/analyze.html?d=[網址]
 +  * 測試結果如下圖所示 \\ {{:tech:2018051801.png}}
 +  * 其中檢測 CAA Record 這一項需要在 DNS 設定, 如果想完整設定可使用以下網站協助產生設定資料 \\ https://sslmate.com/caa/ \\ 當 DNS 完成設定後, 可以使用以下網站功能檢測 \\ https://caatest.co.uk/
 +
 +
 +===== apache 相關設定 =====
 +  * 必須要將 /etc/httpd/conf.d/ssl.conf 內的 "SSL Virtual Host Context" 底下預設 VirtualHost 整個拿掉才能正常運作<file>
 +:
 +##
 +## SSL Virtual Host Context
 +##
 +
 +#<VirtualHost _default_:443>
 +#:
 +#:
 +#</VirtualHost>
 +</file>
 +  * certbot-auto 會自動產生 /etc/httpd/conf/httpd-le-ssl.conf 定義 VirtualHost
 +<note>
 +  * 如果之後增加 VirtualHost 透過 <code sh>certbot-auto --apache certonly</code> 產生憑證後, 需要到 /etc/httpd/conf/httpd-le-ssl.conf 手動加上定義 
 +  * 如果想要讓連上 http: 自動轉 https: 則在 /etc/httpd/conf/httpd.conf 內定義, ++點這裡看範例|<file>
 +:
 +:
 +<VirtualHost *:80>
 +ServerName www.ichiayi.com
 +ServerAdmin [email protected]
 +DocumentRoot /var/www/www.ichiayi.com_html
 +CustomLog logs/www.ichiayi.com-access_log common
 +ErrorLog logs/www.ichiayi.com-error_log
 +Redirect permanent / https://www.ichiayi.com/
 +</VirtualHost>
 +:
 +</file>++
 +</note>
 +
 +===== nginx 相關設定 =====
 +  * 原則上會由 certbot-auto 自動完成修改, 但如果出現問題需要手動處理可以檢查 nginx 內的網站設定檔目錄 /etc/nginx/conf.d
 +  * Exp. www.ichiayi.com 的設定檔路徑 : ++/etc/nginx/conf.d/www_ichiayi.conf |<file>
 +server {
 +        server_name     www.ichiayi.com;
 +
 +        access_log /var/log/nginx/www.ichiayi.com.access.log main;
 +        error_log /var/log/nginx/www.ichiayi.com.error.log;
 +
 +        location / {
 +       :
 +       :
 +        }
 +
 +    listen 443 ssl; # managed by Certbot
 +    ssl_certificate /etc/letsencrypt/live/www.ichiayi.com/fullchain.pem; # managed by Certbot
 +    ssl_certificate_key /etc/letsencrypt/live/www.ichiayi.com/privkey.pem; # managed by Certbot
 +    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
 +    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 +
 +}
 +
 +server {
 +    if ($host = www.ichiayi.com) {
 +        return 301 https://$host$request_uri;
 +    } # managed by Certbot
 +
 +
 +        listen  80;
 +        server_name     www.ichiayi.com;
 +    return 404; # managed by Certbot
 +
 +
 +}
 +</file>++
 +
 +
 +===== 設定自動更新憑證 =====
 +  * 因為免費憑證只有 3 個月的有效期, 所以自動檢查與更新是很重要
 +  * certbot 就具有自動更新的功能, 可設定每天檢查三次(00:00 08:00 16:00), 執行時先隨機取 3600 中的一個秒數等待, 避免造成同時間大家一起連上 Let's Encrypt 主機, 方式如下
 +    * CentOS 7<code sh>
 +vi /etc/crontab</code><file>
 +:
 +# let's encrypt
 +0 */8 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew > /tmp/cert-bot_renew.log
 +</file><code sh>
 +service crond restart
 +</code>
 +  * 之後就可以在 /tmp/cert-bot_renew.log 看到檢查更新的紀錄
 +
 +===== 手動申請 *.ichiayi.com 的 SSL 網域憑證方式 =====
 +  - 執行以下的語法 <code sh>
 +/root/lets-encrypt/certbot-auto -d ichiayi.com -d *.ichiayi.com --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory
 +</code>
 +  - 當出現以下第二次的 **Before continuing, verify the record is deployed.** 必須去設定 ichiayi.com 的 DNS<file>
 +Please deploy a DNS TXT record under the name
 +_acme-challenge.ichiayi.com with the following value:
 +
 +0sGmQQTfit9lW3okOa4jaYmefNQS4FsF6zZgEtyppKw
 +
 +Before continuing, verify the record is deployed.
 +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +Press Enter to Continue
 +
 +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 +Please deploy a DNS TXT record under the name
 +_acme-challenge.ichiayi.com with the following value:
 +
 +fEsd-DYrN-AB_XVWb-Aa9Yx9OxCofBlFkxNmt7RWiCk
 +
 +Before continuing, verify the record is deployed.
 +</file>
 +  - 將前面兩次出現的 hash 值正確設定到 ichiayi.com 的 DNS TXT Record 內, Exp. <file>
 +:
 +;
 +$TTL 86400      ; 1 day -- ; 3 hours
 +$ORIGIN ichiayi.com.
 +@               IN SOA  ns1 server (
 +                                2018123100 ; serial
 +                                28800       ; refresh (2 hours)
 +                                14400        ; retry (15 minutes)
 +                                720000     ; expire (1 week)
 +                                86400      ; minimum (12 hours)
 +                                )
 +                        NS      ns4.everplast.net.
 +                        NS      ns7.ichiayi.com.
 +;
 +; lets-encrypt SSL Cert
 +_acme-challenge IN TXT  "0sGmQQTfit9lW3okOa4jaYmefNQS4FsF6zZgEtyppKw"
 +_acme-challenge IN TXT  "fEsd-DYrN-AB_XVWb-Aa9Yx9OxCofBlFkxNmt7RWiCk"
 +;
 +:
 +</file>
 +  - 重新啟動 DNS 讓這兩個 TXT 生效, 可透過 nslookup 指定詢問 server 8.8.8.8 來確認 <file>
 +C:\Users\jonathan>nslookup
 +預設伺服器:  UnKnown
 +Address:  192.168.1.5
 +> server 8.8.8.8
 +預設伺服器:  google-public-dns-a.google.com
 +Address:  8.8.8.8
 +> _acme-challenge.ichiayi.com
 +伺服器:  google-public-dns-a.google.com
 +Address:  8.8.8.8
 +名稱:    _acme-challenge.ichiayi.com
 +> set type=txt
 +> _acme-challenge.ichiayi.com
 +伺服器:  google-public-dns-a.google.com
 +Address:  8.8.8.8
 +未經授權的回答:
 +_acme-challenge.ichiayi.com  text =
 +        "fEsd-DYrN-AB_XVWb-Aa9Yx9OxCofBlFkxNmt7RWiCk"
 +_acme-challenge.ichiayi.com  text =
 +        "0sGmQQTfit9lW3okOa4jaYmefNQS4FsF6zZgEtyppKw"
 +</file> 
 +  - 確認可以正確查詢到這兩個新增的 TXT Record 後才可執行下一步, 當出現以下訊息就表示正確產生<file>
 +:
 +Waiting for verification...
 +Cleaning up challenges
 +
 +IMPORTANT NOTES:
 + - Congratulations! Your certificate and chain have been saved at:
 +   /etc/letsencrypt/live/ichiayi.com/fullchain.pem
 +   Your key file has been saved at:
 +   /etc/letsencrypt/live/ichiayi.com/privkey.pem
 +   Your cert will expire on 2019-03-31. To obtain a new or tweaked
 +   version of this certificate in the future, simply run certbot-auto
 +   again. To non-interactively renew *all* of your certificates, run
 +   "certbot-auto renew"
 + - Your account credentials have been saved in your Certbot
 +   configuration directory at /etc/letsencrypt. You should make a
 +   secure backup of this folder now. This configuration directory will
 +   also contain certificates and private keys obtained by Certbot so
 +   making regular backups of this folder is ideal.
 + - If you like Certbot, please consider supporting our work by:
 +
 +   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 +   Donating to EFF:                    https://eff.org/donate-le
 +</file>
 +
 +===== 相關重點檔案 =====
 +  * /root/lets-encrypt/certbot-auto (下載時指定位置)
 +  * /etc/letsencrypt/ 存放執行 certbot-auto 自動申請 SSL 相關憑證與檔案
 +  * /var/log/letsencrypt/ 存放執行 certbot-auto 的紀錄檔案
 +
 +===== 透過 CloudFlare DNS 自動更新無 Web 對外網站 SSL 憑證 =====
 +  * 因為部份網站是內部網站, 並無法對外透過 Web 方式認證自動更新憑證, 所以需要透過 DNS 即時建立 TXT Record 來認證, 如要自動認證, 就需要透過 DNS 提供整合 API 才能達成
 +
 +==== CentOS 8 ====
 +  * 安裝 DNS CloudFlare Plugin<cli>
 +dnf install python3-certbot-dns-cloudflare
 +</cli>
 +  * 建立 /root/lets-encrypt/cloudflare.ini <cli>
 +mkdir -p /root/lets-encrypt/
 +vi /root/lets-encrypt/cloudflare.ini
 +</cli>Exp:<file>
 +# Cloudflare API credentials used by Certbot
 +dns_cloudflare_email = [email protected]
 +dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
 +</file>
 +  * 設定保護權限 <cli>
 +chmod 600 /root/lets-encrypt/cloudflare.ini
 +</cli>
 +  * 進行申請新憑證 Exp. example.com <code sh>
 +/usr/bin/certbot certonly \
 +  --dns-cloudflare \
 +  --dns-cloudflare-credentials /root/lets-encrypt/cloudflare.ini \
 +  --dns-cloudflare-propagation-seconds 10 \
 +  -d example.com
 +</code>
 +  * 進行定期更新憑證 Exp. example.com <cli>
 +/usr/bin/certbot renew \
 +  --dns-cloudflare \
 +  --dns-cloudflare-credentials /root/lets-encrypt/cloudflare.ini \
 +  --dns-cloudflare-propagation-seconds 10
 +</cli>
 +  * 設定每天自動檢查更新 
 +    - 建立 /root/lets-encrypt/renewcert.sh <cli>
 +vi /root/lets-encrypt/renewcert.sh</cli><file>
 +/usr/bin/certbot renew \
 +  --dns-cloudflare \
 +  --dns-cloudflare-credentials /root/lets-encrypt/cloudflare.ini \
 +  --dns-cloudflare-propagation-seconds 10
 +</file><cli>
 +chmod a+x /root/lets-encrypt/renewcert.sh
 +</cli>
 +    - 設定 /etc/crontab<cli>
 +vi /etc/crontab</cli><file>
 +:
 +# let's encrypt
 +35 2 * * * root /root/lets-encrypt/renewcert.sh > /tmp/renewcert.log
 +</file><cli>
 +systemctl restart crond
 +</cli>
 +
 +==== CentOS 7 ====
 +  * 安裝 DNS CloudFlare Plugin<code sh>
 +yum install python2-certbot-dns-cloudflare
 +</code>
 +  * 建立 /root/lets-encrypt/cloudflare.ini <code sh>mkdir -p /root/lets-encrypt/</code>Exp:<file>
 +# Cloudflare API credentials used by Certbot
 +dns_cloudflare_email = [email protected]
 +dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
 +</file>
 +  * 設定保護權限 <code sh>
 +chmod 600 /root/lets-encrypt/cloudflare.ini
 +</code>
 +  * 進行申請新憑證 Exp. example.com <code sh>
 +/usr/bin/certbot certonly \
 +  --dns-cloudflare \
 +  --dns-cloudflare-credentials /root/lets-encrypt/cloudflare.ini \
 +  --dns-cloudflare-propagation-seconds 10 \
 +  -d example.com
 +</code>
 +  * 進行定期更新憑證 Exp. example.com <code sh>
 +/usr/bin/certbot renew \
 +  --dns-cloudflare \
 +  --dns-cloudflare-credentials /root/lets-encrypt/cloudflare.ini \
 +  --dns-cloudflare-propagation-seconds 10
 +</code>
 +  * 設定每天自動檢查更新 
 +    - 建立 /root/lets-encrypt/renewcert.sh <code sh>
 +vi /root/lets-encrypt/renewcert.sh</code><file>
 +/usr/bin/certbot renew \
 +  --dns-cloudflare \
 +  --dns-cloudflare-credentials /root/lets-encrypt/cloudflare.ini \
 +  --dns-cloudflare-propagation-seconds 10
 +</file><code sh>
 +chmod a+x /root/lets-encrypt/renewcert.sh
 +</code>
 +    - 設定 /etc/crontab<code sh>
 +vi /etc/crontab</code><file>
 +:
 +# let's encrypt
 +35 2 * * * root /root/lets-encrypt/renewcert.sh > /tmp/renewcert.log
 +</file><code sh>
 +systemctl restart crond
 +</code>
 +
 +==== CentOS 6 ====
 +  - 建立 /root/lets-encrypt/authenticator.sh<code sh>
 +cd /root/lets-encrypt/
 +wget https://svn.ichiayi.com/opensvn/opentrysoft/certbot/authenticator.sh
 +chmod a+x authenticator.sh
 +</code>
 +  - 建立 /root/lets-encrypt/cleanup.sh<code sh>
 +cd /root/lets-encrypt/
 +wget https://svn.ichiayi.com/opensvn/opentrysoft/certbot/cleanup.sh
 +chmod a+x cleanup.sh</code>
 +  - 取得 CloudFlare 的 Zone ID 與 Global API Key 更改 authenticator.sh 與 cleanup.sh 內容<file>
 +:
 +API_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 +EMAIL="[email protected]"
 +ZONE_ID="xxxxxxxxxxxxxxx"
 +:
 +</file>++看 CloudFlare 取得 Zone ID / Global API Key 畫面| {{:tech:2019031501.png}} \\ {{:tech:2019031502.png}} \\ {{:tech:2019031503.png}} \\ {{:tech:2019031504.png}} \\ {{:tech:2019031505.png}}++
 +  - 執行取得 SSL 憑證命令 Exp. erp.ichiayi.com <code sh>
 +/root/lets-encrypt/certbot-auto certonly --manual --preferred-challenges=dns --manual-auth-hook /root/lets-encrypt/authenticator.sh --manual-cleanup-hook /root/lets-encrypt/cleanup.sh -d erp.ichiayi.com
 +</code>
 +  * 設定憑證到期自動更新
 +    - 建立 /root/lets-encrypt/renewcert.sh Exp. erp.ichiayi.com <code sh>
 +vi /root/lets-encrypt/renewcert.sh</code><file>
 +/root/lets-encrypt/certbot-auto renew --preferred-challenges=dns --manual-auth-hook /root/lets-encrypt/authenticator.sh --manual-cleanup-hook /root/lets-encrypt/cleanup.sh --agree-tos
 +</file>
 +    - 設定執行權限<code sh>
 +chmod a+x /root/lets-encrypt/renewcert.sh
 +</code>
 +    - 設定每天 4:30 執行自動檢查一次<code sh>
 +vi /etc/crontab
 +</code><file>
 +:
 +# erp.ichiayi.com SSL cert auto renew
 +30 4 * * * root /root/lets-encrypt/renewcert.sh > /tmp/certrenew.log
 +</file><code sh>
 +service crond restart
 +</code>
 +
 +===== 參考網址 =====
 +  * https://certbot.eff.org/lets-encrypt/centos6-apache
 +  * https://certbot.eff.org/lets-encrypt/centosrhel7-other
 +  * https://serverfault.com/questions/744960/configuring-ssl-with-virtual-hosts-under-apache-and-centos
 +  * https://sslmate.com/caa/
 +  * https://blog.heckel.xyz/2018/08/05/issuing-lets-encrypt-certificates-for-65000-internal-servers/
 +  * https://community.letsencrypt.org/t/how-to-manually-renew-a-certificate/11263/3
 +  * https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks
 +  * https://dafzheng.wordpress.com/2018/03/08/%E5%9C%A8nginx%E4%B8%8A%E4%BD%BF%E7%94%A8lets-encrypt%E5%B0%87%E7%B6%B2%E9%A0%81%E8%A8%AD%E6%88%90https/
 +
 +{{tag>SSL 免費憑證}}
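Review bot: the renewal commands in the CloudFlare DNS sections (the renewcert.sh body "/usr/bin/certbot renew --dns-cloudflare ... --dns-cloudflare-propagation-seconds 10" for CentOS 8 and 7, and the certbot-auto renew line with --manual-auth-hook/--manual-cleanup-hook for CentOS 6) obtain a fresh certificate through DNS validation only and never reload Apache or nginx, so the running web server keeps serving the old certificate until something else restarts it; add a deploy hook to each renew command (certbot's --deploy-hook, for example --deploy-hook "systemctl reload nginx", adjusted to the service in use) so the renewed files are picked up. Related: every cron entry redirects with "> /tmp/...log", which overwrites the previous run's output, leaves certbot's error messages on stderr uncaptured, and puts the record in a world-writable directory, so a failing renewal shows up as an empty or stale log; append to a file under /var/log with 2>&1, or point readers at /var/log/letsencrypt/ which the 相關重點檔案 list already names. The cloudflare.ini example holds the CloudFlare Global API Key, which controls the entire account rather than only the DNS of the one zone, so the chmod 600 step is mandatory rather than optional, and the same applies to API_KEY in authenticator.sh and cleanup.sh. Documentation nits: the installation steps install certbot from dnf/yum, but the certonly note, the Apache note and the wildcard section invoke certbot-auto, with the /root/lets-encrypt/certbot-auto path only explained near the end, so each section should state which binary it expects; and in the zone-file example the comments disagree with the values ("28800 ; refresh (2 hours)" is 8 hours, "14400 ; retry (15 minutes)" is 4 hours, 720000 is about 8.3 days rather than 1 week, 86400 is 1 day rather than 12 hours), and the serial must be incremented whenever the _acme-challenge TXT records are added or removed or the secondary will not pick them up.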