Installing and using Let's Encrypt with certbot

Background

  • As discussed in an earlier post, the ISP layer injects frames into the stream while users are loading content, forcing ads onto the page.
  • If your server provides web API endpoints for an app, Apple's ATS enforcement means every endpoint has to be upgraded to HTTPS.

Free SSL certificates

The first choice is of course Let's Encrypt; the official site is https://letsencrypt.org. There are plenty of articles online, but as usual I prefer to go to the official site, to avoid being misled by outdated information and wasting even more time.
The officially recommended client is certbot: https://certbot.eff.org/
For my system, the actual documentation page is: https://certbot.eff.org/#centosrhel7-nginx

letsencrypt

Installation

First, certbot has to be installed:
CentOS 7 does not ship certbot by default, so you need to install EPEL first: https://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F
The actual package is: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Download and install the rpm, then run:

sudo yum install certbot

Answer 'y' all the way through; when the installation finishes:

Installed:
  certbot.noarch 0:0.9.3-1.el7

Dependency Installed:
  dialog.x86_64 0:1.2-4.20130523.el7                 pyOpenSSL.x86_64 0:0.13.1-3.el7                     python-cffi.x86_64 0:1.6.0-5.el7
  python-chardet.noarch 0:2.2.1-1.el7_1              python-enum34.noarch 0:1.0.4-1.el7                  python-idna.noarch 0:2.0-1.el7
  python-ipaddress.noarch 0:1.0.16-2.el7             python-ndg_httpsclient.noarch 0:0.3.2-1.el7         python-parsedatetime.noarch 0:1.5-3.el7
  python-ply.noarch 0:3.4-10.el7                     python-psutil.x86_64 0:2.2.1-1.el7                  python-pycparser.noarch 0:2.14-1.el7
  python-requests.noarch 0:2.6.0-1.el7_1             python-six.noarch 0:1.9.0-2.el7                     python-urllib3.noarch 0:1.10.2-2.el7_1
  python-zope-component.noarch 1:4.1.0-1.el7         python-zope-event.noarch 0:4.0.3-2.el7              python-zope-interface.x86_64 0:4.0.5-4.el7
  python2-acme.noarch 0:0.9.3-1.el7                  python2-certbot.noarch 0:0.9.3-1.el7                python2-configargparse.noarch 0:0.11.0-1.el7
  python2-cryptography.x86_64 0:1.3.1-3.el7          python2-dialog.noarch 0:3.3.0-6.el7                 python2-mock.noarch 0:1.0.1-9.el7
  python2-pyasn1.noarch 0:0.1.9-7.el7                python2-pyrfc3339.noarch 0:1.0-2.el7                pytz.noarch 0:2012d-5.el7

Complete!

Getting started

When a web server is already running, certbot recommends the "webroot" plugin, which lets you obtain and renew certificates without pausing the web service.

webroot: no need to stop your web service

certbot certonly --webroot -w AAA -d BBB

BBB is the domain you want the certificate for, and AAA is the directory that is currently served for BBB (its web root).

standalone: requires stopping whatever service is currently listening on port 80 on the server

certbot certonly --standalone  -d xxx.com

Each of the commands above generates one separate directory; if several domains are passed in one command, they are combined into a single certificate file. To get a separate directory and file for each domain, run the command once per domain.

On success:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xxx/fullchain.pem. Your cert
   will expire on 2017-03-18. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then just configure the relevant paths manually in the nginx conf:

ssl_certificate /etc/letsencrypt/live/xxx/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxx/privkey.pem;
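The webroot issuance and the nginx wiring above, as one added example script (not code from the original post or from certbot). The most common way a webroot run fails is that the web server does not actually serve /.well-known/acme-challenge/ on port 80, so the script first drops a probe file there and fetches it before calling certbot. The domain, webroot, /etc/nginx/conf.d path and the file name issue-cert.sh are assumptions; the certbot command itself is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post): issue a Let's Encrypt certificate
# with the certbot "webroot" plugin for one domain, after checking that the ACME
# challenge directory is really served, then point nginx at certbot's live/ files.
# Domain, webroot and the nginx conf.d path are assumptions for illustration.
set -eu

# Create $webroot/.well-known/acme-challenge and put a probe file in it, so we
# can tell whether the web server serves that path before certbot tries.
# Prints the probe file path.
prepare_challenge_dir() {
    webroot=$1
    token=${2:-probe-$$}
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    chmod 755 "$webroot/.well-known" "$dir"   # Let's Encrypt fetches anonymously
    printf 'ok\n' > "$dir/$token"
    chmod 644 "$dir/$token"
    printf '%s\n' "$dir/$token"
}

# Fetch the probe over plain HTTP on port 80, which is where HTTP-01
# validation arrives. Fails (and aborts, because of set -e) if it is not served.
probe_over_http() {
    domain=$1
    token=$2
    command -v curl >/dev/null || { echo "curl not found, skipping HTTP probe" >&2; return 0; }
    curl -fsS "http://$domain/.well-known/acme-challenge/$token" >/dev/null
}

# Render an nginx server block using the live/ symlinks (not archive/), so a
# renewed certificate is picked up on the next reload without editing config.
render_nginx_ssl_block() {
    domain=$1
    webroot=$2
    cat <<EOF
server {
    listen 443 ssl;
    server_name $domain;
    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    root $webroot;
}
server {
    listen 80;
    server_name $domain;
    # keep the challenge path reachable on port 80 so renewals keep working
    location /.well-known/acme-challenge/ { root $webroot; }
    location / { return 301 https://\$host\$request_uri; }
}
EOF
}

issue_certificate() {
    domain=$1
    webroot=$2
    probe=$(prepare_challenge_dir "$webroot")
    probe_over_http "$domain" "$(basename "$probe")"
    rm -f "$probe"
    # certonly: obtain the certificate only, do not touch the nginx config
    certbot certonly --webroot -w "$webroot" -d "$domain"
}

main() {
    domain=${1:?usage: issue-cert.sh DOMAIN WEBROOT}
    webroot=${2:?usage: issue-cert.sh DOMAIN WEBROOT}
    issue_certificate "$domain" "$webroot"
    render_nginx_ssl_block "$domain" "$webroot" > "/etc/nginx/conf.d/$domain-ssl.conf"
    nginx -t && systemctl reload nginx   # validate the config before reloading
}

# Run main only when invoked as issue-cert.sh, so the functions can be sourced.
case "${0##*/}" in
    issue-cert.sh) main "$@" ;;
esac
```

Save it as issue-cert.sh and run `sh issue-cert.sh example.com /var/www/example`. The probe is removed again after the check, so nothing is left behind in the web root.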

Renewal

certbot renew
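Because the certificate issued above expires after roughly three months, `certbot renew` is only useful if it runs unattended and nginx actually reloads afterwards. The added script below (not from the original post or from certbot) does a dry run first, renews with a deploy hook that reloads nginx, and reports how many days each certificate under /etc/letsencrypt/live has left so a silently failing renewal is noticed. The cron schedule, the 20-day warning threshold and the file name check-renewal.sh are assumptions; `--deploy-hook` exists in the certbot 0.22.x used later in this post (older releases used `--renew-hook`), and the date arithmetic relies on GNU date.

```shell
#!/bin/sh
# Added example (not from the original post): make "certbot renew" safe to
# automate and detect when renewal has stopped working. Let's Encrypt
# certificates are valid for 90 days and certbot renews them when fewer than
# 30 days remain, so a daily or twice-daily job is plenty. Paths and the
# warning threshold are assumptions; adjust for your system.
set -eu

DAY=86400   # seconds per day

# Days until expiry, given the value of the "notAfter=" line printed by
# `openssl x509 -enddate -noout -in CERT`, e.g. "Mar 18 23:59:59 2017 GMT".
# Negative means already expired. Requires GNU date (-d).
days_left_from_date() {
    expiry=$(date -d "$1" +%s)
    now=$(date +%s)
    echo $(( (expiry - now) / DAY ))
}

# Same, reading the expiry out of a PEM certificate file.
days_left() {
    end=$(openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//')
    days_left_from_date "$end"
}

# certbot renews below 30 days; if a cert is still under this threshold right
# after a renew run, the renewal itself is failing (assumed threshold).
RENEW_WARN_DAYS=20
needs_attention() {
    [ "$1" -lt "$RENEW_WARN_DAYS" ]
}

# Dry run: exercises the challenge against the staging environment without
# issuing or saving anything, so a broken webroot is caught early.
renew_check() {
    certbot renew --dry-run
}

# Real renewal. --deploy-hook only fires when a certificate was actually
# renewed, which is exactly when nginx must reload the files under live/.
renew_and_reload() {
    certbot renew --quiet --deploy-hook "systemctl reload nginx"
}

# Cron entry (for /etc/cron.d, hence the user field). Twice a day at an
# off-the-hour minute spreads load instead of everyone renewing at 00:00.
cron_line() {
    printf '%s\n' "17 3,15 * * * root certbot renew --quiet --deploy-hook 'systemctl reload nginx'"
}

# Print days left for every live certificate; warn on the ones that should
# already have been renewed.
report() {
    for cert in /etc/letsencrypt/live/*/fullchain.pem; do
        [ -f "$cert" ] || continue
        d=$(days_left "$cert")
        if needs_attention "$d"; then
            echo "WARNING: $cert expires in $d days, renewal is not working" >&2
        else
            echo "$cert: $d days left"
        fi
    done
}

# Run the full sequence only when invoked as check-renewal.sh.
case "${0##*/}" in
    check-renewal.sh) renew_check; renew_and_reload; report ;;
esac
```

Run it once by hand as `sh check-renewal.sh` after the first issuance; if the dry run passes, install the output of `cron_line` into /etc/cron.d and the report will flag any certificate that the scheduled job stops renewing.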

Revocation

If the certificate has not expired yet, we can revoke it:

[root@rxblog certbot-0.22.2]# ./certbot revoke --cert-path /etc/letsencrypt/archive/xxx.com/cert1.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Would you like to delete the cert(s) you just revoked?
-------------------------------------------------------------------------------
(Y)es (recommended)/(N)o: Y

-------------------------------------------------------------------------------
Deleted all files relating to certificate iwwenbo.com.
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Congratulations! You have successfully revoked the certificate that was located
at /etc/letsencrypt/archive/iwwenbo.com/cert1.pem

-------------------------------------------------------------------------------

Deletion

If the certificate has already expired, all we can do is delete it:

certbot delete --cert-name example.com

OK, that's it for now.