2017-05-11 12:10  Using Let's Encrypt to install an SSL certificate on your Apache/Nginx web host - CentOS 6/7

Today, any site that does not use HTTPS is flagged as "Not secure" by Chrome. Besides encrypting data in transit, HTTPS also includes validation of the organization that owns the site. Ordinary SSL certificates are priced per site-year (how much one site pays to register a certificate for one year). There are also wildcard certificates that validate a single level of subdomain (for example, *.nctu.edu.tw covers every xxx.nctu.edu.tw site, but a second-level name such as aaa.xxx.nctu.edu.tw is billed separately). SSL certificates are not cheap, and they are billed every year, so ISRG funded Let's Encrypt, a CA for public use, so that everyone can use SSL certificates free of charge (Anyone who owns a domain name can use Let's Encrypt to obtain a trusted certificate at zero cost).

Official site: https://letsencrypt.org/
From the official description: Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public's benefit. It is a service provided by the Internet Security Research Group (ISRG). The objective of Let's Encrypt and the Automatic Certificate Management Environment (ACME) protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.

For details of the validation mechanism, see: https://letsencrypt.org/how-it-works/

Installation options
With shell access (you can log in to the system and run commands; this is the usual case, and the method this post covers)
CentOS 6 install / CentOS 7 install
In this situation you can use the Certbot ACME client to install the certificate and renew it automatically.

Without shell access (you cannot log in and run commands, e.g. on cPanel, Plesk or WordPress hosting)
Pick the method that fits your hosting; see: https://community.letsencrypt.org/t/web-hosting-who-support-lets-encrypt/6920

-----------------------------------------------------------------

This post covers installation on CentOS 6 and CentOS 7 using Certbot.

★★ Installing on CentOS 6 ★★
Step 1: download the installer script "certbot-auto"
$ wget https://dl.eff.org/certbot-auto

Step 2: make it executable
$ chmod a+x certbot-auto

Step 3: run the installer
$ sudo ./certbot-auto --apache

Extra packages may be installed:
gcc, libffi-devel, openssl-devel, python-devel, python-pip, python-tools, python-virtualenv, redhat-rpm-config, cloog-ppl, cpp, keyutils-libs-devel, krb5-devel, libcom_err-devel, libselinux-devel, libsepol-devel, mpfr, ppl, python-setuptools, tcl, tix, tk, tkinter, zlib-devel, ... The exact list depends on what is already present on each host.

Creating virtual environment...
Installing Python packages...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): xx@nctu.edu.tw

Please read the Terms of Service at
(A)gree/(C)ancel: a
Would you be willing to share your email address with the Electronic Frontier Foundation ....
(Y)es/(N)o: n

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): xxx.nctu.edu.tw

We were unable to find a vhost with a ServerName or Address of xxx.nctu.edu.tw.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: ssl.conf | | HTTPS | Enabled
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1

Deploying Certificate for xxx.nctu.edu.tw to VirtualHost /etc/httpd/conf.d/ssl.conf

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://xxx.nctu.edu.tw

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=xxx.nctu.edu.tw
-------------------------------------------------------------------------------

That's it: the Apache SSL certificate on CentOS 6 is installed.

A Let's Encrypt certificate is valid for 3 months at a time; use cron to renew it automatically.


Problem: if you use virtual hosts and serve several domains from the same machine, you get the following error:

Could not reverse map the HTTPS VirtualHost to the original

IMPORTANT NOTES:
- Unable to install the certificate....(略)

This is a known Certbot bug; ref: https://community.letsencrypt.org/t/certbot-on-apache-unable-to-parse-multiple-vhosts-in-one-file/33596/7
Unfortunately there is a significant bug in Certbot which makes it fail in this situation. Certbot is unable to understand Apache configuration files that define multiple virtual hosts in the same file. This bug is in the process of being fixed, and a subsequent version of Certbot will work correctly in this case. You can either wait for the fixed version or use the certbot certonly form which does not attempt to install the certificate for you. This would require you to edit your own Apache configuration files to refer to the certificates that have been obtained. For example, if you edit the file in (probably) /etc/apache2/sites-available that defines the skimecca.com virtual host, you can add directives to it that point at the certificate in /etc/letsencrypt/live that you got when you ran the command above.

Workaround:
Obtain the certificate with the certonly option, then install it into the virtual host by hand.


After installing Let's Encrypt, the system has the following new items:

1. Files installed under /etc/letsencrypt (host key, certificate request, certificate chain, host certificate)
2. /etc/httpd/conf.d/ssl.conf modified:
    SSLProtocol all -SSLv2
    SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
    SSLCertificateFile /etc/letsencrypt/live/xxx.nctu.edu.tw/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/xxx.nctu.edu.tw/privkey.pem
    ServerName xxx.nctu.edu.tw
    SSLCertificateChainFile /etc/letsencrypt/live/xxx.nctu.edu.tw/chain.pem
3. Apache restarted

-------------------------------------------------------------------------

★★ Installing on CentOS 7 ★★

On CentOS 7, Certbot is available directly as an EPEL package.

Step 1: install the prerequisites
$ sudo yum -y install yum-utils
Installs yum-utils, libxml2-python, python-chardet and python-kitchen.

The official docs list the step below, but in my case it failed, and it is not actually needed:
$ #sudo yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
$ sudo yum install python-certbot-apache
Installs python2-certbot-apache plus 27 Python and SSL-related packages.

Step 2: run the installer

$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):greenth@nthu.edu.tw
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:a
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel):xxx.nthu.edu.tw
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for xxx.nthu.edu.tw

We were unable to find a vhost with a ServerName or Address of xxx.nthu.edu.tw.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: ssl.conf | | HTTPS | Enabled
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel):1
Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Created redirect file: le-redirect-xxx.nthu.edu.tw.conf
Rollback checkpoint is empty (no changes made?)

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://xxx.nthu.edu.tw

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=xxx.nthu.edu.tw
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xxx.nthu.edu.tw/fullchain.pem. Your cert
will expire on 2017-08-09. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

If you have virtual hosts, obtain the certificate with:
$ certbot --apache certonly 
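The manual step that follows certonly (both for the CentOS 6 workaround above and for the command just shown) is left to the reader by the post. Below is an added example, not code from the original post or from Certbot, of a small shell script that emits the SSL directives for one name-based virtual host pointing at the files Certbot leaves under /etc/letsencrypt/live/<domain>/, checks that those three files exist, and runs apachectl configtest before a graceful reload so a typo cannot take the running server down. The domain, the DocumentRoot, the output path /etc/httpd/conf.d/<domain>-ssl.conf and the added -SSLv3 exclusion are assumptions; the cert.pem/privkey.pem/chain.pem directive layout is the one the post shows in ssl.conf, which works on both Apache 2.2 (CentOS 6) and 2.4 (CentOS 7).

```shell
#!/bin/sh
# Added example, not code from the original post or from Certbot.
# After `certbot certonly`, wire the files Certbot left under
# /etc/letsencrypt/live/<domain>/ into an Apache vhost by hand, then verify
# the configuration before reloading. Paths and the domain are placeholders.

LE_LIVE=${LE_LIVE:-/etc/letsencrypt/live}   # Certbot's live-certificate directory
CONF_DIR=${CONF_DIR:-/etc/httpd/conf.d}     # assumed: CentOS httpd drop-in directory

# Return 0 only if all three files `certbot certonly` produces are present.
cert_files_present() {
  d=$LE_LIVE/$1
  [ -f "$d/cert.pem" ] && [ -f "$d/privkey.pem" ] && [ -f "$d/chain.pem" ]
}

# Print the <VirtualHost> block for one domain. The three-file layout
# (cert + key + chain) matches what the post shows in ssl.conf and works on
# Apache 2.2 and 2.4. -SSLv3 is added on top of the post's -SSLv2 (assumed hardening).
vhost_ssl_conf() {
  domain=$1
  cat <<EOF
<VirtualHost *:443>
    ServerName $domain
    DocumentRoot /var/www/$domain
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile $LE_LIVE/$domain/cert.pem
    SSLCertificateKeyFile $LE_LIVE/$domain/privkey.pem
    SSLCertificateChainFile $LE_LIVE/$domain/chain.pem
</VirtualHost>
EOF
}

# Write the vhost file and test the config; only reload when the test passes.
install_vhost() {
  domain=$1
  if ! cert_files_present "$domain"; then
    echo "no certificate for $domain under $LE_LIVE; run certbot certonly first" >&2
    return 1
  fi
  vhost_ssl_conf "$domain" > "$CONF_DIR/$domain-ssl.conf" || return 1
  apachectl configtest && apachectl graceful
}

# Usage: sh install-le-vhost.sh --install xxx.nctu.edu.tw
if [ "${1:-}" = "--install" ] && [ -n "${2:-}" ]; then
  install_vhost "$2"
fi
```

Running it with --install and a domain writes one drop-in file per domain, which is exactly the situation (several vhosts on one host) where Certbot's own --apache installer fails; because each vhost gets its own file, Certbot's later renewals only need to refresh the files under /etc/letsencrypt/live, and the directives keep pointing at them.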

Step 3: certificate renewal
$ sudo certbot renew
Below is the message shown when no renewal is needed yet:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/xxx.nthu.edu.tw.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/xxx.nthu.edu.tw/fullchain.pem (skipped)
No renewals were attempted.


Use crontab to check periodically whether a renewal is needed; the official recommendation is to schedule the check twice a day:
"If you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason)."
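As an added example (not from the original post or from Certbot) of what that schedule looks like and of how Certbot decides a certificate is due: a pre-flight script that reads the notAfter line printed by openssl x509 -enddate, computes the days left in plain POSIX shell (so it behaves the same on CentOS 6 and 7 without relying on GNU date -d), and reports whether the certificate is inside Certbot's default renewal window of fewer than 30 days remaining. The certificate path, the crontab line and the 03:00/15:00 times are assumptions; the expiry date 2017-08-09 in the usage comment is the one from the Certbot output above.

```shell
#!/bin/sh
# Added example, not code from the original post or from Certbot.
# Computes the days left on a certificate from the notAfter line printed by
# `openssl x509 -noout -enddate` and reports whether it is inside Certbot's
# default renewal window (fewer than 30 days left). Pure POSIX shell, so it
# does not depend on GNU `date -d`.

# Days since 1970-01-01 for a civil date (Howard Hinnant's days_from_civil).
days_from_civil() {
  y=$1 m=$2 d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# Month abbreviation as printed by openssl -> month number; fails on anything else.
month_num() {
  case "$1" in
    Jan) echo 1;;  Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
    May) echo 5;;  Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
    Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *) return 1;;
  esac
}

# days_left "notAfter=Aug  9 12:00:00 2017 GMT" 2017-05-11  -> 90
# $1: the enddate line from openssl, $2: reference date YYYY-MM-DD (UTC).
days_left() {
  ref=$2
  end=${1#notAfter=}
  set -- $end                     # word-split into: Mon DD HH:MM:SS YYYY GMT
  mon=$(month_num "$1") || return 1
  day=${2#0}                      # strip a leading zero so it is not read as octal
  end_days=$(days_from_civil "$4" "$mon" "$day")
  ry=${ref%%-*}; rest=${ref#*-}; rmo=${rest%-*}; rd=${rest#*-}
  ref_days=$(days_from_civil "$ry" "${rmo#0}" "${rd#0}")
  echo $((end_days - ref_days))
}

# Exit 0 when fewer than $3 (default 30) days remain, i.e. renewal is due.
needs_renewal() {
  left=$(days_left "$1" "$2") || return 2
  [ "$left" -lt "${3:-30}" ]
}

# Cron usage (assumed schedule, twice daily as Let's Encrypt recommends; the
# post-hook reloads httpd only after a certificate was actually renewed):
#   0 3,15 * * * /usr/bin/certbot renew --quiet --post-hook "service httpd reload"
# The check below is a pre-flight that mirrors Certbot's own decision.
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
  cert=/etc/letsencrypt/live/$2/cert.pem          # $2 = domain, e.g. xxx.nthu.edu.tw
  enddate=$(openssl x509 -noout -enddate -in "$cert") || exit 1
  today=$(date -u +%Y-%m-%d)
  if needs_renewal "$enddate" "$today"; then
    echo "$2: $(days_left "$enddate" "$today") days left, renewal due"
  else
    echo "$2: $(days_left "$enddate" "$today") days left, not yet due"
  fi
fi
```

Run as sh check-le.sh --check xxx.nthu.edu.tw. On the post's own numbers, a certificate issued on 2017-05-11 that expires on 2017-08-09 has 90 days left, so certbot renew skips it (as the "Cert not yet due for renewal" output above shows) until it drops under 30 days, which is why running the job twice a day is cheap.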
