基于certbot的letsencrypt安装使用
起因
- 前面的文章讲过,运营商环节会在用户加载内容的时候,在流中进行注入frame ,强行展示广告。
- 如果你的server是给App提供web api的接口,由于苹果ATS的执行,你不得不所有接口都升级成HTTPS。
免费ssl证书
首选当时letsencrypt了,官方网站是:https://letsencrypt.org. 网上大把文章,但按照本人一贯的习惯还是去官网,避免被过时的信息误导,反而浪费更多的时间。
官方推荐的是cetrbot:https://certbot.eff.org/
根据本人的系统,实际的文档路径:https://certbot.eff.org/#centosrhel7-nginx
letsencrypt
安装
首先需要安装certbot:
默认centos7是不支持certot,你需要先安装EPEL:https://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F
实际的安装包为:https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
下载后安装rpm。然后执行:
sudo yum install certbot
一路‘y’,安装完成:
Installed:
certbot.noarch 0:0.9.3-1.el7
Dependency Installed:
dialog.x86_64 0:1.2-4.20130523.el7 pyOpenSSL.x86_64 0:0.13.1-3.el7 python-cffi.x86_64 0:1.6.0-5.el7
python-chardet.noarch 0:2.2.1-1.el7_1 python-enum34.noarch 0:1.0.4-1.el7 python-idna.noarch 0:2.0-1.el7
python-ipaddress.noarch 0:1.0.16-2.el7 python-ndg_httpsclient.noarch 0:0.3.2-1.el7 python-parsedatetime.noarch 0:1.5-3.el7
python-ply.noarch 0:3.4-10.el7 python-psutil.x86_64 0:2.2.1-1.el7 python-pycparser.noarch 0:2.14-1.el7
python-requests.noarch 0:2.6.0-1.el7_1 python-six.noarch 0:1.9.0-2.el7 python-urllib3.noarch 0:1.10.2-2.el7_1
python-zope-component.noarch 1:4.1.0-1.el7 python-zope-event.noarch 0:4.0.3-2.el7 python-zope-interface.x86_64 0:4.0.5-4.el7
python2-acme.noarch 0:0.9.3-1.el7 python2-certbot.noarch 0:0.9.3-1.el7 python2-configargparse.noarch 0:0.11.0-1.el7
python2-cryptography.x86_64 0:1.3.1-3.el7 python2-dialog.noarch 0:3.3.0-6.el7 python2-mock.noarch 0:1.0.1-9.el7
python2-pyasn1.noarch 0:0.1.9-7.el7 python2-pyrfc3339.noarch 0:1.0-2.el7 pytz.noarch 0:2012d-5.el7
Complete!
开始
在已经有webserver运行的情况下,certbot推荐我们使用“webroot”插件。可以实现在不暂停web服务的情况下更新证书。
webroot:不需要停机你的web服务
certbot certonly --webroot -w AAA -d BBB
BBB是你要支持的域名,AAA是BBB当前已经可以访问的目录。
standalone:需要停机你当前服务器的80端口的服务
certbot certonly --standalone -d xxx.com
以上每一条命令生成一个对立的目录,如果是多个域名就是合在一起的一个文件。如果要每个域名都生成独立的目录和文件,就要执行多次。
成功后:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xxx/fullchain.pem. Your cert
will expire on 2017-03-18. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
手动在nginx的conf中配置相关的路径就可以了:
ssl_certificate /etc/letsencrypt/live/xxx/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxx/privkey.pem;
续期
certbot renew
撤销
证书没有过期的话,我们可以撤销:
[root@rxblog certbot-0.22.2]# ./certbot revoke --cert-path /etc/letsencrypt/archive/xxx.com/cert1.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Would you like to delete the cert(s) you just revoked?
-------------------------------------------------------------------------------
(Y)es (recommended)/(N)o: Y
-------------------------------------------------------------------------------
Deleted all files relating to certificate iwwenbo.com.
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Congratulations! You have successfully revoked the certificate that was located
at /etc/letsencrypt/archive/iwwenbo.com/cert1.pem
-------------------------------------------------------------------------------
删除
如果证书已经过期了,我们只能删除了
certbot delete --cert-name example.com
OK,暂时告一段落。