Let’s Encrypt 介绍
Let’s Encrypt 是一个免费、开放,自动化的证书颁发机构,由 ISRG(Internet Security Research Group)运作。
Let’s Encrypt 安装
git
git clone https://github.com/certbot/certbot.git
cd letsencrypt
./letsencrypt-auto --help
ubuntu apt
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbo
Let’s Encrypt 验证方式
Let’s Encrypt 使用两种方式对申请的域名进行验证:
1、 手动验证:按照提示在申请证书的服务器上使用一个指定的URL提供一个指定的文件内容来进行验证,进行手动验证的服务器IP地址会被 Let’s Encrypt 服务端记录在案。
2、 自动验证:在目标服务器 (指域名解析对应的IP地址的服务器,下同)上运行客户端,并启动一个 80 或 443 端口进行自动验证。包括独立模式和其他web sever验证模式,在 Plugins 中详细解释。
Let’s Encrypt Plugins
challenges
--preferred-challenges #使用这个命令
| Plugin | Auth | Inst | Notes | Challenge types (and port) |
|---|---|---|---|---|
| apache | Y | Y | Automates obtaining and installing a certificate with Apache 2.4 on Debian-based distributions with libaugeas0 1.0+. |
tls-sni-01 (443) |
| webroot | Y | N | Obtains a certificate by writing to the webroot directory of an already running webserver. | http-01 (80) |
| nginx | Y | Y | Automates obtaining and installing a certificate with Nginx. Shipped with Certbot 0.9.0. | tls-sni-01 (443) |
| standalone | Y | N | Uses a “standalone” webserver to obtain a certificate. Requires port 80 or 443 to be available. This is useful on systems with no webserver, or when direct integration with the local webserver is not supported or not desire |
http-01 (80) or tls-sni-01 (443) |
| manual | Y | N | Helps you obtain a certificate by giving you instructions to perform domain validation yourself. Additionally allows you to specify scripts to automate the validation task in a customized way. |
http-01 (80), dns-01 (53) or tls-sni-01 (443) |
相关文档
dns
dns 验证目前比较麻烦,官网目前有插件了,不过是dev版的,下个版本估计就可以用了
插件目录:
- certbot-compatibility-test
- certbot-dns-cloudflare
- certbot-dns-cloudxns
- certbot-dns-digitalocean
- certbot-dns-dnsimple
- certbot-dns-dnsmadeeasy
- certbot-dns-google
- certbot-dns-luadns
- certbot-dns-nsone
- certbot-dns-rfc2136
- certbot-dns-route53
目前的办法
#1 install required applications
apt-get install -y git ruby letsencrypt
git clone https://github.com/lukas2511/dehydrated.git
git clone https://github.com/jbjonesjr/letsencrypt-manual-hook.git dehydrated/hooks/manual
#2 generate certificate with manual DNS challenge confirmation for www.example.com (replace with your domain):
./dehydrated/dehydrated -c -t dns-01 -d www.example.com -k ./dehydrated/hooks /manual/manual_hook.rb
Manual
当你在非目标服务器上申请证书,或希望进行手动验证时,可以使用manual插件,运行命令:
suo certbot certonly -d subdomain.domain.org --manual
会得到提示:
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
(Y)es/(N)o: Y
- 选择
Yes继续后,便会提示创建一个指定内容的URL用来验证对域名及服务器的所有权,注意这个URL仍然需要部署在目标服务器上:
Make sure your web server displays the following content at
http://subdomain.domain.org/.well-known/acme-challenge/somelargetext before continuing:
somelargetext.blahblahblah
If you don't have HTTP server configured, you can run the following
command on the target server (as root):
mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
cd /tmp/certbot/public_html
printf "%s" somelargetext.blahblahblah > .well-known/acme-challenge/somelargetext
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/subdomain.domain.org/fullchain.pem. Your cert
will expire on 2017-06-08. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
machine:scripts $ sudo ls -ltr /etc/letsencrypt/live/subdomain.domain.org
total 40
lrwxr-xr-x 1 root wheel 47 Mar 10 12:19 privkey.pem -> ../../archive/subdomain.domain.org/privkey1.pem
lrwxr-xr-x 1 root wheel 49 Mar 10 12:19 fullchain.pem -> ../../archive/subdomain.domain.org/fullchain1.pem
lrwxr-xr-x 1 root wheel 45 Mar 10 12:19 chain.pem -> ../../archive/subdomain.domain.org/chain1.pem
lrwxr-xr-x 1 root wheel 44 Mar 10 12:19 cert.pem -> ../../archive/subdomain.domain.org/cert1.pem
Standalone
使用独立模式进行自动验证,需要在目标服务器上运行 Let’s Encrypt 客户端,并指定 certonly 和 –standalone参数。本模式需要绑定 80 或 443 端口进行域名验证,
所以如果服务器上已有web server运行并侦听这2个端口,则需要先关闭web server。
sudo certbot certonly --standalone -d subdomain.domain.org
--preferred-challenges http to use port 80
--preferred-challenges tls-sni to use port 443
Webroot
如果目标服务器已有web server运行,并且不能够关闭服务来获取和安装证书,可以使用 Webroot plugin。在运行 Let’s Encrypt 客户端时指定 certonly 和 –webroot 参数,
并使用 –webroot-path 或 -w 参数来指定 webroot 目录,比如 –webroot-path /usr/share/nginx/html。
Apache
Apache plugin可以用来为Apache 2.4服务器自动获取和安装证书,需要运行在基于 Debian 的操作系统上,并且要求1.0+以上版本的 libaugeas0。如需要运行 Apache plugin, 在运行客户端时指定 –apache 参数。
Nginx
Nginx plugin用于为Nginx服务器自动获取和安装证书,仍然处在实验阶段,并且 letsencrypt-auto 没有安装这个 plugin,如需使用,
运行 pip install letsencrypt-nginx进行安装后,通过 –nginx 参数调用 plugin。
证书位置
所有版本已申请的证书放在/etc/letsencrypt/archive下,/etc/letsencrypt/live是指向最新版本的符号链接。web server中关于证书的配置建议指向live目录下的文件,
以免证书更新后还需要更改配置。
每个域名一个目录,主要包含以下几个文件:
- cert.pem 申请的服务器证书文件
- privkey.pem 服务器证书对应的私钥
- chain.pem 除服务器证书外,浏览器解析所需的其他全部证书,比如根证书和中间证书
- fullchain.pem 包含服务器证书的全部证书链文件
证书更新
Let’s Encrypt颁发的服务器证书有效期为90天,官方表示此为出于安全原因,降低错发证书,证书泄漏的危害。通过自动续期来解决有效期短的问题,官方建议每2个月更新证书。
如果到期没有更新证书,CA会向申请证书时提交的邮件地址发送提醒email。
自动续期可以使用crontab实现。注意更新证书后重启web server !
申请频率限制
- 注册IP限制:每IP每3个小时不超过10次
- 域名数量限制:每个域名(包含子域名)每7天不超过5个
