Obtaining a free HTTPS certificate from Let's Encrypt on Ubuntu

Preface

Your website will normally serve the web with Apache or Nginx, on any of a wide variety of operating systems. That does not matter much: barring surprises, all of these systems are supported by Let's Encrypt. This article uses Gemfield's personal site gemfield.org as the example. gemfield.org runs Ubuntu 16.04 and uses Nginx as its HTTP server.

gemfield@CivilNet:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
gemfield@CivilNet:~$

The problem

In the Nginx configuration file we can see:

gemfield@CivilNet:/etc/nginx/sites-enabled$ cat gemfield.org
......
server {
    listen 80;
    listen [::]:80;

    # SSL configuration
    listen 443 default ssl;
    listen [::]:443 default ssl;
    #ssl on;
    ssl_certificate /etc/ssl/certs/nginx-gemfield.org-self-signed.crt;
    ssl_certificate_key /etc/ssl/private/nginx-gemfield.org-self-signed.key;
    #

The problem is that the ssl_certificate here was issued by Gemfield to Gemfield, as the session below shows:

gemfield@CivilNet:~$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-gemfield.org-self-signed.key -out /etc/ssl/certs/nginx-gemfield.org-self-signed.crt
sudo: unable to resolve host CivilNet
Generating a 2048 bit RSA private key
............................................................................................+++
..........................+++
writing new private key to '/etc/ssl/private/nginx-gemfield.org-self-signed.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CivilNet
Organizational Unit Name (eg, section) []:Gemfield
Common Name (e.g. server FQDN or YOUR name) []:gemfield.org
Email Address []:gemfield@civilnet.cn
gemfield@CivilNet:~$

Where:

  • openssl is the tool for creating and managing OpenSSL certificates, keys and other files;
  • req: this subcommand says that we want to work with an X.509 certificate signing request (CSR). "X.509" is a public key infrastructure standard that both SSL and TLS use for key and certificate management. Here Gemfield is telling the openssl tool that what he wants is an X.509 certificate;
  • -x509: this option further tells the req subcommand that Gemfield wants to issue a certificate to himself (a self-signed certificate) rather than generate a CSR (certificate signing request);
  • -nodes: this option (read it as "no DES", not "node s") tells OpenSSL to skip the step of encrypting the private key with a passphrase, because the file will be used by Nginx and nobody should have to type a passphrase each time it starts;
  • -days 365: the certificate expires after 365 days;
  • -newkey rsa:2048: generate a new private key and a new certificate in one go, i.e. generate the private key first, then use it to sign the new certificate. The rsa:2048 part says the key is a 2048-bit RSA key;
  • -keyout: where to write the generated private key;
  • -out: where to write the generated certificate.

Browsers and operating systems naturally do not trust this gemfield.org certificate, so visiting gemfield.org shows the following warning:

The solution

To solve this, the gemfield.org certificate must be issued by one of the CAs built into the various operating systems and browsers. Such a service usually costs money, but free ones exist too, for example Let's Encrypt. Compared with the ordinary HTTPS TLS X.509 PKI model, the distinctive feature of Let's Encrypt is the ACME protocol, a fully automated server identity validation protocol; you will see later exactly where the automation happens. Certbot is used as the client for this protocol.

1. Download Certbot

Go to the Certbot site, pick your operating system and HTTP server, and it shows the matching install commands. For gemfield.org's Ubuntu 16.04 and Nginx they are:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

2. Run the certbot command

Certbot comes with an Nginx plugin (see the install steps above), so it not only obtains the certificate but also installs it into the system directory and then configures Nginx.

Note that the domain name you enter in this step is validated by Certbot: if you enter gemfield.org, Certbot checks whether the IP that gemfield.org resolves to is the IP of the machine on which you are running the certbot command, and that is how ownership of the name is verified.

gemfield@CivilNet:/etc/nginx/sites-enabled$ sudo certbot --nginx
sudo: unable to resolve host CivilNet
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): gemfield@civilnet.cn

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: civilnet.cn
2: gemfield.org
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for gemfield.org
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/gemfield.org for set(['civilnet.cn', 'gemfield.org'])

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://gemfield.org

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=gemfield.org
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/gemfield.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/gemfield.org/privkey.pem
   Your cert will expire on 2017-12-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

gemfield@CivilNet:/etc/nginx/sites-enabled$

Once this step succeeds, the certificate issued by Let's Encrypt has already been written into the Nginx configuration file automatically, as shown here:

gemfield@CivilNet:/etc/nginx/sites-enabled$ cat gemfield.org
......
server {
    listen 80;
    listen [::]:80;

    # listen 443 default ssl;
    listen [::]:443 default ssl;
    #ssl on;
    ssl_certificate /etc/letsencrypt/live/gemfield.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/gemfield.org/privkey.pem; # managed by Certbot

3. Verify at ssllabs.com

Visit: ssllabs.com/ssltest/ana

The scan takes about a minute; the resulting analysis is shown in the figure below:

4. Certificate renewal

Let's Encrypt certificates are valid for 90 days. That is shorter than an ordinary certificate, but it is reasonable (many domain registrations are now valid for less than a year too), and with the ACME protocol renewal can be automated anyway. You can renew the certificate automatically with the following command:

$ sudo certbot renew
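The following is an added example, not part of the original post: it generates a self-signed certificate with the same openssl flags the post uses (supplying the DN non-interactively via -subj), then inspects a certificate file the way you would inspect /etc/letsencrypt/live/gemfield.org/fullchain.pem to tell a self-signed certificate from a CA-issued one and to decide whether renewal is due. The 30-day threshold is certbot's default renewal window; the helper names are my own.

```shell
#!/bin/sh
# Added example; assumes openssl and a POSIX sh with GNU or BSD date.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/self-signed.key"
CRT="$WORK/self-signed.crt"

# Same flags as the post's command; -subj replaces the interactive DN prompts.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout "$KEY" -out "$CRT" \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=CivilNet/OU=Gemfield/CN=gemfield.org" \
  >/dev/null 2>&1

# Print the whole days remaining until the certificate's notAfter date.
cert_days_left() {
  end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
  # GNU date first, BSD date as fallback (format: "Dec 27 12:00:00 2017 GMT").
  end_epoch=$(date -u -d "$end" +%s 2>/dev/null \
    || date -u -j -f "%b %e %T %Y %Z" "$end" +%s)
  now_epoch=$(date -u +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Exit 0 if the certificate is self-signed (issuer DN equals subject DN),
# which is exactly why browsers refuse the certificate from the "problem" section.
cert_is_self_signed() {
  subj=$(openssl x509 -noout -subject -in "$1")
  iss=$(openssl x509 -noout -issuer -in "$1")
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Exit 0 if fewer than 30 days remain, the same window "certbot renew" uses.
renewal_due() {
  [ "$(cert_days_left "$1")" -lt 30 ]
}

# Stand-alone run: report on the constructed certificate.
echo "self-signed: $(cert_is_self_signed "$CRT" && echo yes || echo no)"
echo "days left:   $(cert_days_left "$CRT")"
```

Point cert_days_left and renewal_due at the live fullchain.pem from a cron job to alert when "certbot renew" has silently stopped working.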

Celebration

Visiting gemfield.org now shows no certificate warning at all, hahahahaha.
