利用certbot
工具配置Let’s encrypt通配符证书,所域名下所有的子域名都能方便的使用 https
证书,而且完全免费。值得关注的是,Let’s encrypt通配符证书只是针对二级域名,并不能针对主域名,如*.hubinqiang.com
和hubinqiang.com
被认为是两个域名,如果和我一样使用的是主域名,在申请的时候需要注意都要申请。
配置环境
操作系统:CentOS7
配置域名:hubinqiang.com,*.hubinqiang.com
步骤
1. 获取Certbot
代码语言:javascript复制# 下载
wget https://dl.eff.org/certbot-auto
# 设为可执行权限
chmod u x certbot-auto
复制代码
2. 申请证书
执行
代码语言:javascript复制./certbot-auto certonly -d "*.9wuquan.com" -d "9wuquan.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
./certbot-auto certonly -d "*.lww123.com" -d "lww123.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
复制代码
参数说明:
-certonly
,表示安装模式,Certbot 有安装模式和验证模式两种类型的插件。-manual
,表示手动安装插件,Certbot 有很多插件,不同的插件都可以申请证书,用户可以根据需要自行选择。-d
,为哪些主机申请证书,如果是通配符,输入 *.hubinqiang.com(替换为自己的域名)。-preferred-challenges
,使用 DNS 方式校验域名所有权。-server
,Let’s Encrypt ACME v2 版本使用的服务器不同于 v1 版本,需要显示指定。
注意
:将hubinqiang.com替换为自己的域名。可以通过多个-d
参数添加多个主机。
申请过程中需要如下确认:
代码语言:javascript复制Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): hubinqiang@126.com
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for hubinqiang.com
dns-01 challenge for hubinqiang.com
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
-------------------------------------------------------------------------------
复制代码
在域名 DNS 解析中添加 TXT记录:
代码语言:javascript复制-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.hubinqiang.com with the following value:
kC-QHSWO1LdIeyIs7VQ66sTAyioISnfzIJU0bXgo-Z8
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.hubinqiang.com with the following value:
6XnGyee8W48QfRl61m_18aRs8rfvn4T8kKzQil0IYw4
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
复制代码
显示我两个主机的 TXT 记录有两条,根据要求分别在 DNS 解析中添加两条 TXT 记录,其中一条如下:_acme-challenge
注意
:若申请了多个主机,需要添加多个 TXT 记录。要求给 _acme-challenge.hubinqiang.com
配置 TXT 记录,在没有确认 TXT 记录生效之前不要回车执行。
确认生效后会有如下提示:
代码语言:javascript复制IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hubinqiang.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hubinqiang.com/privkey.pem
Your cert will expire on 2018-08-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
复制代码
进入/etc/letsencrypt/live/hubinqiang.com/
中可以看到几个文件,cert.pem
、chain.pem
、fullchain.pem
、privkey.pem
,说明已经成功获取证书和密钥。
3. 配置证书
在 nginx 中配置的片段:
代码语言:javascript复制server {
server_name hubinqiang.com;
listen 443 http2 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/hubinqiang.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hubinqiang.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/hubinqiang.com/chain.pem;
复制代码
重启 nginx 查看效果。
- 证书更新
Let’s encrypt 的免费证书默认有效期为 90 天,到期后如果要续期可以执行:
1. 获取Certbot 2. 申请证书
重新这2步就可以了证书更新
或者更新全部证书:
./certbot-auto
CentOS7Apache下上安装Let's Encrypt
一、升级系统
- # yum -y update
四、Apache下配置Let's Encrypt
执行下条命令
- # ./certbot-auto --apache
根据提示操作
Which names would you like to activate HTTPS for?
1: www.9wuquan.cn
2: www.lww123.cn
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
输入1
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
输入2
五、打开防火墙iptables的443端口
六、编辑ssl.conf
vi /etc/httpd/conf.d/ssl.conf
代码语言:javascript复制<VirtualHost *:80>
DocumentRoot /var/www/jqbs
ServerName 9wuquan.cn
ServerAlias *.9wuquan.cn
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/jqbs
ServerName 9wuquan.cn
ServerAlias *.9wuquan.cn
SSLEngine on
SSLProtocol TLSv1 TLSv1.1 TLSv1.2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
<Directory />
Options FollowSymLinks ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
SSLCertificateFile /etc/letsencrypt/live/9wuquan.cn/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/9wuquan.cn/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/9wuquan.cn/chain.pem
</VirtualHost>
复制代码
/etc/httpd/conf/httpd.conf配置文件的修改主要有以下几项:
(2.安装apache的mod_ssl.so模块yum -y install mod_ssl)
代码语言:javascript复制LoadModule ssl_module modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
复制代码
重启Apache
systemctl restart httpd
七、这个时候网站HTTPS已经能够访问了,试一下
最后,通过.htaccess进行301转向
代码语言:javascript复制<IfModule mod_rewrite.c>
Options FollowSymlinks -Multiviews
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [L,R=302]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?/$1 [QSA,PT,L]
</IfModule>
# 图片和Flash内容缓存一个月
<FilesMatch ".(flv|gif|jpg|jpeg|png|ico|swf)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch>
<FilesMatch ".(ttf)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
复制代码
- 八、大功告成证书更新
Let’s encrypt 的免费证书默认有效期为 90 天,到期后如果要续期可以执行:
更新全部证书:
./certbot-auto
怎么把申请到的证书导入到IIS中
由于我们申请的证书为pem格式,而IIS只支持pfx格式证书 所以我们要把输的人pem文件合并为pfx证书 这样我们就要用到openssl命令了
openssl pkcs12 -export -out 51tcsd.pfx -inkey privkey.pem -in fullchain.pem -certfile cert.pem
我们用此命令把pem文件合并为51tcsd.pfx文件,提示中要输入证书的密码,按提示输入即可 显示输出如下
我们可以看到,当前目录下成功生成了51tcsd.pfx文件 接下来我们就要把51tcsd.pfx文件导入到Windows系统 我们知道Ubuntu对于Windows来说只是一个应用, 所以Ubuntu里所有的文件,我们都可以通过Windows资源管理里看到, 我发现我的Ubuntu目录挂载在我的Windows目录的此位置 C:UsersAdministratorAppDataLocalPackagesCanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgscLocalStaterootfs
我们进到C:UsersAdministratorAppDataLocalPackagesCanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgscLocalStaterootfsetcletsencryptlive51tcsd.com-0001 就可以看到我们的pfx文件了
( 1 ) 证书导入
• 开始 -〉运行 -〉MMC;
• 启动控制台程序,选择菜单“文件”中的”添加/删除管理单元”-> “添加”,从“可用的独立管理单元”列表中选择“证书”-> 选择“计算机帐户”;
• 在控制台的左侧显示证书树形列表,选择“个人”->“证书”,右键单击,选择“所有任务”-〉”导入”, 根据”证书导入向导”的提示,导入PFX文件(此过程当中有一步非常重要: “根据证书内容自动选择存储区”)。安装过程当中需要输入密码为您当时设置的密码。导入成功后,可以看到证书信息。
( 2 ) 分配服务器证书
• 打开 IIS8.0 管理器面板,找到待部署证书的站点,点击“绑定”。
• 设置参数选择“绑定”->“添加”->“类型选择 https” ->“端口 443” ->“ssl 证书【导入的证书名称】” ->“确定”。
SSL 缺省端口为 443 端口(请不要随便修改。 如果您使用其他端口如:8443,则访问时必须输入:www.domain.com:8443)。。/)
接下来。我们右键证书点安装pfx
输入刚刚openssl合并的时候输入的密码
点完成后。就会显示导入成功了 接下来。我们打开IIS管理器。看到服务器证书里面,就能发现我们申请的通配符证书了
接下来,我们给一个站点绑定随便一个二级域名,比如:a.51tcsd.com 首先把hosts文件把a.51tcsd.com解析到我本机127.0.0.1
然后在IIS里选择站点”Default Web Site"选择右边的“绑定”
输入相关信息,并选择证书
然后我们在浏览器里访问a.51tcsd.com/ 是不是看到惊喜了
HTTP 转HTTPS
HTTP和HTTPS交叉使用属于跨域的范畴,直接转接解决跨域问题的方法:
可以在相应的页面的里加上这句代码,意思是自动将http的不安全请求升级为https
IIS http转HTTPS
在web.cofg文件内加加入
<system.webServer>
</system.webServer>