Network topology:
Public traffic -> zenlayer -> aws-lb -> apisix
We need to deploy certbot (Let's Encrypt) certificates on zenlayer and aws-lb, because they are free and therefore cheap.
Contents:
(1). Deploying certbot on CentOS 7
(2). Requesting a free certbot certificate
(3). Inspecting the certificate
(4). Certificate renewal
(5). Configuring the certificate on zenlayer
(6). Configuring the certificate on aws-lb
(7). Related commands
(8). References
(1). Deploying certbot on CentOS 7
Find a CentOS 7 machine and check the OS version:
cat /proc/version
Install certbot:
sudo yum install certbot
Check the certbot version, because ACME v2 is only supported by certbot 0.20.0 and later.
After the install finishes you can see the components and dependencies that were installed:
certbot --version
If the yum repositories do not contain certbot, install the EPEL repository first:
$ sudo yum install epel-release
(2). Requesting a free certbot certificate
Command to request a wildcard certificate:
sudo certbot certonly -d test.cc -d *.test.cc --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Main parameters:
a1. certonly is one of certbot's many plugins; other plugins can be chosen.
a2. -d specifies the hosts to request the certificate for; for a wildcard, enter *.yourdomain.com.
a3. Also request yourdomain.com itself, so that the bare domain is not left unmatched by the wildcard certificate.
a4. --preferred-challenges dns: use DNS validation to prove ownership of the domain.
a5. Wildcard certificates can only be requested with the dns-01 challenge.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): test@outlook.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf.
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot?
We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for test.cc and *.test.cc
Performing the following challenges:
dns-01 challenge for test.cc
dns-01 challenge for test.cc
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.test.cc with the following value:
snZDWRDuIo4mOHXXYYZZZZZZZZZZZZZZZZZZZZlOsk_GCX6Y
Before continuing, verify the record is deployed.
(At this point the DNS TXT record must be added to the GoDaddy DNS zone and confirmed before continuing, otherwise validation will fail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Do not continue yet!!
Interactive prompts:
a1. Enter an email address for urgent renewal and security notices.
a2. Agree to the Terms of Service.
a3. Agree to bind the domain and IP.
a4. Deploy the TXT record value in DNS to prove ownership of the domain.
Now go to your DNS provider and create a record named _acme-challenge.yourdomain.com of type TXT. Do not press Enter until you have confirmed the TXT record has taken effect.
Open a new ssh window and run the following command to confirm the TXT record is live:
dig -t txt _acme-challenge.test.cc @8.8.8.8
You can see the record has taken effect.
Go back to the original ssh window and press Enter.
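A scripted version of the dig check above, added here as an example and not part of the original post: it sends the same TXT query that dig does, parses the answers, and confirms every token certbot printed is visible before you press Enter. The DNS packet builder/parser, the function names and the sample response are all constructed for this example; the only value taken from the transcript is the TXT token.

```python
import socket
import struct

def build_txt_query(name: str, txn_id: int = 0x1234) -> bytes:  # TXT/IN query with RD=1
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
    return struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 16, 1)

def _skip_name(msg: bytes, off: int) -> int:  # advance past a (possibly compressed) name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:         # compression pointer: 2 bytes, terminates the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_txt_answers(msg: bytes) -> list:  # every TXT string in the answer section
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F != 0:                 # RCODE != NOERROR (e.g. NXDOMAIN): not live at this resolver
        return []
    off = 12
    for _ in range(qd):                     # skip the echoed question(s): name + type + class
        off = _skip_name(msg, off) + 4
    values = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 16:                     # TXT rdata is a run of <len><chars> strings
            p, chunks = off, []
            while p < off + rdlen:
                chunks.append(msg[p + 1:p + 1 + msg[p]].decode())
                p += 1 + msg[p]
            values.append("".join(chunks))
        off += rdlen
    return values

def query_txt(name: str, server: str = "8.8.8.8", timeout: float = 3.0) -> list:  # what dig shows
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name), (server, 53))
        return parse_txt_answers(s.recv(4096))

def challenges_live(expected: list, seen: list) -> bool:  # both dns-01 challenges share one name
    return set(expected) <= set(seen)

# Constructed sample response (not a real capture): NOERROR, one TXT answer at the queried name (0xC00C pointer)
TOKEN = "snZDWRDuIo4mOHXXYYZZZZZZZZZZZZZZZZZZZZlOsk_GCX6Y"   # value from the certbot prompt above
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_txt_query("_acme-challenge.test.cc")[12:] + b"\xc0\x0c"
                   + struct.pack(">HHIH", 16, 1, 300, len(TOKEN) + 1) + bytes([len(TOKEN)]) + TOKEN.encode())
```

Against the live resolver, run challenges_live([token, ...], query_txt("_acme-challenge.test.cc")) with every token certbot printed; a False result means wait for DNS propagation rather than pressing Enter.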
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: test@outlook.com).
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/test.cc/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/test.cc/privkey.pem
Your certificate will expire on 2022-08-18. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
(3). Inspecting the certificate
After the certificate is issued it is stored under /etc/letsencrypt by default.
$ cd /etc/letsencrypt/
$ ls
accounts archive csr keys live renewal renewal-hooks
You can verify the certificate details:
$ sudo openssl x509 -in /etc/letsencrypt/live/yourdomain.com/cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
...
...
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:*.yourdomain.com, DNS:yourdomain.com
X509v3 Certificate Policies:
...
...
You can see that the certificate's SAN extension contains *.yourdomain.com, which shows the range of names the certificate matches.
Example:
/etc/letsencrypt/live/test.cc
(4). Certificate renewal
By default certbot will renew a certificate within 30 days of its expiry. Ordinary certificates can be renewed with certbot's built-in command, scheduled as a recurring job with a cron expression. That will be covered in a separate post.
(5). Configuring the certificate on zenlayer
Certificate content: paste the contents of fullchain.pem
Private key content: paste the contents of privkey.pem
(6). Configuring the certificate on aws-lb
Certificate private key: paste the contents of privkey.pem
Certificate body: paste the contents of cert.pem
Certificate chain: paste the contents of fullchain.pem
(7). Related commands
Create a certbot certificate:
sudo certbot certonly -d tests.cc -d *.tests.cc --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
Verify that the validation TXT record is live in DNS:
dig -t txt _acme-challenge.tests.cc @8.8.8.8
(8). References
1. Installing a Let's Encrypt wildcard certificate on CentOS 7
https://qizhanming.com/blog/2019/04/23/how-to-install-let-s-encrypt-wildcards-certificate-on-centos-7