Letsencrypt

Summary: Author: 张亚飞 | Reading time: 4 minute read | Published: 2017-08-08
Filed under Categories: DevOps | Tags: Linux, Server, Software, DevOps

letsencrypt certificate authority

Self-signed certificates under Nginx

letsencrypt certificate issuance and usage issues

$ sudo pip install virtualenv
$ git clone https://github.com/letsencrypt/letsencrypt.git
$ cd letsencrypt
$ sudo ./letsencrypt-auto --help

First, stop the nginx server currently running on the host.

  • To obtain a cert using a “standalone” webserver (you may need to temporarily stop your existing webserver) for example.com and www.example.com:

To obtain a cert using the “webroot” plugin, which can work with the webroot directory of any webserver software:

./letsencrypt-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is
  • Once the command above completes, it ends with the following success message:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/coopens.com/fullchain.pem. Your cert will
   expire on 2016-03-22. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  • As prompted, four files sit alongside /etc/letsencrypt/archive/coopens.com/fullchain.pem:
cert.pem	the server certificate
chain.pem	every certificate the browser needs except the server certificate, such as the root and intermediate certificates
fullchain.pem	the contents of cert.pem followed by chain.pem
privkey.pem	the certificate's private key
cd /etc/letsencrypt/archive/coopens.com
cp * /data/home/coam/Server/Run/Docs/Server/ServiceConfig/Nginx/LetsSSL/coopens.com/

Update the corresponding coopens.com configuration so the ssl certificate directives point at the new files:

#ssl_certificate /data/home/coam/GlobalSign/SYAM/syam.crt;
#ssl_certificate_key /data/home/coam/GlobalSign/SYAM/syam.key;
ssl_certificate /etc/letsencrypt/live/coopens.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/coopens.com/privkey.pem;

Finally, restart nginx.

  • Configure the OCSP root chain
cat fullchain.pem /data/home/coam/Server/Run/Docs/Server/ServiceConfig/Nginx/Certify/DST_Root_CA_X3.pem > rootchain.pem
  • The complete renewal procedure is:
# updating certificate
su
DOMAIN_DIR_NAME=nocs.cn # first find the directory name of the most recently issued domain certificate
echo ${DOMAIN_DIR_NAME}

# manually rename {cert1.pem  chain1.pem  fullchain1.pem  privkey1.pem} to {cert.pem  chain.pem  fullchain.pem  privkey.pem}
# (note: the symlinks in /etc/letsencrypt/live/${DOMAIN_DIR_NAME}/ point at the numbered files, so renaming leaves them dangling)
cd /etc/letsencrypt/archive/${DOMAIN_DIR_NAME}/
ls -al
mv cert1.pem cert.pem
mv chain1.pem chain.pem
mv fullchain1.pem fullchain.pem
mv privkey1.pem privkey.pem

# start the update...
cd /data/home/coam/Server/Run/Docs/Server/ServiceConfig/Nginx/LetsSSL/${DOMAIN_DIR_NAME}/
ls
rm *
cp /etc/letsencrypt/archive/${DOMAIN_DIR_NAME}/* /data/home/coam/Server/Run/Docs/Server/ServiceConfig/Nginx/LetsSSL/${DOMAIN_DIR_NAME}/
cat fullchain.pem ../../Certify/DST_Root_CA_X3.pem > rootchain.pem

# test certificate
# restart nginx, test https

# backup certificate to ali
scp -P 22312 * coam@47.90.15.40:Server/Run/Docs/Server/ServiceConfig/Nginx/LetsSSL/${DOMAIN_DIR_NAME}/
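The "# test certificate" step in the procedure above is left empty. As an added example (not from the original post), here are two POSIX sh checks for the file layout the post describes: that the four archive files are consistent before they are copied into the nginx tree, and that the live/ symlinks nginx reads still resolve. check_archive and check_live are hypothetical helper names; the PEM blocks used in testing are constructed placeholders.

```shell
#!/bin/sh
# Pre-install checks for the four files the post describes. Layout assumed:
# archive/<domain>/{cert,chain,fullchain,privkey}.pem and, as certbot creates
# them, live/<domain>/ holding symlinks into archive/. Hypothetical helpers.

# check_archive DIR: all four files exist, fullchain.pem is exactly cert.pem
# followed by chain.pem, and privkey.pem is a private key, not a certificate.
check_archive() {
    dir=$1
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    if ! cat "$dir/cert.pem" "$dir/chain.pem" | cmp -s - "$dir/fullchain.pem"; then
        echo "fullchain.pem is not cert.pem + chain.pem in $dir" >&2; return 1
    fi
    [ "$(grep -c 'BEGIN CERTIFICATE' "$dir/cert.pem")" -eq 1 ] ||
        { echo "cert.pem must hold exactly one certificate" >&2; return 1; }
    grep -q 'BEGIN .*PRIVATE KEY' "$dir/privkey.pem" ||
        { echo "privkey.pem is not a PEM private key" >&2; return 1; }
    if grep -q 'BEGIN CERTIFICATE' "$dir/privkey.pem"; then
        echo "privkey.pem contains a certificate, refusing to install" >&2; return 1
    fi
    return 0
}

# check_live DIR: every entry nginx reads via /etc/letsencrypt/live/... is a
# symlink that still resolves. Renaming cert1.pem to cert.pem in archive/, as
# the procedure above does, leaves these links dangling and this check fails.
check_live() {
    dir=$1
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        p=$dir/$f
        [ -L "$p" ] || { echo "not a symlink: $p" >&2; return 1; }
        [ -e "$p" ] || { echo "dangling: $p -> $(readlink "$p")" >&2; return 1; }
    done
    return 0
}

# Usage at the "# test certificate" step, before the cp and the nginx restart:
#   check_live /etc/letsencrypt/live/nocs.cn && \
#   check_archive /etc/letsencrypt/archive/nocs.cn || exit 1
```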

Troubleshooting

  • Running sudo ./letsencrypt-auto certonly --standalone --email admin@iirii.com -d iirii.com frequently failed with the following network connection error:
Fri Feb 19 22:37:18 coam@coam:~/RunProject/letsencrypt$ sudo ./letsencrypt-auto certonly --standalone --email admin@iirii.com \
>     -d iirii.com \
>     -d www.iirii.com \
>     -d wp.iirii.com \
>     -d ftp.iirii.com \
>     -d sarah.iirii.com \
>     -d acs.iirii.com \
>     -d acr.iirii.com
Checking for new version...
Upgrading letsencrypt-auto 0.5.0.dev0 to 0.4.0...
Couldn't download https://raw.githubusercontent.com/letsencrypt/letsencrypt/v0.4.0/letsencrypt-auto-source/letsencrypt-auto. <urlopen error [Errno -2] Name or service not known>

A ShadowSocks proxy is needed to get around the network block; see Linux/ShadowSocks.md for the detailed configuration.

$ sudo ./letsencrypt-auto --help
...
Creating virtual environment...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
    main()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
    download=download,
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /data/home/coam/.l...ncrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2
  • Temporarily set the following environment variables:
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"

Issuing certificates automatically with acme.sh

qs-co.coam.co
qs-co.coopens.com
qs-co.lonal.com
qw-co.coam.co

qs-ct.coam.co
qs-ct.coopens.com
qs-ct.lonal.com
qw-ct.coam.co

qs-mo.coam.co
qs-mo.coopens.com
qs-mo.lonal.com
qw-mo.coam.co

qs-mt.coam.co
qs-mt.coopens.com
qs-mt.lonal.com
qw-mt.coam.co

Installing acme.sh

curl https://get.acme.sh | sh

It is installed under the ~/.acme.sh/ directory.

  • Issuing certificates via DNS validation

DnsPod Api

export DP_Id="72921"
export DP_Key="303e442575de36c5b854c9eb95da2106"
~/.acme.sh/acme.sh --issue --force --dns dns_dp -d qs-co.lonal.com -d qs-ct.lonal.com -d qs-mo.lonal.com -d qs-mt.lonal.com
#~/.acme.sh/acme.sh --issue --force --dns dns_dp -d qs-co.lonal.com -d qs-ct.lonal.com -d qs-mo.lonal.com -d qs-mt.lonal.com --install-cert --cert-file "/data/home/coam/.acme.sh/qs.lonal.com/cert.cer" --key-file "/data/home/coam/.acme.sh/qs.lonal.com/key.key" --ca-file "/data/home/coam/.acme.sh/qs.lonal.com/ca.cer" --fullchain-file "/data/home/coam/.acme.sh/qs.lonal.com/fullchain.cer" --staging

The certificate is generated under .acme.sh/qs-co.lonal.com

  • Using staging (test) mode
~/.acme.sh/acme.sh --issue -d qs-co.nocs.cn --dns dns_dp --staging --debug 2
~/.acme.sh/acme.sh --issue -d *.coam.co --dns dns_dp --staging --debug 2
~/.acme.sh/acme.sh --issue -d *.nocs.cn --dns dns_dp --staging --debug 2

~/.acme.sh/acme.sh --issue -d *.nocs.cn --dns dns_dp --cert-file "/data/home/coam/.acme.sh/nocs.cn/cert.cer" --key-file "/data/home/coam/.acme.sh/nocs.cn/key.key" --ca-file "/data/home/coam/.acme.sh/nocs.cn/ca.cer" --fullchain-file "/data/home/coam/.acme.sh/nocs.cn/fullchain.cer" --staging --debug 2

Deploying the certificate to Qiniu.com

Before deploying to Qiniu with acme.sh, make sure HTTPS is enabled for the domain being deployed; this is set under Fusion CDN - Domain Management. You also need to export the AK/SK environment variables first, which you can obtain from Key Management.

export QINIU_AK="Se81VMsQEbwVASh_1-SG6sU_dJUNSnSlG3OUZD1a"
export QINIU_SK="hpvZFdL3Tw2QzvN7CYsqqZvfvhIeaNWDylFmE-YG"

Once the preparation is done, you can deploy the SSL certificate to Qiniu with the following command:

~/.acme.sh/acme.sh --deploy -d qs-ct.lonal.com --deploy-hook qiniu

If the certificate you deploy is a wildcard certificate, you also need to set the QINIU_CDN_DOMAIN variable to specify the actual domain to deploy to:

#export QINIU_CDN_DOMAIN="qs-ct.coam.co"
~/.acme.sh/acme.sh --deploy -d *.coam.co --deploy-hook qiniu

~/.acme.sh/acme.sh --deploy -d qs.lonal.com --deploy-hook qiniu
