For a website or an API to support HTTPS you need a CA certificate. Usually people generate a self-signed certificate with a Java tool or an Apache tool; browsers show a risk warning when you visit a site with a self-signed certificate, and even 12306 does it that way, but you shouldn't just give up. I had earlier heard of StartSSL: http://www.oschina.net/translate/switch-to-https-now-for-free?cmp, but its configuration is tedious. This time the Italian side sent over a pile of certificates, all generated with certbot: https://certbot.eff.org/#ubuntutrusty-nginx, which is indeed much cleaner.

Brief usage guide

The links above describe it; the process is roughly:

  1. Make the site reachable over HTTP, whether it is nginx + tomcat or apache + tomcat. Let's Encrypt can only validate that the domain belongs to you if the site is reachable.

  2. Download the certbot-auto installer: wget https://dl.eff.org/certbot-auto

  3. Run the installer; it installs a Python environment and its dependencies.

  4. Obtain the certificate:

./certbot-auto certonly --webroot -w /var/www/words8 -d words8.com

An installation dialog pops up with the following output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for words8.com
Using the webroot path /var/www/words8 for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits):
/etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
  5. Verify that the certificate is valid:
openssl x509 -text -noout -in /etc/letsencrypt/live/words8.com/fullchain.pem;
  6. Use the certificate.
    Taking nginx as an example, you only need to reference it in /etc/nginx/sites-enabled/default:
ssl on;
ssl_certificate /etc/letsencrypt/live/words8.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/words8.com/privkey.pem;

A complete nginx configuration example, for instance:

server {
    listen 80;
    server_name app.tikimo.it tikimo.mycloudcare.net;
    root /var/www/weeocean/locator;
    location / {
        proxy_pass http://localhost:8080/;
    }
}
server {
    listen 443;
    server_name app.tikimo.it tikimo.mycloudcare.net;
    root /var/www/weeocean/locator;
    ssl on;
    #ssl_certificate /etc/ssl/certs/server.crt;
    #ssl_certificate_key /etc/ssl/private/server.key;

    ssl_certificate /etc/letsencrypt/live/app.tikimo.it/fullchain.pem; #/etc/nginx/fullchain-1473769064.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.tikimo.it/privkey.pem; #/etc/nginx/privkey-1473769064.pem;
    location / {
        proxy_pass http://localhost:8080/;
    }
}
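The configuration above works, but port 80 proxies the application in plaintext and the 443 block relies on the legacy "ssl on" directive with no explicit TLS settings. The script below is an added example (not code from the original post) that covers both step 5 (checking the certificate) and the nginx configuration: write_site_config emits a hardened site config for a domain whose certificate lives under /etc/letsencrypt/live/, keeping the ACME challenge path on port 80 so that later --webroot renewals still work, and cert_valid_for_days uses openssl x509 -checkend instead of reading the full -text dump by eye. The domain, webroot and upstream values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Writes a hardened nginx site
# config for a certbot-managed domain and checks the certificate's remaining
# lifetime. Domain, webroot and upstream values are constructed for illustration.

# Emit an nginx site config to stdout. Compared with the config on the page:
#  - port 80 serves only the ACME challenge directory (certbot --webroot needs
#    it) and redirects everything else to HTTPS instead of proxying plaintext;
#  - "listen 443 ssl" replaces the deprecated "ssl on" directive;
#  - TLS protocol versions and HSTS are set explicitly.
write_site_config() {
    domain=$1; webroot=$2; upstream=$3
    cat <<EOF
server {
    listen 80;
    server_name ${domain};

    # Keep the challenge path reachable over plain HTTP for renewals.
    location /.well-known/acme-challenge/ {
        root ${webroot};
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name ${domain};

    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;  # drop TLSv1.3 on nginx older than 1.13
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass ${upstream};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Return 0 if the certificate in $1 stays valid for at least $2 more days.
# "openssl x509 -checkend N" exits 1 when the cert expires within N seconds.
cert_valid_for_days() {
    cert=$1; days=$2
    openssl x509 -checkend $((days * 86400)) -noout -in "$cert" >/dev/null 2>&1
}

# Print only the notAfter date of the certificate.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Usage on the server (paths assumed to exist there):
#   write_site_config words8.com /var/www/words8 http://localhost:8080/ \
#       > /etc/nginx/sites-available/words8.com
#   nginx -t && nginx -s reload
#   cert_valid_for_days /etc/letsencrypt/live/words8.com/fullchain.pem 30 \
#       || echo "certificate expires within 30 days: renew"
```

Run nginx -t before reloading: a typo in the generated config would otherwise take the site down, and nginx -s reload refuses to apply an invalid config only after the test has been skipped.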

For an Apache configuration example, see https://www.zhukun.net/archives/8104

20180711: this form puts several domains into one certificate (ports such as 80 and 443 must not be in use): ./certbot-auto certonly --standalone -d a.com -d b.com -d c.com

20180903: summary of problems encountered

  • Running certbot-auto fails with: OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2. Switching the Python version does not help. The fix is pip uninstall virtualenv followed by pip install virtualenv==15.1.0; it is a virtualenv version problem. Reference: here.

  • Running a pip command fails with pip ImportError: No module named _internal. The fix is curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py, then python2.7 get-pip.py --force-reinstall. Reference: here.

Other notes

  • This kind of certificate is domain-validated (it attests only to the domain name), which is sufficient.

  • Run ./certbot-auto renew --quiet --no-self-upgrade, or add it to a scheduled task, to renew the certificate.

  • Run ./certbot-auto renew --dry-run to renew the certificate manually; the log of the run looks like this:

Upgrading certbot-auto 0.10.1 to 0.14.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/words8.com.conf

Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for words8.com
http-01 challenge for tikimo.mycloudcare.net
Waiting for verification...
Cleaning up challenges

new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/words8.com/fullchain.pem

** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/words8.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

If that does not work, use the command ./certbot-auto renew --quiet. The renewed files end up under /etc/letsencrypt/archive/, for example:

-rw-r--r-- 1 root root 1826 Oct 18  2016 cert1.pem
-rw-r--r-- 1 root root 1826 Jan 21 17:41 cert2.pem
-rw-r--r-- 1 root root 1826 May  9 08:08 cert3.pem
-rw-r--r-- 1 root root 1647 Oct 18  2016 chain1.pem
-rw-r--r-- 1 root root 1647 Jan 21 17:41 chain2.pem
-rw-r--r-- 1 root root 1647 May  9 08:08 chain3.pem
-rw-r--r-- 1 root root 3473 Oct 18  2016 fullchain1.pem
-rw-r--r-- 1 root root 3473 Jan 21 17:41 fullchain2.pem
-rw-r--r-- 1 root root 3473 May  9 08:08 fullchain3.pem
-rw-r--r-- 1 root root 1704 Oct 18  2016 privkey1.pem
-rw-r--r-- 1 root root 1704 Jan 21 17:41 privkey2.pem
-rw-r--r-- 1 root root 1704 May  9 08:08 privkey3.pem

The server references /etc/letsencrypt/live/words8.com/fullchain.pem, which points to the fullchain.pem with the highest version number.

  • Add it to a scheduled task to renew the certificate. For details see the crontab post.
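The dry-run log above says "new certificate deployed without reload": certbot writes the new files and repoints the live/ symlinks, but nginx keeps serving the certificate it loaded at startup until it is reloaded. The script below is an added example (not from the original post) that ties the renewal note, the archive/ listing and the cron note together: renew_certs runs the renewal with a deploy hook that reloads nginx only when a certificate actually changed, latest_archive_version reproduces the "highest version number" rule over the archive/ file names, and live_points_to_latest checks that the live/ symlink really does point there. The --deploy-hook flag is assumed to be available (certbot 0.17 and later; older releases have --renew-hook), and the script path in the cron line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Renews Let's Encrypt certificates
# with a reload hook and checks that /etc/letsencrypt/live/ points at the newest
# archive version. Paths in the usage comments are assumptions.

# Run the renewal. The deploy hook executes only for certificates that were
# actually renewed, so nginx is reloaded exactly when the key material changed
# and never on the frequent no-op runs. --deploy-hook needs certbot >= 0.17;
# older releases spell it --renew-hook.
renew_certs() {
    ./certbot-auto renew --quiet --no-self-upgrade \
        --deploy-hook "nginx -t && nginx -s reload"
}

# Print the highest N among fullchainN.pem files in the archive directory $1.
# Sorting numerically matters: a lexical sort would rank fullchain9.pem above
# fullchain10.pem.
latest_archive_version() {
    dir=$1
    for f in "$dir"/fullchain*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/fullchain}
        n=${n%.pem}
        echo "$n"
    done | sort -n | tail -n 1
}

# Return 0 if live dir $1's fullchain.pem symlink targets the newest
# fullchainN.pem in archive dir $2. A stale symlink here means the server
# would keep loading an old certificate after every reload.
live_points_to_latest() {
    live=$1; archive=$2
    latest=$(latest_archive_version "$archive")
    [ -n "$latest" ] || return 1
    target=$(readlink "$live/fullchain.pem") || return 1
    [ "${target##*/}" = "fullchain${latest}.pem" ]
}

# Usage on the server (hypothetical paths):
#   renew_certs
#   live_points_to_latest /etc/letsencrypt/live/words8.com \
#       /etc/letsencrypt/archive/words8.com || echo "live/ symlink is stale"
#
# Cron entry that runs the renewal daily at 03:00 (script path is a placeholder):
#   0 3 * * * /usr/local/sbin/renew-certs.sh >> /var/log/renew-certs.log 2>&1
```

Running the renewal daily is intentional: certbot only renews when the certificate is within its renewal window (30 days before expiry by default), so the frequent runs cost nothing and a transient validation failure gets retried long before the certificate actually expires.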