Alibaba Cloud ECS + Tencent domain: wrangling HTTP → HTTPS


philo-尼可 297 2020-10-17

How to switch a website from HTTP to HTTPS. Overall there are four steps: obtain an SSL certificate, deploy the SSL certificate, modify the site's configuration file (conf), and replace HTTP with HTTPS in the site's URLs.

Installing the SSL certificate (Certbot)

SSL certificates come in free and paid varieties; I will not go into the details here. Free ones are perfectly usable, for example the well-known Let's Encrypt SSL certificates. (The Let's Encrypt client tool has been officially renamed Certbot.)

  • Install git
sudo yum install git
  • Download the certificate tool
sudo git clone https://github.com/certbot/certbot /opt/letsencrypt
  • Enter the certificate directory
cd /opt/letsencrypt

Create and deploy the certificate

  • Run the following command to create the certificate:
./certbot-auto certonly --email zhangyongduo@gmail.com -d "*.20190616.xyz" -d 20190616.xyz --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory

Notes

  1. The --email address in the command above is where you receive certificate and key replies as well as urgent notices; prefer a corporate or Gmail address. A QQ mailbox should also work; you can try it.
  2. certonly selects certificate-only mode (obtain the certificate without the installer step); Certbot has two types of plugins, installers and authenticators.
  3. --manual selects the manual plugin. Certbot has many plugins, each of which can request a certificate; choose whichever suits your needs.
  4. -d lists the hosts the certificate is for; for a wildcard, enter *.20190616.xyz (replace with your own domain).
  5. --preferred-challenges dns-01 verifies ownership of the domain via DNS. Three challenge types exist:
     dns-01: add a DNS TXT record to the domain.
     http-01: place a resource file at an HTTP well-known URL on the domain's web server.
     tls-sni-01: place a resource file at an HTTPS well-known URL on the domain's web server. (Let's Encrypt has since retired this challenge type; only dns-01 and http-01 remain usable.)
  6. --server: the Let's Encrypt ACME v2 endpoint differs from the v1 one and must be specified explicitly.
  • After pressing Enter on the command above, answer A and Y to every prompt
[root@p0 certbot]# ./certbot-auto certonly --email ****@gmail.com -d "*.20190616.xyz" -d 20190616.xyz --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for 20190616.xyz
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
(Y)es/(N)o: Y
Please deploy a DNS TXT record under the name
_acme-challenge.20190616.xyz with the following value:
X9wpIH3GCNryI_2aqu941hebfp71PAMFJaq9yJfJHb8
Before continuing, verify the record is deployed.
Press Enter to Continue

  • At this point, add the TXT DNS record at your domain provider. Mine is a Tencent domain; the record is configured as follows:
    (screenshot omitted: image.png)

  • Verify the configured DNS record _acme-challenge.20190616.xyz
dig  -t txt  _acme-challenge.20190616.xyz @8.8.8.8 
  • If the output shows the configured value (X9wpIH3GCNryI_2aqu941hebfp71PAMFJaq9yJfJHb8), the record is live
[root@p0 ~]# dig  -t txt  _acme-challenge.20190616.xyz @8.8.8.8
;  DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6  -t txt _acme-challenge.20190616.xyz @8.8.8.8
;; global options: +cmd
;; Got answer:
;; HEADER opcode: QUERY, status: NOERROR, id: 15044
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.20190616.xyz.  IN      TXT
;; ANSWER SECTION:
_acme-challenge.20190616.xyz. 599 IN    TXT     "X9wpIH3GCNryI_2aqu941hebfp71PAMFJaq9yJfJHb8"
;; Query time: 69 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Oct 17 18:24:50 CST 2020
;; MSG SIZE  rcvd: 113
If you get -bash: dig: command not found, install it:
     yum -y install bind-utils
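Checking one resolver by eye, as above, works, but the record has to be visible before you press Enter or the dns-01 challenge fails. As an added example (not from the original post), a small POSIX shell helper that parses dig output for the _acme-challenge TXT record and polls public resolvers until the token certbot printed is visible. It assumes dig (bind-utils) is installed; the resolver list and retry count are constructed choices.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes dig (bind-utils) is installed.

# Print the quoted TXT values from dig output (answer lines only).
# Answer lines look like:  _acme-challenge.example. 599 IN TXT "token"
# Lines starting with ';' (question section, comments) are skipped.
txt_values_from_dig() {
  grep -v '^;' | grep -E '[[:space:]]IN[[:space:]]+TXT[[:space:]]' |
    sed -E 's/.*TXT[[:space:]]+"([^"]*)".*/\1/'
}

# Return 0 when TOKEN is one of the TXT values in DIG_OUTPUT, 1 otherwise.
# The "--" matters: ACME tokens are base64url and may start with '-' or '_'.
# Usage: txt_matches TOKEN DIG_OUTPUT
txt_matches() {
  printf '%s\n' "$2" | txt_values_from_dig | grep -qxF -- "$1"
}

# Query one resolver for NAME and check that it returns TOKEN.
# Usage: check_resolver NAME TOKEN RESOLVER
check_resolver() {
  txt_matches "$2" "$(dig +noall +answer -t txt "$1" "@$3")"
}

# Poll the resolvers every 10 s until all of them return TOKEN, or give up
# after TRIES rounds (default 12). The resolver list is a constructed choice.
# Usage: wait_for_txt _acme-challenge.20190616.xyz TOKEN [TRIES]
wait_for_txt() {
  name="$1"; token="$2"; tries="${3:-12}"
  while [ "$tries" -gt 0 ]; do
    missing=""
    for r in 8.8.8.8 1.1.1.1; do
      check_resolver "$name" "$token" "$r" || missing="$missing $r"
    done
    if [ -z "$missing" ]; then
      echo "TXT record visible at all resolvers; safe to press Enter"
      return 0
    fi
    echo "not yet visible at:$missing (retrying)"
    tries=$((tries - 1))
    sleep 10
  done
  echo "gave up: record still missing at:$missing" >&2
  return 1
}
```

Run wait_for_txt in a second terminal while certbot waits at "Press Enter to Continue"; a non-zero exit means the registrar has not published the record yet.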

  • Once verification passes, press Enter again

Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: zhangyongduo@gmail.com).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/20190616.xyz/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/20190616.xyz/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  • Congratulations! The certificate was generated; let's look at it
[root@p0]# pwd
/etc/letsencrypt/live/20190616.xyz
[root@p0]# ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

Configuring the certificate in nginx

Install nginx

## install epel and nginx
yum install epel-release
yum install nginx
## enable nginx
systemctl enable nginx
## find the install path
whereis nginx
ls -l /usr/sbin/nginx   # the nginx binary (a file, so cd into it will not work)

Config file: /etc/nginx/nginx.conf

  • Open the nginx server config and add the following settings:
server {
   listen 443 ssl;   # "listen 443" with no semicolon and no "ssl" does not parse; "ssl on;" is deprecated since nginx 1.15
   server_name your-domain;   # replace with your domain (the post's example is 20190616.xyz)
   ssl_certificate /etc/letsencrypt/live/your-domain/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/your-domain/privkey.pem;
   # note: the RSA+ and 3DES entries below have no forward secrecy / are weak; keep them only if legacy clients need them
   ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
   # TLSv1 and TLSv1.1 are deprecated (RFC 8996); prefer TLSv1.2 only (plus TLSv1.3 where your nginx/OpenSSL support it)
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_session_cache shared:SSL:10m;

   # HSTS (ngx_http_headers_module is required) (31536000 seconds = 12 months)
   # add_header Strict-Transport-Security "max-age=31536000" always;

   # OCSP Stapling ---
   # fetch OCSP records from URL in ssl_certificate and cache them
   # ssl_stapling_verify needs the issuer chain (ssl_trusted_certificate) and nginx needs a resolver to reach the OCSP responder
   ssl_stapling on;
   ssl_stapling_verify on;
   ssl_trusted_certificate /etc/letsencrypt/live/your-domain/chain.pem;
   resolver 8.8.8.8 valid=300s;
}

  • Redirect HTTP to HTTPS
server {
        listen 80;
        server_name your-domain;
        rewrite ^(.*)$ https://$host$1 permanent;
}

Set up scheduled certificate renewal

  • Add Certbot's automatic renewal command to /var/spool/cron/root
55 9 11 1,3,5,7,9,11 * /opt/certbot/certbot-auto renew --no-self-upgrade --renew-hook "/usr/sbin/nginx -s reload"

This means: at 09:55 on the 11th of January, March, May, July, September and November, run the renewal check once; after a renewal completes, reload nginx (nginx -s reload).

Without --no-self-upgrade, the command errors out:

Upgrading certbot-auto 1.9.0 to 1.11.0...
Couldn't download https://raw.githubusercontent.com/certbot/certbot/v1.11.0/letsencrypt-auto-source/letsencrypt-auto. <urlopen error [Errno 111] Connection refused>

To pin certbot-auto to its current version and stop it auto-updating, just append --no-self-upgrade to the command.

  • Restart the cron service so the change takes effect
service crond restart
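The cron line above runs unattended, and a renewal that fails leaves nothing behind except a cron mail nobody reads, so the problem only surfaces when the certificate expires. As an added example (not from the original post), a wrapper script the cron job can call instead of certbot-auto directly: it logs the renewal's exit status and warns when the live certificate is within WARN_DAYS of expiry. Paths follow the post; the log location, the script name and the 30-day threshold are constructed choices.

```shell
#!/bin/sh
# Added example, not from the original post. Paths follow the post; the log
# location and the 30-day warning threshold are constructed choices.
RENEW_LOG="${RENEW_LOG:-/var/log/certbot-renew.log}"
WARN_DAYS="${WARN_DAYS:-30}"
CERT="${CERT:-/etc/letsencrypt/live/20190616.xyz/fullchain.pem}"

log() { printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$RENEW_LOG"; }

# Run a command with its output captured in the log, record its exit status,
# and return that status so callers can act on failures.
# Usage: run_logged LABEL COMMAND [ARGS...]
run_logged() {
  label="$1"; shift
  "$@" >> "$RENEW_LOG" 2>&1
  status=$?
  log "$label exit=$status"
  return "$status"
}

# Return 0 if CERT_FILE stays valid for at least DAYS more days.
# `openssl x509 -checkend N` exits non-zero when the cert expires within N seconds.
# Usage: cert_ok_for_days CERT_FILE DAYS
cert_ok_for_days() {
  openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# Renew (pinned with --no-self-upgrade, nginx reloaded on success), then check
# that the live certificate is not close to expiry regardless of what certbot said.
renew_and_check() {
  run_logged "certbot renew" /opt/certbot/certbot-auto renew --no-self-upgrade \
    --renew-hook "/usr/sbin/nginx -s reload"
  renew_status=$?
  if cert_ok_for_days "$CERT" "$WARN_DAYS"; then
    log "certificate valid for more than $WARN_DAYS days"
  else
    log "WARNING: certificate expires within $WARN_DAYS days (renew exit=$renew_status)"
    return 1
  fi
  return "$renew_status"
}

# Only act when invoked with --run, so the file can be sourced without side effects.
if [ "${1:-}" = "--run" ]; then renew_and_check; fi
```

Point the cron entry at the script (for example `55 9 11 1,3,5,7,9,11 * /usr/local/bin/renew-cert.sh --run`) and feed the WARNING line into whatever monitoring you already have.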

Switching the certificate tool (certbot-auto no longer used)

In January 2021 I found the certificate had not renewed, so I checked the crontab execution log:

less /var/log/cron

The job had run, but the certificate was not renewed:

Jan 10 01:50:01 p0 CROND[27267]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 10 02:00:01 p0 CROND[27768]: (root) CMD (/opt/certbot/certbot-auto renew --renew-hook "/usr/sbin/nginx -s reload")
Jan 10 02:00:01 p0 CROND[27769]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 10 02:00:09 p0 CROND[27767]: (root) MAIL (mailed 207 bytes of output but got status 0x004b#012)

Running the script by hand indeed produces an error:

[root@p0 log]# /opt/certbot/certbot-auto renew --renew-hook "/usr/sbin/nginx -s reload"
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-manager

This system is not registered with an entitlement server. You can use subscription-manager to register.

Loading mirror speeds from cached hostfile
Package libffi-devel-3.0.13-19.el7.x86_64 already installed and latest version
Package redhat-rpm-config-9.1.0-88.el7.centos.noarch already installed and latest version
......
Complete!
Upgrading certbot-auto 1.9.0 to 1.11.0...
Couldn't download https://raw.githubusercontent.com/certbot/certbot/v1.11.0/letsencrypt-auto-source/letsencrypt-auto. <urlopen error [Errno 111] Connection refused>

In short, certbot-auto is no longer practical to use; on a (technical) friend's recommendation I switched to the snap-based install (snap-apache).

See the link for details:
snap-apache

Here are the snap installation commands collected in one place:

yum install epel-release
yum install snapd
systemctl enable --now snapd.socket
ln -s /var/lib/snapd/snap /snap
snap install core
snap refresh core

Install the certbot tool

snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

Command to request a certificate (the same command also works for renewal)

certbot certonly --email *@gmail.com -d "*.20190616.xyz" -d 20190616.xyz --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory

When renewing, stop nginx first so the DNS TXT verification does not fail

Please deploy a DNS TXT record under the name
_acme-challenge.20190616.xyz with the following value:

After the renewal, start nginx again; the certificate renewal is complete.


# https # certificate # certbot # domain # nginx