Let’s Encrypt free wildcard SSL/TLS certificates on CentOS 7

Let’s Encrypt now supports wildcard certificates, so when you have several subdomains you only need to request a single certificate.

Unlike other certificate authorities, where you fill in an application form manually on a web page, Let’s Encrypt requires a client (written in Python) to be installed on the server. The advantage of this approach is that the whole process can be automated. This guide uses Certbot, the client officially recommended by Let’s Encrypt, to obtain, deploy and renew the SSL certificate automatically:

Installation:

  • Install the EPEL extra package repository:
# yum install epel-release
  • Install Certbot:
# yum install certbot

Upgrading

  • If Certbot is already installed, note that Let’s Encrypt wildcard certificates require certbot 0.22.0 or newer. Check the installed version first:
# certbot --version
certbot 0.23.0
  • If it is older than 0.22.0, update all packages with the following command:
# yum -y update

Requesting the certificate

A wildcard certificate covers all subdomains, but if, like this site, you also use the bare domain name (abc.com rather than www.abc.com), you must request that name as well (only the two names after the -d options need to be replaced with your own):

# certbot -d abc.com -d '*.abc.com' --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory

# Enter an email address (for renewal and security notices), then press Enter
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email protected]

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

# Certbot warns that your IP address will be logged; type Y and press Enter
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
# The first DNS TXT record to add (one record for each name given with -d)
Please deploy a DNS TXT record under the name
_acme-challenge.abc.com with the following value:

tCUh9WTqckwKrxxxxxxxxxxxxxxxxxxxxKHjFfTfKhI

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
# Press Enter
Press Enter to Continue

# The second DNS TXT record to add
Please deploy a DNS TXT record under the name
_acme-challenge.abc.com with the following value:

fsGgQeEpA0kO0xxxxxxxxxxxxxxxxxxxxqYjnKhZvb4

Before continuing, verify the record is deployed.
# Add the TXT records on your DNS hosting provider first, confirm with the host command shown below that both records are visible, and only then press Enter
Press Enter to Continue

Waiting for verification...
Cleaning up challenges

# Done
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
# Location of the certificate
   /etc/letsencrypt/live/abc.com-0001/fullchain.pem
   Your key file has been saved at:

# Location of the private key
   /etc/letsencrypt/live/abc.com-0001/privkey.pem

# Expiry date and the command used to renew the certificate
   Your cert will expire on 2018-08-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Setting the DNS TXT records

The procedure is much the same on every DNS hosting provider; GoDaddy is used as the example here. For the record name, enter only _acme-challenge; the .abc.com suffix can be omitted.

Use the host command to confirm the DNS TXT records (the bind-utils package, which provides host, must be installed first):

# yum install bind-utils
# host -t txt _acme-challenge.abc.com
_acme-challenge.abc.com descriptive text "fsGgQeEpAXXXXXXXXXXXXXX6k-qYjnKhZvb4"
_acme-challenge.abc.com descriptive text "tCUh9WTqXXXXXXXXXXXXs0dcyUS0KHjFfTfKhI"
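As an added example (not part of the original post), the following POSIX shell script automates the host check above: it parses `host -t txt` output and reports which of the tokens certbot printed are not yet visible in DNS, so you know when it is safe to press Enter. The `sample_host_output` lines and the CONSTRUCTED-TOKEN values are made up for the offline demo; `check_acme_txt` is the live variant that actually queries DNS.

```shell
# Parse `host -t txt` output (stdin) and print each quoted TXT value on its own line.
acme_txt_values() {
    # Input lines look like:
    #   _acme-challenge.abc.com descriptive text "tCUh9WTq...FfTfKhI"
    sed -n 's/.*descriptive text "\([^"]*\)".*/\1/p'
}

# Read host output on stdin; print every expected token (the arguments) that is
# not visible in DNS yet. Returns 0 when all tokens are present, 1 otherwise.
missing_tokens() {
    seen=$(acme_txt_values)
    rc=0
    for want in "$@"; do
        if printf '%s\n' "$seen" | grep -qxF -- "$want"; then
            continue
        fi
        printf '%s\n' "$want"
        rc=1
    done
    return $rc
}

# Live check: query _acme-challenge.<domain> and verify the tokens certbot printed.
# Usage: check_acme_txt abc.com TOKEN1 TOKEN2
check_acme_txt() {
    domain="$1"; shift
    missing=$(host -t txt "_acme-challenge.$domain" 2>/dev/null | missing_tokens "$@") && return 0
    printf 'Not yet visible under _acme-challenge.%s:\n%s\n' "$domain" "$missing" >&2
    return 1
}

# Constructed sample of host output (hypothetical tokens) used for the offline demo.
sample_host_output() {
    cat <<'EOF'
_acme-challenge.abc.com descriptive text "CONSTRUCTED-TOKEN-1"
_acme-challenge.abc.com descriptive text "CONSTRUCTED-TOKEN-2"
EOF
}

# Offline demo against the sample instead of a live DNS query.
if sample_host_output | missing_tokens CONSTRUCTED-TOKEN-1 CONSTRUCTED-TOKEN-2 >/dev/null; then
    echo "both challenge records visible; safe to press Enter in certbot"
fi
```

The same check is what a --manual-auth-hook script has to perform before returning, because a certificate obtained with --manual and no auth hook cannot be renewed non-interactively by `certbot renew`.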

Deleting a certificate

If a certificate was requested incorrectly or needs to be replaced, the unused certificate can be deleted.

Check how many certificates have been requested:

# ll /etc/letsencrypt/renewal
總計 12
-rw-r--r--. 1 root root 579  6月 20 19:44 footmark.info.conf
-rw-r--r--. 1 root root 613  4月 21 22:05 abc.com.conf

Delete the unneeded certificate abc.com (omit the trailing .conf):

The actual certificate files stored under /etc/letsencrypt/live/ are deleted as well.

# certbot delete --cert-name abc.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Deleted all files relating to certificate abc.com.
-------------------------------------------------------------------------------

Web server configuration

For Apache (httpd) and Nginx, configure the certificate and private key paths shown above. After switching to a new certificate the web server must be restarted for it to take effect.

Automatic certificate renewal

Let’s Encrypt certificates are valid for only three months, so use the renewal command shown when the certificate was issued to set up a scheduled automatic renewal:

# vim /etc/crontab
# Renew certificates at 03:00 on the 1st of every month and restart Nginx (for Apache, replace nginx with httpd)
00 03  1  *  * root /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx
