Let's Encrypt free wildcard SSL/TLS certificates on CentOS 7
Let's Encrypt now supports wildcard certificates, so when you have several subdomains you only need to request a single certificate.
Unlike other certificate authorities, where you fill in the request form by hand on a web page, Let's Encrypt requires installing a client (written in Python) on the server. The benefit of this approach is that the whole process can be fully automated. Here we use Certbot, the client officially recommended by Let's Encrypt, to obtain, deploy and renew SSL certificates automatically:
Installation steps:
- Install the EPEL extra package repository:
# yum install epel-release
- Install Certbot:
# yum install certbot
Upgrading
- If Certbot is already installed, note that Let's Encrypt wildcard certificates require certbot 0.22.0 or later. First check the installed version:
# certbot --version
certbot 0.23.0
- If the version is older than 0.22.0, update all packages with:
# yum -y update
Requesting the certificate
A wildcard certificate covers every subdomain, but if, like this site, you also serve the bare domain name (e.g. abc.com rather than www.abc.com), you must add that name explicitly. Only the two names after the -d options need to be replaced with your own:
[root@smalljacky ~]# certbot -d abc.com -d *.abc.com --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory
# Enter an email address (for renewal and security notices), then press Enter
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email protected]
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
# Certbot warns that your IP will be logged; type Y and press Enter
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
-------------------------------------------------------------------------------
# First DNS TXT record to add (one record is required for every name given with -d)
Please deploy a DNS TXT record under the name
_acme-challenge.abc.com with the following value:
tCUh9WTqckwKrxxxxxxxxxxxxxxxxxxxxKHjFfTfKhI
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
# Just press Enter
Press Enter to Continue
# Second DNS TXT record to add
Please deploy a DNS TXT record under the name
_acme-challenge.abc.com with the following value:
fsGgQeEpA0kO0xxxxxxxxxxxxxxxxxxxxqYjnKhZvb4
Before continuing, verify the record is deployed.
# First create the TXT records at your DNS hosting provider, then confirm with the host command described below that both records resolve before pressing Enter
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
# Done
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
# Location of the certificate
/etc/letsencrypt/live/abc.com-0001/fullchain.pem
Your key file has been saved at:
# Location of the private key
/etc/letsencrypt/live/abc.com-0001/privkey.pem
# Certificate expiry date and the command for renewing it
Your cert will expire on 2018-08-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Creating the DNS TXT records
The settings look much the same at every DNS hosting provider; GoDaddy is used here as the example. The record name only needs to be _acme-challenge; the .abc.com suffix can be omitted.
Confirm the DNS TXT records with the host command (the bind-utils package, which provides host, must be installed first):
# yum install bind-utils
# host -t txt _acme-challenge.smalljacky.com
_acme-challenge.abc.com descriptive text "fsGgQeEpAXXXXXXXXXXXXXX6k-qYjnKhZvb4"
_acme-challenge.abc.com descriptive text "tCUh9WTqXXXXXXXXXXXXs0dcyUS0KHjFfTfKhI"
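As an added example of the "verify the record is deployed" step above (not code from the original post), this POSIX shell script parses host -t txt output and polls until every TXT value certbot asked for is visible; the function names, the TRIES/INTERVAL variables and the sample values are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that every DNS TXT
# value certbot asked for is visible under _acme-challenge.<domain> before
# pressing Enter. Uses the host command from bind-utils, as on the page.
# txt_values: read `host -t txt` output on stdin and print each quoted TXT
# value on its own line, without the quotes.
txt_values() {
    sed -n 's/^.* descriptive text "\(.*\)"$/\1/p'
}

# txt_has_all: read `host -t txt` output on stdin; return 0 when every
# expected value given as an argument is present, 1 otherwise (missing
# values are reported on stderr).
txt_has_all() {
    found=$(txt_values)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$found" | grep -qxF -- "$want"; then
            echo "missing TXT value: $want" >&2
            rc=1
        fi
    done
    return "$rc"
}

# wait_for_txt NAME VALUE...: poll live DNS until all values are visible,
# retrying up to TRIES times every INTERVAL seconds (propagation can lag).
wait_for_txt() {
    name=$1; shift
    tries=${TRIES:-20}; interval=${INTERVAL:-15}; i=0
    while [ "$i" -lt "$tries" ]; do
        if host -t txt "$name" | txt_has_all "$@"; then
            echo "all TXT values for $name are visible"
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    echo "gave up on $name after $tries attempts" >&2
    return 1
}

# Constructed sample of host output (placeholder values, not real tokens),
# used to exercise the parser offline.
SAMPLE='_acme-challenge.abc.com descriptive text "valueONE"
_acme-challenge.abc.com descriptive text "valueTWO"'

# Usage: sh check_txt.sh _acme-challenge.abc.com VALUE1 VALUE2
if [ "$#" -ge 2 ]; then wait_for_txt "$@"; fi
```

Because the manual DNS challenge hands out fresh TXT values each time, the same check applies at every renewal; certbot's manual plugin will not renew non-interactively unless --manual-auth-hook supplies a script that recreates the records.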
Deleting a certificate
If a certificate was requested by mistake or needs replacing, the unneeded certificate can be deleted.
Check how many certificates have been requested:
[root@footmark ~]# ll /etc/letsencrypt/renewal
總計 12
-rw-r--r--. 1 root root 579 6月 20 19:44 footmark.info.conf
-rw-r--r--. 1 root root 613 4月 21 22:05 abc.com.conf
Delete the unneeded certificate abc.com (do not type the trailing .conf); the actual certificate files stored under /etc/letsencrypt/live/ are removed as well:
# certbot delete --cert-name abc.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Deleted all files relating to certificate abc.com.
-------------------------------------------------------------------------------
Web server configuration
Point Apache (httpd) or Nginx at the certificate and key paths shown above; after configuring the new certificate, the web server must be restarted for it to take effect.
Automatic certificate renewal
Let's Encrypt certificates are only valid for three months, so use the renewal command shown when the certificate was created to set up a scheduled job that renews it automatically:
# vim /etc/crontab
# Renew the certificates at 03:00 on the 1st of every month and restart Nginx (with Apache, replace nginx with httpd)
00 03 1 * * root /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx