快速配置Let's encrypt通配符证书 CentOS7

发表于

本文已参与「掘力星计划」,赢取创作大礼包,挑战创作激励金。

利用certbot工具配置Let’s encrypt通配符证书,所域名下所有的子域名都能方便的使用 https证书,而且完全免费。值得关注的是,Let’s encrypt通配符证书只是针对二级域名,并不能针对主域名,如*.hubinqiang.comhubinqiang.com 被认为是两个域名,如果和我一样使用的是主域名,在申请的时候需要注意都要申请。

配置环境

操作系统:CentOS7

配置域名:hubinqiang.com,*.hubinqiang.com

步骤

1. 获取Certbot

1
2
3
4
5
6
7
bash复制代码# 下载

wget https://dl.eff.org/certbot-auto

# 设为可执行权限

chmod u+x certbot-auto

2. 申请证书

执行

1
2
3
bash复制代码./certbot-auto certonly  -d "*.9wuquan.com" -d "9wuquan.com" --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory

./certbot-auto certonly  -d "*.lww123.com" -d "lww123.com" --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory

参数说明:

  • -certonly,表示安装模式,Certbot 有安装模式和验证模式两种类型的插件。
  • -manual,表示手动安装插件,Certbot 有很多插件,不同的插件都可以申请证书,用户可以根据需要自行选择。
  • -d,为哪些主机申请证书,如果是通配符,输入 *.hubinqiang.com(替换为自己的域名)。
  • -preferred-challenges,使用 DNS 方式校验域名所有权。
  • -server,Let’s Encrypt ACME v2 版本使用的服务器不同于 v1 版本,需要显示指定。

注意:将hubinqiang.com替换为自己的域名。可以通过多个-d 参数添加多个主机。

申请过程中需要如下确认:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
vbnet复制代码Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator manual, Installer None

Enter email address (used for urgent renewal and security notices) (Enter 'c' to

cancel): hubinqiang@126.com

-------------------------------------------------------------------------------

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

-------------------------------------------------------------------------------

(A)gree/(C)ancel: A

-------------------------------------------------------------------------------

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about EFF and

our work to encrypt the web, protect its users and defend digital rights.

-------------------------------------------------------------------------------

(Y)es/(N)o: Y

Obtaining a new certificate

Performing the following challenges:

dns-01 challenge for hubinqiang.com

dns-01 challenge for hubinqiang.com

-------------------------------------------------------------------------------

NOTE: The IP of this machine will be publicly logged as having requested this

certificate. If you're running certbot in manual mode on a machine that is not

your server, please ensure you're okay with that.

Are you OK with your IP being logged?

-------------------------------------------------------------------------------

(Y)es/(N)o: Y

-------------------------------------------------------------------------------

在域名 DNS 解析中添加 TXT记录:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
vbnet复制代码-------------------------------------------------------------------------------

Please deploy a DNS TXT record under the name

_acme-challenge.hubinqiang.com with the following value:

kC-QHSWO1LdIeyIs7VQ66sTAyioISnfzIJU0bXgo-Z8

Before continuing, verify the record is deployed.

-------------------------------------------------------------------------------

Press Enter to Continue

-------------------------------------------------------------------------------

Please deploy a DNS TXT record under the name

_acme-challenge.hubinqiang.com with the following value:

6XnGyee8W48QfRl61m_18aRs8rfvn4T8kKzQil0IYw4

Before continuing, verify the record is deployed.

-------------------------------------------------------------------------------

Press Enter to Continue

Waiting for verification...

Cleaning up challenges

显示我两个主机的 TXT 记录有两条,根据要求分别在 DNS 解析中添加两条 TXT 记录,其中一条如下:_acme-challenge

注意:若申请了多个主机,需要添加多个 TXT 记录。要求给 _acme-challenge.hubinqiang.com 配置 TXT 记录,在没有确认 TXT 记录生效之前不要回车执行。

确认生效后会有如下提示:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
vbnet复制代码IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/hubinqiang.com/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/hubinqiang.com/privkey.pem

   Your cert will expire on 2018-08-12. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot-auto

   again. To non-interactively renew *all* of your certificates, run

   "certbot-auto renew"

 - Your account credentials have been saved in your Certbot

   configuration directory at /etc/letsencrypt. You should make a

   secure backup of this folder now. This configuration directory will

   also contain certificates and private keys obtained by Certbot so

   making regular backups of this folder is ideal.

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le
  • 1
  • 2

进入/etc/letsencrypt/live/hubinqiang.com/中可以看到几个文件,cert.pemchain.pemfullchain.pemprivkey.pem,说明已经成功获取证书和密钥。

  1. 配置证书

在 nginx 中配置的片段:

1
2
3
4
5
6
7
8
9
10
11
12
13
ini复制代码server {

    server_name hubinqiang.com;

    listen 443 http2 ssl;

    ssl on;

    ssl_certificate /etc/letsencrypt/live/hubinqiang.com/fullchain.pem;

    ssl_certificate_key /etc/letsencrypt/live/hubinqiang.com/privkey.pem;

    ssl_trusted_certificate  /etc/letsencrypt/live/hubinqiang.com/chain.pem;
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8

重启 nginx 查看效果。

  1. 证书更新

Let’s encrypt 的免费证书默认有效期为 90 天,到期后如果要续期可以执行:

1. 获取Certbot 2. 申请证书

重新这2步就可以了证书更新

或者更新全部证书:

./certbot-auto

CentOS7Apache下上安装Let’s Encrypt

一、升级系统

  1. yum -y update

四、Apache下配置Let’s Encrypt

执行下条命令

  1. ./certbot-auto –apache

根据提示操作

Which names would you like to activate HTTPS for?

1: www.9wuquan.cn

2: www.lww123.cn

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter ‘c’ to cancel): 1

输入1

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.

2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you’re confident your site works on HTTPS. You can undo this

change by editing your web server’s configuration.

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2

输入2

五、打开防火墙iptables的443端口

六、编辑ssl.conf

vi /etc/httpd/conf.d/ssl.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
bash复制代码<VirtualHost *:80>

    DocumentRoot /var/www/jqbs

    ServerName 9wuquan.cn

    ServerAlias *.9wuquan.cn

<Directory />

     Options FollowSymLinks

     AllowOverride All

</Directory>

</VirtualHost>

<VirtualHost *:443>

  DocumentRoot /var/www/jqbs

  ServerName 9wuquan.cn

  ServerAlias *.9wuquan.cn

  SSLEngine on

  SSLProtocol TLSv1 TLSv1.1 TLSv1.2

  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

<Directory />

      Options FollowSymLinks ExecCGI

      AllowOverride All

      Order allow,deny

      Allow from all

      Require all granted

</Directory>

SSLCertificateFile /etc/letsencrypt/live/9wuquan.cn/cert.pem

SSLCertificateKeyFile /etc/letsencrypt/live/9wuquan.cn/privkey.pem

Include /etc/letsencrypt/options-ssl-apache.conf

SSLCertificateChainFile /etc/letsencrypt/live/9wuquan.cn/chain.pem

</VirtualHost>

/etc/httpd/conf/httpd.conf配置文件的修改主要有以下几项:

(2.安装apache的mod_ssl.so模块yum -y install mod_ssl)

1
2
3
bash复制代码LoadModule ssl_module modules/mod_ssl.so

LoadModule rewrite_module modules/mod_rewrite.so
  1. ServerSignature On => ServerSignature Off // 配置错误页不显示Apache版本
  2. Options Indexes FollowSymLinks => Options FollowSymLinks // 配置Apache不能通过目录层级进行文件访问

<Directory “/var/www”>

1
css复制代码AllowOverride All
  1. AllowOverride None => AllowOverride All // 配置允许.htaccess
  2. DirectoryIndex index.html => DirectoryIndex index.html index.php // 配置Apache支持.php文件解析

重启Apache

systemctl restart httpd

七、这个时候网站HTTPS已经能够访问了,试一下

最后,通过.htaccess进行301转向

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
perl复制代码<IfModule mod_rewrite.c>

  Options +FollowSymlinks -Multiviews

  RewriteEngine On



  RewriteCond   %{HTTPS} !=on

  RewriteRule   ^(.*)  https://%{SERVER_NAME}/$1 [L,R=302]

  RewriteCond %{REQUEST_FILENAME} !-d

  RewriteCond %{REQUEST_FILENAME} !-f

  RewriteRule ^(.*)$ index.php?/$1 [QSA,PT,L]

</IfModule>

# 图片和Flash内容缓存一个月

<FilesMatch ".(flv|gif|jpg|jpeg|png|ico|swf)$">

Header set Cache-Control "max-age=2592000"

</FilesMatch>

<FilesMatch ".(ttf)$">

Header set Access-Control-Allow-Origin "*"

</FilesMatch>
  1. 八、大功告成证书更新

Let’s encrypt 的免费证书默认有效期为 90 天,到期后如果要续期可以执行:

更新全部证书:

./certbot-auto

怎么把申请到的证书导入到IIS中

由于我们申请的证书为pem格式,而IIS只支持pfx格式证书

所以我们要把输的人pem文件合并为pfx证书

这样我们就要用到openssl命令了

openssl pkcs12 -export -out 51tcsd.pfx -inkey privkey.pem -in fullchain.pem -certfile cert.pem

我们用此命令把pem文件合并为51tcsd.pfx文件,提示中要输入证书的密码,按提示输入即可

显示输出如下

https://images2018.cnblogs.com/blog/45026/201805/45026-20180525174216702-1789610871.png

我们可以看到,当前目录下成功生成了51tcsd.pfx文件

接下来我们就要把51tcsd.pfx文件导入到Windows系统

我们知道Ubuntu对于Windows来说只是一个应用,

所以Ubuntu里所有的文件,我们都可以通过Windows资源管理里看到,

我发现我的Ubuntu目录挂载在我的Windows目录的此位置

C:\Users\Administrator\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs

https://images2018.cnblogs.com/blog/45026/201805/45026-20180525174601519-1460102186.png

我们进到C:\Users\Administrator\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\etc\letsencrypt\live\51tcsd.com-0001

就可以看到我们的pfx文件了

https://images2018.cnblogs.com/blog/45026/201805/45026-20180525174708392-773956879.png

( 1 ) 证书导入

• 开始 -〉运行 -〉MMC;

• 启动控制台程序,选择菜单“文件”中的”添加/删除管理单元”-> “添加”,从“可用的独立管理单元”列表中选择“证书”-> 选择“计算机帐户”;

• 在控制台的左侧显示证书树形列表,选择“个人”->“证书”,右键单击,选择“所有任务”-〉”导入”, 根据”证书导入向导”的提示,导入PFX文件(此过程当中有一步非常重要: “根据证书内容自动选择存储区”)。安装过程当中需要输入密码为您当时设置的密码。导入成功后,可以看到证书信息。

( 2 ) 分配服务器证书

• 打开 IIS8.0 管理器面板,找到待部署证书的站点,点击“绑定”。

• 设置参数选择“绑定”->“添加”->“类型选择 https” ->“端口 443” ->“ssl 证书【导入的证书名称】” ->“确定”。

SSL 缺省端口为 443 端口(请不要随便修改。 如果您使用其他端口如:8443,则访问时必须输入:www.domain.com:8443)。%E3%80%82/)

接下来。我们右键证书点安装pfx

https://images2018.cnblogs.com/blog/45026/201805/45026-20180525174903645-1223980533.png

https://images2018.cnblogs.com/blog/45026/201805/45026-20180525174934998-2047727718.png

输入刚刚openssl合并的时候输入的密码

https://images2018.cnblogs.com/blog/45026/201805/45026-20180525174959631-1344108232.png

https://images2018.cnblogs.com/blog/45026/201805/45026-20180525175044587-858536133.png

https://images2018.cnblogs.com/blog/45026/201805/45026-20180525175102458-361536214.png

点完成后。就会显示导入成功了

接下来。我们打开IIS管理器。看到服务器证书里面,就能发现我们申请的通配符证书了

https://images2018.cnblogs.com/blog/45026/201805/45026-20180525175317147-765263780.png

https://images2018.cnblogs.com/blog/45026/201805/45026-20180525175402347-596073691.png

接下来,我们给一个站点绑定随便一个二级域名,比如:a.51tcsd.com

首先把hosts文件把a.51tcsd.com解析到我本机127.0.0.1

https://images2018.cnblogs.com/blog/45026/201805/45026-20180525175608991-414872320.png

然后在IIS里选择站点”Default Web Site”选择右边的“绑定”

输入相关信息,并选择证书

https://images2018.cnblogs.com/blog/45026/201805/45026-20180525175819396-1302058709.png

然后我们在浏览器里访问a.51tcsd.com/

是不是看到惊喜了

https://images2018.cnblogs.com/blog/45026/201805/45026-20180525175945295-1026881646.png

HTTP 转HTTPS

HTTP和HTTPS交叉使用属于跨域的范畴,直接转接解决跨域问题的方法:

可以在相应的页面的里加上这句代码,意思是自动将http的不安全请求升级为https

IIS http转HTTPS

在web.cofg文件内加加入

<system.webServer>

</system.webServer>

Buy me a cup of coffee :)

本文转载自: 掘金

开发者博客 – 和开发相关的 这里全都有

0%