本文已参与「掘力星计划」,赢取创作大礼包,挑战创作激励金。
利用certbot工具配置Let’s encrypt通配符证书,所域名下所有的子域名都能方便的使用 https证书,而且完全免费。值得关注的是,Let’s encrypt通配符证书只是针对二级域名,并不能针对主域名,如*.hubinqiang.com和hubinqiang.com 被认为是两个域名,如果和我一样使用的是主域名,在申请的时候需要注意都要申请。
配置环境
操作系统:CentOS7
配置域名:hubinqiang.com,*.hubinqiang.com
步骤
1. 获取Certbot
# 下载 wget https://dl.eff.org/certbot-auto # 设为可执行权限 chmod u+x certbot-auto
2. 申请证书
执行
./certbot-auto certonly -d "*.9wuquan.com" -d "9wuquan.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory ./certbot-auto certonly -d "*.lww123.com" -d "lww123.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
参数说明:
-certonly,表示安装模式,Certbot 有安装模式和验证模式两种类型的插件。-manual,表示手动安装插件,Certbot 有很多插件,不同的插件都可以申请证书,用户可以根据需要自行选择。-d,为哪些主机申请证书,如果是通配符,输入 *.hubinqiang.com(替换为自己的域名)。-preferred-challenges,使用 DNS 方式校验域名所有权。-server,Let’s Encrypt ACME v2 版本使用的服务器不同于 v1 版本,需要显示指定。
注意:将hubinqiang.com替换为自己的域名。可以通过多个-d 参数添加多个主机。
申请过程中需要如下确认:
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): hubinqiang@126.com ------------------------------------------------------------------------------- Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory ------------------------------------------------------------------------------- (A)gree/(C)ancel: A ------------------------------------------------------------------------------- Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights. ------------------------------------------------------------------------------- (Y)es/(N)o: Y Obtaining a new certificate Performing the following challenges: dns-01 challenge for hubinqiang.com dns-01 challenge for hubinqiang.com ------------------------------------------------------------------------------- NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that. Are you OK with your IP being logged? ------------------------------------------------------------------------------- (Y)es/(N)o: Y -------------------------------------------------------------------------------
在域名 DNS 解析中添加 TXT记录:
------------------------------------------------------------------------------- Please deploy a DNS TXT record under the name _acme-challenge.hubinqiang.com with the following value: kC-QHSWO1LdIeyIs7VQ66sTAyioISnfzIJU0bXgo-Z8 Before continuing, verify the record is deployed. ------------------------------------------------------------------------------- Press Enter to Continue ------------------------------------------------------------------------------- Please deploy a DNS TXT record under the name _acme-challenge.hubinqiang.com with the following value: 6XnGyee8W48QfRl61m_18aRs8rfvn4T8kKzQil0IYw4 Before continuing, verify the record is deployed. ------------------------------------------------------------------------------- Press Enter to Continue Waiting for verification... Cleaning up challenges
显示我两个主机的 TXT 记录有两条,根据要求分别在 DNS 解析中添加两条 TXT 记录,其中一条如下:_acme-challenge
注意:若申请了多个主机,需要添加多个 TXT 记录。要求给 _acme-challenge.hubinqiang.com 配置 TXT 记录,在没有确认 TXT 记录生效之前不要回车执行。
确认生效后会有如下提示:
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/hubinqiang.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/hubinqiang.com/privkey.pem Your cert will expire on 2018-08-12. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
进入/etc/letsencrypt/live/hubinqiang.com/中可以看到几个文件,cert.pem、chain.pem、fullchain.pem、privkey.pem,说明已经成功获取证书和密钥。
3. 配置证书
在 nginx 中配置的片段:
server { server_name hubinqiang.com; listen 443 http2 ssl; ssl on; ssl_certificate /etc/letsencrypt/live/hubinqiang.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/hubinqiang.com/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/hubinqiang.com/chain.pem;
重启 nginx 查看效果。
- 证书更新
Let’s encrypt 的免费证书默认有效期为 90 天,到期后如果要续期可以执行:
1. 获取Certbot
2. 申请证书
重新这2步就可以了证书更新
或者更新全部证书:
./certbot-auto
CentOS7Apache下上安装Let's Encrypt
一、升级系统
- # yum -y update
二、Apache下配置Let's Encrypt
执行下条命令
- # ./certbot-auto --apache
根据提示操作
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
输入1
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
输入2
三、打开防火墙iptables的443端口
四、编辑ssl.conf
vi /etc/httpd/conf.d/ssl.conf
<VirtualHost *:80> DocumentRoot /var/www/jqbs ServerName 9wuquan.cn ServerAlias *.9wuquan.cn <Directory /> Options FollowSymLinks AllowOverride All </Directory> </VirtualHost> <VirtualHost *:443> DocumentRoot /var/www/jqbs ServerName 9wuquan.cn ServerAlias *.9wuquan.cn SSLEngine on SSLProtocol TLSv1 TLSv1.1 TLSv1.2 SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 <Directory /> Options FollowSymLinks ExecCGI AllowOverride All Order allow,deny Allow from all Require all granted </Directory> SSLCertificateFile /etc/letsencrypt/live/9wuquan.cn/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/9wuquan.cn/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateChainFile /etc/letsencrypt/live/9wuquan.cn/chain.pem </VirtualHost>
/etc/httpd/conf/httpd.conf配置文件的修改主要有以下几项:
(2.安装apache的mod_ssl.so模块yum -y install mod_ssl)
LoadModule ssl_module modules/mod_ssl.so LoadModule rewrite_module modules/mod_rewrite.so
- ServerSignature On => ServerSignature Off // 配置错误页不显示Apache版本
- Options Indexes FollowSymLinks => Options FollowSymLinks // 配置Apache不能通过目录层级进行文件访问
AllowOverride All
- AllowOverride None => AllowOverride All // 配置允许.htaccess
- DirectoryIndex index.html => DirectoryIndex index.html index.php // 配置Apache支持.php文件解析
重启Apache
systemctl restart httpd
五、这个时候网站HTTPS已经能够访问了,试一下
最后,通过.htaccess进行301转向
<IfModule mod_rewrite.c> Options +FollowSymlinks -Multiviews RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [L,R=302] RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(.*)$ index.php?/$1 [QSA,PT,L] </IfModule> # 图片和Flash内容缓存一个月 <FilesMatch ".(flv|gif|jpg|jpeg|png|ico|swf)$"> Header set Cache-Control "max-age=2592000" </FilesMatch> <FilesMatch ".(ttf)$"> Header set Access-Control-Allow-Origin "*" </FilesMatch>
- 八、大功告成证书更新
Let’s encrypt 的免费证书默认有效期为 90 天,到期后如果要续期可以执行:
更新全部证书:
./certbot-auto
怎么把申请到的证书导入到IIS中
由于我们申请的证书为pem格式,而IIS只支持pfx格式证书
所以我们要把输的人pem文件合并为pfx证书
这样我们就要用到openssl命令了
openssl pkcs12 -export -out 51tcsd.pfx -inkey privkey.pem -in fullchain.pem -certfile cert.pem
我们用此命令把pem文件合并为51tcsd.pfx文件,提示中要输入证书的密码,按提示输入即可
显示输出如下
我们可以看到,当前目录下成功生成了51tcsd.pfx文件
接下来我们就要把51tcsd.pfx文件导入到Windows系统
我们知道Ubuntu对于Windows来说只是一个应用,
所以Ubuntu里所有的文件,我们都可以通过Windows资源管理里看到,
我发现我的Ubuntu目录挂载在我的Windows目录的此位置
C:\Users\Administrator\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs
我们进到C:\Users\Administrator\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\etc\letsencrypt\live\51tcsd.com-0001
就可以看到我们的pfx文件了
( 1 ) 证书导入
• 开始 -〉运行 -〉MMC;
• 启动控制台程序,选择菜单“文件”中的”添加/删除管理单元”-> “添加”,从“可用的独立管理单元”列表中选择“证书”-> 选择“计算机帐户”;
• 在控制台的左侧显示证书树形列表,选择“个人”->“证书”,右键单击,选择“所有任务”-〉”导入”, 根据”证书导入向导”的提示,导入PFX文件(此过程当中有一步非常重要: “根据证书内容自动选择存储区”)。安装过程当中需要输入密码为您当时设置的密码。导入成功后,可以看到证书信息。
( 2 ) 分配服务器证书
• 打开 IIS8.0 管理器面板,找到待部署证书的站点,点击“绑定”。
• 设置参数选择“绑定”->“添加”->“类型选择 https” ->“端口 443” ->“ssl 证书【导入的证书名称】” ->“确定”。
SSL 缺省端口为 443 端口(请不要随便修改。 如果您使用其他端口如:8443,则访问时必须输入:www.domain.com:8443)。%E3%80%82/)
接下来。我们右键证书点安装pfx
输入刚刚openssl合并的时候输入的密码
点完成后。就会显示导入成功了
接下来。我们打开IIS管理器。看到服务器证书里面,就能发现我们申请的通配符证书了
接下来,我们给一个站点绑定随便一个二级域名,比如:a.51tcsd.com
首先把hosts文件把a.51tcsd.com解析到我本机127.0.0.1
然后在IIS里选择站点”Default Web Site"选择右边的“绑定”
输入相关信息,并选择证书
然后我们在浏览器里访问a.51tcsd.com/
是不是看到惊喜了
HTTP 转HTTPS
HTTP和HTTPS交叉使用属于跨域的范畴,直接转接解决跨域问题的方法:
可以在相应的页面的里加上这句代码,意思是自动将http的不安全请求升级为https
IIS http转HTTPS
在web.cofg文件内加加入
