Let's Encrypt certificates are not only free, they also support wildcard certificates. A wildcard certificate is one public-key certificate that covers every name one label below a domain (`*.example.com` covers `www.example.com` and `api.example.com`, but not `a.b.example.com`), which is very convenient when you run several subdomains. Requesting and configuring one is simple. Each certificate is valid for only 90 days, but renewal can be scripted, so once it is set up it is close to a one-time job. Wildcard certificates from commercial CAs are fairly expensive, so for an individual developer building small side projects, Let's Encrypt is probably the best choice.
certbot can generate the certificate with a few simple commands. First clone certbot onto the server:
$ git clone https://github.com/certbot/certbot
$ cd certbot
One thing to note: when requesting a Let's Encrypt certificate, the client has to pass a domain validation challenge that proves the requester controls the domain. ACME currently supports three challenge types: http-01, dns-01 and tls-alpn-01.
Wildcard names can only be validated with dns-01. My domain was bought through Alibaba Cloud, so I have to log in there and add a record under the DNS settings; how to add the TXT record is covered below. Start the request with the command below, replacing *.example.com and example.com with your own domain.
$ certbot-auto certonly --manual \
    -d '*.example.com' \
    -d example.com --agree-tos \
    --manual-public-ip-logging-ok \
    --preferred-challenges dns-01 \
    --server https://acme-v02.api.letsencrypt.org/directory
The wildcard name is quoted so the shell cannot expand the `*` against files in the current directory. The --server flag matters too: wildcard certificates are only issued by the ACME v2 endpoint.
After you run the command, certbot-auto first bootstraps its dependencies (it installs the OS packages it needs and creates a Python virtualenv for its own libraries), which takes a while; wait for that to finish. It then asks for an email address:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxxxxxx@email.com
Once you have entered a valid address, you have to prove control of the domain:
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
mhumL1xJOHPIZtFTEm4rotjJnR9TdkBVPuCS9YHvNjs
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Now open your DNS provider's console and add a record; mine is Alibaba Cloud, and other providers work much the same way. Choose record type TXT. For the host record, most consoles (Alibaba Cloud's included) expect only the label relative to your zone, that is `_acme-challenge`; the console appends the zone name itself, so entering the full `_acme-challenge.example.com` there would create `_acme-challenge.example.com.example.com`, which certbot will never find. For the record value enter the random string printed above, mhumL1xJOHPIZtFTEm4rotjJnR9TdkBVPuCS9YHvNjs. Do not press Enter in certbot yet.
Install a tool to check that the TXT record is live (dig ships in bind-utils on CentOS):
$ yum install bind-utils
Then query the record. A public resolver such as 8.8.8.8 works, with one caveat: if you query before the record exists, the resolver may cache that negative answer for some minutes, so querying one of the name servers returned by `dig -t ns example.com` instead of 8.8.8.8 gives the freshest view.
$ dig -t txt _acme-challenge.example.com @8.8.8.8
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t txt _acme-challenge.example.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29355
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.example.com. IN TXT
;; ANSWER SECTION:
_acme-challenge.example.com. 599 IN TXT "1scXnCO43OgpWRkdaVpTb-_vd2NGHwdmJEmQhvRC6AA"
;; Query time: 317 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jan 01 12:30:15 CST 2019
;; MSG SIZE rcvd: 118
certbot may then prompt you to deploy a second record:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
1scXnCO43OgpWRkdaVpTb-_vd2NGHwdmJEmQhvRC6AA
Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
This is not an error. Each name in the request (example.com and *.example.com) gets its own challenge, and both challenges use the same record name, so add a second TXT record with the same host and the new value and leave the first one in place, exactly as the prompt says. Once both records resolve, press Enter and you should see:
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-04-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The paths of the certificate chain and the private key, and the expiry date, are printed. /etc/letsencrypt/live/example.com/ holds symlinks to the newest versions, so point nginx there rather than at the archive directory. privkey.pem is the private key: keep it readable by root only and out of any backup or repository you share. One caveat on renewal: because the certificate was issued with --manual, `certbot-auto renew` cannot complete unattended on its own. It needs a --manual-auth-hook script that publishes the TXT record through your DNS provider's API; without one, non-interactive renewal fails and the certificate silently expires after 90 days.
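The auth hook below is an added example of what that unattended renewal can look like; it is not code from the original post or from certbot. It assumes a POSIX shell with dig installed, and its publish_txt function is a placeholder you must replace with your DNS provider's API or CLI call (Alibaba Cloud in the original post's case). The rest is generic: certbot sets CERTBOT_DOMAIN (the name being validated, with any leading `*.` already removed) and CERTBOT_VALIDATION (the token) before calling the hook, once per name in the request, so the script derives the record name, publishes the token, and polls the zone's authoritative name server until the record is visible there, rather than asking a public resolver that may have cached an earlier empty answer.

```shell
#!/bin/sh
# certbot --manual-auth-hook for dns-01 challenges (example code, not from the
# original post or from certbot). certbot exports CERTBOT_DOMAIN (the name being
# validated, with any leading "*." already stripped) and CERTBOT_VALIDATION (the
# token to publish) and calls this script once per name in the request.
# publish_txt is a PLACEHOLDER: replace its body with your DNS provider's API call.
set -eu

# Name of the challenge record; strips "*." defensively in case the caller
# passes the wildcard form, since the wildcard and base name share one record.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Reads "dig +short TXT" output on stdin (one double-quoted value per line) and
# succeeds only if the expected token is present as a whole value, so a record
# that merely starts with the token does not pass. Several records may
# legitimately exist under the same name: one per name being validated.
txt_contains_token() {
    tr -d '"' | grep -qxF -- "$1"
}

# Finds a name server authoritative for the zone containing $1 by walking up
# the labels until a name with NS records is found.
authoritative_ns() {
    name="$1"
    while [ -n "$name" ]; do
        ns=$(dig +short NS "$name" | head -n 1)
        if [ -n "$ns" ]; then
            printf '%s\n' "$ns"
            return 0
        fi
        case "$name" in
            *.*) name="${name#*.}" ;;
            *)   name="" ;;
        esac
    done
    return 1
}

# Polls the authoritative server until the token is visible. Asking it directly
# avoids a public resolver (8.8.8.8 in the post) caching the empty answer from
# an early query for the zone's negative-cache TTL.
wait_for_txt() {
    name="$1"; token="$2"; attempts="${3:-30}"
    ns=$(authoritative_ns "$name") || { echo "no NS found for $name" >&2; return 1; }
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if dig +short TXT "$name" "@$ns" | txt_contains_token "$token"; then
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT record $name did not appear at $ns in time" >&2
    return 1
}

# PLACEHOLDER (assumption): create a TXT record through the provider's API or
# CLI. It fails loudly until replaced so that renewal never hangs waiting for a
# record that was never published.
publish_txt() {
    echo "publish_txt: replace this with a call that adds TXT $1 = $2" >&2
    return 1
}

main() {
    record=$(acme_record_name "$CERTBOT_DOMAIN")
    publish_txt "$record" "$CERTBOT_VALIDATION"
    wait_for_txt "$record" "$CERTBOT_VALIDATION"
}

# Only act when certbot invoked us; run or sourced without its variables, the
# script just defines the functions above.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    main
fi
```

Save it somewhere such as /usr/local/bin/acme-dns-hook.sh (a path chosen for this example), make it executable, and renew with `certbot-auto renew --manual-auth-hook /usr/local/bin/acme-dns-hook.sh --deploy-hook 'nginx -s reload'`. Once publish_txt exists, a matching --manual-cleanup-hook that deletes the record (certbot passes the same variables to it) keeps the zone free of stale challenge records.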
If you use nginx, the configuration is straightforward. The directives below are the original ones with two corrections: `ssl on;` is replaced by `listen 443 ssl;` (the former has been deprecated since nginx 1.15.0), and both server blocks also match `*.example.com`, since serving subdomains is what the wildcard certificate is for.
# Redirect plain HTTP to HTTPS for the apex and for every subdomain
# the wildcard certificate covers
server {
    listen 80;
    server_name example.com *.example.com;
    return 301 https://$host$request_uri;
}

# Terminate TLS on port 443 and proxy requests to the application on port 3000
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    server_name example.com *.example.com;

    # certificate chain and private key written by certbot; /live/ holds
    # symlinks to the newest versions, so a renewal only needs a reload
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:3000;
        # let the application see the original host and that TLS was used
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
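Before reloading nginx with a freshly issued or renewed certificate, it is worth checking that fullchain.pem and privkey.pem actually belong together, that the leaf covers the names nginx will serve, and how much validity is left. The shell functions below are an added example (not from the original post) that do this with the openssl command line; the paths in check_certbot_live are the ones certbot printed above, and the wildcard matching follows the one-label rule, so `*.example.com` covers www.example.com but not a.b.example.com.

```shell
#!/bin/sh
# Pre-deploy checks for a Let's Encrypt certificate (example code, not from the
# original post). Requires the openssl CLI. Each function returns 0 on success
# so it can be used directly in an if or && chain.

# Does the public key in the certificate match the private key?
# Compares the two SubjectPublicKeyInfo blocks, which works for RSA and EC keys.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Does the leaf certificate expire within the given number of days?
# "openssl x509 -checkend N" exits 0 when the certificate is still valid N
# seconds from now, so its result is inverted here.
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Is the host name covered by one of the certificate's subjectAltName entries?
# A wildcard entry covers exactly one additional label, as browsers enforce.
cert_covers_name() {
    host="$2"
    sans=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
           | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p')
    # read line by line rather than "for san in $sans" so that a "*." entry is
    # never subject to pathname expansion
    while IFS= read -r san; do
        case "$san" in
            "$host") return 0 ;;
            \*.*)
                suffix="${san#\*.}"
                case "$host" in
                    *."$suffix")
                        label="${host%."$suffix"}"
                        case "$label" in *.*) ;; *) return 0 ;; esac ;;
                esac ;;
        esac
    done <<EOF
$sans
EOF
    return 1
}

# Run all three checks against certbot's output paths for a domain; returns
# non-zero on any failure so a deploy script can stop before reloading nginx.
check_certbot_live() {
    live="/etc/letsencrypt/live/$1"
    cert_matches_key "$live/fullchain.pem" "$live/privkey.pem" \
        || { echo "private key does not match certificate" >&2; return 1; }
    cert_covers_name "$live/fullchain.pem" "$1" \
        || { echo "certificate does not cover $1" >&2; return 1; }
    if expires_within_days "$live/fullchain.pem" 30; then
        echo "certificate for $1 expires within 30 days; renew it" >&2
        return 1
    fi
}
```

Typical use in a deploy step is `check_certbot_live example.com && nginx -t && nginx -s reload`; the 30-day threshold matches the point at which certbot itself starts renewing.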