Nemo

Nemo

路漫漫其修远兮,吾将上下而求索。

Nemo

Nemo

关注TA

路漫漫其修远兮,吾将上下而求索。

  • 普罗旺斯
  • 负责帅就完事了

最近留言

该文章投稿至  综合  板块


利用Let’s Encrypt获取https证书免费为网站添加全站https支持

2017年09月14 17:27 3,703 0 复制链接

Let’s Encrypt是一个完全免费的https证书提供服务,link-nemo之前因为觉得麻烦,所以就没有做https方面的工作,正好现在有点时间,所以稍稍弄下。

这里的服务器环境是Ubuntu。

1、安装certbot-auto,可以参考官网:https://certbot.eff.org/#ubuntuother-nginx

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

2、生成证书:

 ./certbot-auto certonly --email nemomeng@link-nemo.com --agree-tos --no-eff-email --webroot -w /path-to-webroot -d www.link-nemo.com

需要注意的是,这个命令中的path-to-webroot是指网站的根目录,比如,www.link-nemo.com可以直接访问到的根目录。

该指令执行过程可能会比较慢,也可以修改pip源为国内源来加速。

当看到如下输出,证明成功:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.link-nemo.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.link-nemo.com/privkey.pem
   Your cert will expire on 2017-12-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

可以看到输出结果显示,输出文件存储在

 /etc/letsencrypt/live/www.link-nemo.com/

至此,证书生成完毕。

3、link-nemo的服务是跑在nginx + tomcat 下的,而之前nginx只监听了80端口,所以需要修改nginx,添加https需要监听的443 ssl端口,并且指定ssl证书的位置:

server{
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/www.link-nemo.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.link-nemo.com/privkey.pem;
  server_name www.link-nemo.com link-nemo.com;

  #....此处省略一些别的配置
}

还需要调整下原来的http监听的80端口,把所有http的请求都转发为https:

server {
    listen       80 default;
    server_name  www.link-nemo.com link-nemo.com;

    #......此处省略了一些别的配置
}

4、保存后,重载下nginx服务:

service nginx restart

重载过程若无错误,则访问http://www.link-nemo.com,正常情况下,该请求会被正常转发为https://www.link-nemo.com。


至此,https证书服务部署完毕。


5、不过,还需要注意的是,Let’s Encrypt证书的有效期只有90天,一旦过期,还需要更新下证书。这里可以添加系统事件,让系统自动更新证书即可。

cd 进入certbot-auto的存储目录,执行

./certbot-auto renew --dry-run 

可以测试证书是否可以更新。

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.link-nemo.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.link-nemo.com
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.link-nemo.com/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.link-nemo.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.


OK,接下来在系统事件中添加定时任务:

输入

crontab -e

添加

30 4 * * 1  /path-to-cerbot/certbot-auto renew --renew-hook "service nginx restart" --quiet > /dev/null 2>&1 &

需要注意的是,这里的path-to-cerbot是指保存cerbot-auto文件的位置。

这样,设置了就每周一凌晨4点30自动更新证书,如果更新成功就自动重启nginx服务,证书在到期前30天内才能更新,多余的更新会自动忽略掉的,每周更新还有一个好处是更新可能会失败,这样最多还有4次的尝试机会来保证不会过期。

修改好后保存退出即可。


6、最后一下忽然想到去https://www.ssllabs.com做个评级。

浏览器打开:https://www.ssllabs.com/ssltest/analyze.html?d=www.link-nemo.com

好一会结果出来,显示评级为C:

TIM截图20170914175404

证明还需要优化下ssl配置。

首先关掉ssl v2和ssl v3支持,这两个有安全问题,在nginx配置中的443监听服务中添加:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

再配置下dhparams长度,先执行如下操作:

$ cd /opt
$ mkdir dhparam
$ cd dhparam/
$ mkdir keys
$ cd keys/
$ openssl dhparam -out dhparams.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..................................+.............................................................................................................................................+........................................................................................................................................................................+....................................................+......................................................................................................................................................................................................................................................................................................................................................................+..................+................................................+.+..............................................................................................................................................................................+.................................................................................................................................+......................................................................+..........................................................................................................................+............................................................................................................................................................................................+..+..........................................................................................................................+.........................................+.+...................+..........................+....................................................................+...............................................................................................................+...+...............+..........................................+.......................................................+..............................................................+...........................+........................................................................................+.........+................................................................+...................................+................................................+..............+....................+....................................................................................................................+.............................................+...........................................................................................................................................................+...................................+.............................................................................................+............................................................................................................................+............+................................+.................+...............................................................+...............................................................................................................................................................+.....................................+..............................................................................................................................................+..................................................+.....+......................................................................+...................................................+.........+..............................................................................+................+.....................................................................................+...............................................+........................................................................................................................................................+..................................+...................................................+....................................................................................................................+............................+.............................................................+..........................+...............+.............................+............++*++*
$ cd ..
$ sudo chmod 700 keys

然后修改nginx配置,添加一些配置,最终443监听服务会变成如下配置:

server{
  listen 443 ssl;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_dhparam /opt/dhparam/keys/dhparams.pem;
  ssl_certificate /etc/letsencrypt/live/www.link-nemo.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.link-nemo.com/privkey.pem;
  server_name www.link-nemo.com;

 #......此处省略了一些别的配置
}

重启nginx服务:

$  service nginx restart

再次评级,等级即可到达A

TIM截图20170914180227

点赞(0)
点了个评

回复@{{reply.nickName}}