Let’s Encrypt是一个证书机构,被浏览器信任,它会颁发一个免费3个月的证书,到期可以重新颁发或者更新。
这个机构搞了一个协议叫ACME (Automatic Certificate Management Environment)
根据这个协议搞了一个官网客户端叫 Certbot 便于给使用者申请证书。
官网地址:https://certbot.eff.org/
github地址:https://github.com/certbot/certbot
# 克隆 certbot:
[root@www ~]# git clone https://github.com/certbot/certbot.git
# 生成证书
[root@www certbot]# ./certbot-auto certonly --webroot -w /mnt/web/wx.rootop.org/ -d wx.rootop.org --webroot 是通过验证网站目录 -w 是指定网站目录路径 -d 指定域名 Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): # 输入你邮箱 ------------------------------------------------------------------------------- Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory ------------------------------------------------------------------------------- (A)gree/(C)ancel: # 输入 A 同意 ------------------------------------------------------------------------------- Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights. ------------------------------------------------------------------------------- (Y)es/(N)o: N # 发送邮件,我选了N Obtaining a new certificate Performing the following challenges: http-01 challenge for wx.rootop.org Using the webroot path /mnt/web/wx.rootop.org for all unmatched domains. Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/wx.rootop.org/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/wx.rootop.org/privkey.pem Your cert will expire on 2018-07-25. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
看到 Congratulations 即为成功。
/etc/letsencrypt/live/wx.rootop.org/fullchain.pem 证书路径
/etc/letsencrypt/live/wx.rootop.org/privkey.pem 私钥路径
# 原理推测:
[root@www certbot]# ./certbot-auto certonly --webroot -w /mnt/web/a/ -d wx.rootop.org # 我写了一个非网站目录地址
如果上面的 -w 输入的网站路径不是网站的根目录,那么在验证信息的时候会报错。
Waiting for verification... Cleaning up challenges Failed authorization procedure. wx.rootop.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://wx.rootop.org/.well-known/acme-challenge/o-2oEswrYaKXstl3mckB9KFRt9kaxPsGhCDPngATQFA: "<html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>" IMPORTANT NOTES: - The following errors were reported by the server: Domain: wx.rootop.org Type: unauthorized Detail: Invalid response from http://wx.rootop.org/.well-known/acme-challenge/o-2oEswrYaKXstl3mckB9KFRt9kaxPsGhCDPngATQFA: "<html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>" To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
可以看到验证的时候是访问了 http://wx.rootop.org/.well-known/acme-challenge/o-2oEswrYaKXstl3mckB9KFRt9kaxPsGhCDPngATQFA
这个路径的文件,但是我-w指定的路径是错的,并不是网站的目录,所以访问不到。
这样就可以推测,certbot是去网站根目录自动创建文件夹及文件,用于官方确认你对域名拥有所有权。
通过上面的错误提示,如下2个原因。
原因1,未添加dns解析
原因2,网站根目录配置错误
所以要确认dns已经解析及路径无误。
还有一种情况就是nginx做为反向代理,这样的话就需要自己写个location,并指定目录。如:
location ~ ^/.well-known/ { root /mnt/web/a/; }
这样就让服务器在验证的时候,直接去/mnt/web/a下找自动生成的验证文件。
# 配置nginx
listen 443; ssl on; ssl_certificate /etc/letsencrypt/live/wx.rootop.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/wx.rootop.org/privkey.pem;
重启nginx,就可以https访问了。
证书续期:
[root@www certbot]# ./certbot-auto renew # 执行此命令自动检测续期,不需要干预。
Saving debug log to /var/log/letsencrypt/letsencrypt.log
——————————————————————————-
Processing /etc/letsencrypt/renewal/wx.rootop.org.conf
——————————————————————————-
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wx.rootop.org
Waiting for verification…
Cleaning up challenges
——————————————————————————-
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/wx.rootop.org/fullchain.pem
——————————————————————————-
Plugins selected: Authenticator webroot, Installer None
——————————————————————————-
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/wx.rootop.org/fullchain.pem (success)
——————————————————————————-
原创文章,转载请注明。本文链接地址: https://www.rootop.org/pages/4045.html