首頁 / 網站建設 / 實戰!安裝Let’s Encrypt@CentOS、NGiNX
letsencrypt
letsencrypt

實戰!安裝Let’s Encrypt@CentOS、NGiNX

Google、Cisco、Akamai、Mozilla、IdenTrust、蘋果、微軟等等的公司合推的非營利、開源、免費SSL認證的網路認證發放機構Let’s Encrypt從去年秋季開始發放免費但限期3個月SSL簽證(可無限續期)之後,陸續已經超過有3百多萬個網站使用,我也順便這兩天玩了一下,簡單做個記錄。 (H)

1.安裝Bc、git、EPEL來源

yum -y install git bc epel-release

2-1.git方式下載Let’s Encrypt(推薦)

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

2-2.一般方式下載Let’s Encrypt

cd /opt/
wget https://github.com/letsencrypt/letsencrypt/archive/v0.5.0.tar.gz
tar xf v*.tar.gz -C /opt/
mv letsencrypt-* letsencrypt
cd /opt/letsencrypt

letsencrypt_01

3.以Diffie-Hellman(迪菲-赫爾曼)交換演算法產生密鑰

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

4.申請Let’s Encrypt認證,請注意修改以下三項:

admin@guess.za.net = 修改成使用中的信箱
guess.za.net = 修改成要申請的域名
/home/wwwroot/default/ = 修改成主機的網頁根目錄

mkdir -p /home/wwwroot/guess.za.net/.well-known/acme-challenge
cd /opt/letsencrypt
./letsencrypt-auto certonly --email admin@guess.za.net -d "guess.za.net" --webroot -w /home/wwwroot/guess.za.net/ --agree-tos

letsencrypt_02

成功後會產生三個檔案,位置分別是:

/etc/ssl/certs/dhparam.pem
/etc/letsencrypt/live/guess.za.net/fullchain.pem
/etc/letsencrypt/live/guess.za.net/privkey.pem

5.設定NGiNX檔案,在server區段內新增

※請注意修改成實際產生的位置※

        listen 443 ssl;

        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_certificate /etc/letsencrypt/live/guess.za.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/guess.za.net/privkey.pem;

        ssl on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

設定完畢後先用此指令測試設定檔有無出錯

nginx -t

確認沒問題之後才重啟NGiNX,然後前往ssllabs.com檢查SSL認證狀態

letsencrypt_06letsencrypt_07

nginx -s reload
ps ax | grep nginx
netstat -atunp | grep nginx

letsencrypt_03

6.新增Let’s Encrypt的設定檔來自動更新SSL

※請注意修改成使用中的信箱、要申請的域名、主機的網頁根目錄※

mkdir -p /var/log/letsencrypt/
mkdir -p /etc/letsencrypt/configs
cat >> /etc/letsencrypt/configs/guess.za.net.conf <<EOF
domains = guess.za.net
rsa-key-size = 2048
server = https://acme-v01.api.letsencrypt.org/directory
email = admin@guess.za.net
text = True
authenticator = webroot
webroot-path = /home/wwwroot/guess.za.net/
EOF&#91;/code&#93;

<span style="color: #f97405; font-size: medium;">7.</span>新增自動更新SSL認證的SH檔案,內容如下:

<font size="3" color="#FF0000">※請注意修改成實際設定檔的位置※</font>

<code>vi /root/renew-letsencrypt.sh</code>
#!/bin/sh

cd /opt/letsencrypt/
./letsencrypt-auto certonly --config /etc/letsencrypt/configs/111.net.conf --agree-tos --renew-by-default
./letsencrypt-auto certonly --config /etc/letsencrypt/configs/222.net.conf --agree-tos --renew-by-default
./letsencrypt-auto certonly --config /etc/letsencrypt/configs/333.net.conf --agree-tos --renew-by-default

if [ $? -ne 0 ]
 then
        ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
        echo -e &quot;The Let's Encrypt cert has not been renewed! \n \n&quot; \
                 $ERRORLOG
 else
        nginx -s reload
fi

exit 0

letsencrypt_04

記得給權限唷 :$

chmod +x /root/renew-letsencrypt.sh

8.設定自動排程,每月1號自動更新SSL認證

crontab -e

@monthly cd /opt/letsencrypt && git pull
@monthly /root/renew-letsencrypt.sh

參考資料:
http://letsencrypt.readthedocs.org/en/latest/using.html
https://www.godaddy.com/help/install-a-lets-encrypt-ssl-nginx-20246
https://codex.wordpress.org/Nginx
https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7

臉書回應

篇回應

關於 窮苦人家的小孩

In every democracy, the people get the government they deserve. ~Alexis de Tocqueville
上一篇:
下一篇:

您可能會喜歡

[CentOS]MariaDB 5.x 升級到 10.x 版本

CentOS 7預設的資料庫來 …

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *

這個網站採用 Akismet 服務減少垃圾留言。進一步瞭解 Akismet 如何處理網站訪客的留言資料