【SSL】用Certbot生成免费HTTPS证书

1. 实验背景

服务器:CentOS7.x

示例域名: www.example.com

域名对应的web站点目录: /usr/local/openresty/nginx/html

2. 安装docker

# yum -y  install  yum-utils

# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo 

# yum list docker-ce --showduplicates | sort -r

# yum -y install  docker-ce-17.12.0.ce

3. 添加镜像加速仓库

#   tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://m3e4jmm0.mirror.aliyuncs.com"]
}
EOF

# systemctl restart docker 
# systemctl restart docker 

4. 拉取 certbot 工具镜像

#  docker  pull  certbot/certbot:v1.11.0
v1.11.0: Pulling from certbot/certbot
801bfaa63ef2: Pull complete
7678dd7631a2: Pull complete
4c6139ab40d8: Pull complete
ff5ef8cd8062: Pull complete
73dee1f700a1: Pull complete
3dfb7190edf9: Pull complete
176bf1686307: Pull complete
fe1749c3045d: Pull complete
5a79fca54080: Pull complete
e57ac51359f9: Pull complete
88988e2ba14a: Pull complete
a916063ca8d3: Pull complete
168ae0b7107a: Pull complete
d0bd333abff4: Pull complete
Digest: sha256:fecbc1f03607f961d20a6c6b0624507e42e6dea7c7f1548e2cbb8c3782b35da9
Status: Downloaded newer image for certbot/certbot:v1.11.0

5 . 测试示例域名解析

# nslookup  www.exanple.com
Server:         114.114.114.114
Address:        114.114.114.114#53

Non-authoritative answer:
Name:   www.exanple.com
Address: 199.59.243.224

注意,示例域名 www.exanple.com在certbot机器上一定要解析在公网ip,而不是解析在内网ip,否则会报错无法解析:

Waiting for verification...
Challenge failed for domain www.example.com
http-01 challenge for www.example.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.example.com
   Type:   dns
   Detail: DNS problem: query timed out looking up A forwww.example.com; 
   DNS problem: query timed out looking up AAAA for www.example.com

6. 生成证书

#  mkdir   -p    /etc/letsencrypt

# docker run -it --rm  -v  /etc/letsencrypt:/etc/letsencrypt   -v /usr/local/openresty/nginx/html:/usr/local/openresty/nginx/html  certbot/certbot:v1.11.0  certonly --webroot -w  /usr/local/openresty/nginx/html  -d  www.example.com  -m  123456789@qq.com   --agree-tos


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for www.example.com
Performing the following challenges:
http-01 challenge for www.example.com
Using the webroot path /usr/local/openresty/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: 123456789@qq.com).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.example.com/privkey.pem
   Your certificate will expire on 2023-12-28. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Let's Encrypt需要验证网站的所有权才能颁发证书, 官方称之为challenge(挑战)。

生成证书期间,Certbot工具在nginx的web目录 /usr/local/openresty/nginx/html/ 下创建隐藏临时文件夹 .well-known/acme-challenge,生成一个临时随机字符串文件 CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI

Certbot 会让 Let's Encrypt 通过公网访问 http://www.example.com/.well-known/acme-challenge/CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI 校验,如果文件内容对得上就签发。

证书签发完成后,Certbot 会删除该临时文件夹,所以如果要观察这个文件,需要在证书签发期间去cat一下。

#  cat /usr/local/openresty/nginx/html/.well-known/acme-challenge/CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI

CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI.sHK8K8we80hc978Nkuo1I8tCjj8VA3D87bVwb7Y8ZwM

7. 验证证书

# ll /etc/letsencrypt/live/www.example.com/
total 4.0K
lrwxrwxrwx 1 root root  41 Sep 29 09:55 cert.pem -> ../../archive/www.example.com/cert1.pem
lrwxrwxrwx 1 root root  42 Sep 29 09:55 chain.pem -> ../../archive/www.example.com/chain1.pem
lrwxrwxrwx 1 root root  46 Sep 29 09:55 fullchain.pem -> ../../archive/www.example.com/fullchain1.pem
lrwxrwxrwx 1 root root  44 Sep 29 09:55 privkey.pem -> ../../archive/www.example.com/privkey1.pem
-rw-r----- 1 root root 692 Sep 29 09:55 README

证书: /etc/letsencrypt/live/www.example.com/fullchain.pem

私钥: /etc/letsencrypt/live/www.example.com/privkey.pem

#  openssl   x509   -noout   -text  -in  /etc/letsencrypt/live/www.example.com/fullchain.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:bb:52:8d:5a:6f:03:cc:f1:06:12:75:b0:2f:1e:8a:e6:12
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Sep 29 00:55:29 2023 GMT
            Not After : Dec 28 00:55:28 2023 GMT
        Subject: CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:d4:38:10:96:f9:7a:ef:10:00:98:1d:a3:ed:
                    c8:96:71:60:02:ed:8d:32:99:0e:15:11:a4:14:e1:
                    32:c8:31:75:fa:90:b2:55:3e:c1:6a:2a:f6:3f:ac:
                    62:1b:f8:cc:0e:bc:4a:27:ea:94:2b:eb:78:49:d1:
                    f9:c4:5e:f0:12:7f:c5:95:0d:cc:31:b3:8e:f0:ec:
                    3e:55:b6:97:17:b0:0d:32:35:72:1a:82:87:4f:81:
                    a0:07:60:7b:b8:03:2e:75:e8:7a:3b:1d:69:40:04:
                    de:50:36:e8:49:b9:82:25:1d:30:3d:38:16:28:ad:
                    df:a3:c8:d1:80:a6:87:45:e9:6a:2c:75:5b:06:0f:
                    97:1e:15:d2:f9:c9:59:9a:9e:ee:5a:4f:bd:14:74:
                    36:d1:4b:47:0b:c5:8d:75:b7:e7:e0:53:28:41:1f:
                    b7:05:ae:2f:29:86:98:6f:75:64:e7:83:fd:ce:12:
                    e2:fc:12:5d:01:01:18:e6:74:1f:83:6a:58:21:01:
                    99:68:62:8c:29:82:7e:6e:ad:26:50:6b:5d:70:73:
                    21:5e:19:e1:0c:35:71:53:b7:de:21:66:6e:e4:d9:
                    32:5e:14:0c:24:2a:00:63:f9:8b:b7:84:12:28:1d:
                    90:99:4b:08:bc:82:f8:15:68:9d:64:09:ea:1f:bf:
                    97:3f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                9F:7A:1C:81:35:31:13:62:6E:F6:84:CB:5D:67:2A:41:A5:1C:6F:AC
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name:
                DNS:www.example.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
                                5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
                    Timestamp : Sep 29 01:55:29.732 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:04:02:FF:43:4D:F2:B4:EA:9F:A0:22:F7:
                                5A:C6:81:48:C2:A2:91:FE:5C:D7:3D:19:8D:6E:58:64:
                                06:20:6E:4C:02:21:00:E0:AB:A8:2F:FD:D6:58:E1:62:
                                6F:A6:94:F3:D8:5D:02:5E:52:1E:00:06:BD:58:B5:00:
                                F5:8A:C1:7C:EB:33:B5
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9:
                                03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E
                    Timestamp : Sep 29 01:55:29.706 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:CE:03:25:26:CF:0E:65:22:9B:9E:EF:
                                41:CE:6E:AD:EF:FE:B9:FB:66:4F:D9:0A:40:EE:A4:48:
                                C5:1D:2A:DD:98:02:20:55:84:8F:49:51:E7:47:B7:46:
                                A4:09:AB:C2:54:F1:65:79:67:C3:7F:DE:6B:9F:77:96:
                                CF:81:A4:0D:F1:A1:8F
    Signature Algorithm: sha256WithRSAEncryption
         2d:c1:21:8b:3e:68:d8:df:47:bd:2e:b9:50:ea:cb:23:8d:ba:
         ea:17:09:15:27:cb:74:6d:6b:83:9e:a8:19:e3:75:6a:e4:ac:
         d2:13:6c:a0:d7:b1:2f:63:f4:f4:6f:86:51:af:37:8f:04:63:
         7b:6b:df:93:87:56:a2:0a:1a:79:df:f5:9d:a8:2e:45:7f:83:
         3e:b7:d8:a5:5e:59:c3:27:b7:9f:59:24:bc:d5:22:05:db:84:
         8e:db:0f:c3:1b:50:d6:c2:3e:38:8c:6e:99:29:bf:42:f7:b2:
         52:36:91:58:6e:fc:cf:ef:dd:ef:45:4c:9c:b9:9e:bb:53:49:
         a1:98:7a:ce:3b:c2:dd:38:06:c5:45:06:74:1e:da:5b:30:43:
         1a:82:95:ff:2c:d0:aa:f2:96:a3:0d:50:90:d1:ec:2b:9e:a9:
         22:3a:0e:93:9a:5c:ce:4f:c8:74:e3:c0:37:cc:4d:6f:48:3f:
         aa:6e:11:2c:79:3b:ce:b9:30:13:78:96:e7:ce:89:c6:d4:63:
         7d:3a:97:83:97:f3:a6:f0:a5:46:6a:90:4e:cf:eb:c0:13:7e:
         a9:01:bd:a9:b8:e1:01:2f:21:84:6c:9b:0c:b3:48:9b:48:a9:
         5b:b6:e3:48:91:68:56:fa:3a:26:92:88:51:c8:a8:84:17:52:
         45:d9:77:6d

https://myssl.com/cert_decode.html

8. 参考

Linux上 基于x86 和 arm CPU架构安装 docker

https://www.jianshu.com/p/99373f14b990

CentOS7.x cerbot 安装使用

https://www.jianshu.com/p/735ed33feaa3

相关推荐
hzyyyyyyyu5 小时前
隧道技术-tcp封装icmp出网
网络·网络协议·tcp/ip
运维佬7 小时前
在 MySQL 8.0 中,SSL 解密失败,在使用 SSL 加密连接时出现了问题
mysql·adb·ssl
清尘沐歌9 小时前
有什么好用的 WebSocket 测试工具吗?
websocket·网络协议·测试工具
清尘沐歌9 小时前
有什么好用的 WebSocket 调试工具吗?
网络·websocket·网络协议
earthzhang202110 小时前
《深入浅出HTTPS》读书笔记(7):安全的密码学Hash算法
网络·网络协议·http·https·1024程序员节
找藉口是失败者的习惯10 小时前
探索 HTTP 请求方法:GET、POST、PUT、DELETE 等的用法详解
网络·网络协议·http
vortex510 小时前
HTTP 协议及内外网划分详解
网络·网络协议·http·网络安全
莫轻言舞10 小时前
Java Http 接口对接太繁琐?试试 UniHttp 框架吧
网络·网络协议·http
卜及中10 小时前
理解HTTP中的Cookie与Session:机制、安全性与报头响应
网络·网络协议·http
群联云防护小杜11 小时前
CC攻击为什么难防御?
网络·网络协议·安全·web安全·udp