[SSL] Generating a free HTTPS certificate with Certbot

1. Background

Server: CentOS 7.x

Example domain: www.example.com

Web root directory serving the domain: /usr/local/openresty/nginx/html

2. Install Docker

# yum -y install yum-utils

# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

# yum list docker-ce --showduplicates | sort -r

# yum -y install docker-ce-17.12.0.ce

3. Add a registry mirror

# tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://m3e4jmm0.mirror.aliyuncs.com"]
}
EOF

# systemctl restart docker

4. Pull the certbot image

# docker pull certbot/certbot:v1.11.0
v1.11.0: Pulling from certbot/certbot
801bfaa63ef2: Pull complete
7678dd7631a2: Pull complete
4c6139ab40d8: Pull complete
ff5ef8cd8062: Pull complete
73dee1f700a1: Pull complete
3dfb7190edf9: Pull complete
176bf1686307: Pull complete
fe1749c3045d: Pull complete
5a79fca54080: Pull complete
e57ac51359f9: Pull complete
88988e2ba14a: Pull complete
a916063ca8d3: Pull complete
168ae0b7107a: Pull complete
d0bd333abff4: Pull complete
Digest: sha256:fecbc1f03607f961d20a6c6b0624507e42e6dea7c7f1548e2cbb8c3782b35da9
Status: Downloaded newer image for certbot/certbot:v1.11.0

5. Test DNS resolution of the example domain

# nslookup www.example.com
Server:         114.114.114.114
Address:        114.114.114.114#53

Non-authoritative answer:
Name:   www.example.com
Address: 199.59.243.224

Note: from the certbot machine, the example domain www.example.com must resolve to a public IP, not to an internal (private) IP; otherwise the challenge fails with a DNS resolution error like the following:

Waiting for verification...
Challenge failed for domain www.example.com
http-01 challenge for www.example.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.example.com
   Type:   dns
   Detail: DNS problem: query timed out looking up A for www.example.com;
   DNS problem: query timed out looking up AAAA for www.example.com
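As an added example (not part of the original post), the following Python pre-flight check resolves the domain and classifies every returned address as public or private, so the private-IP situation described above is caught before certbot is run. The resolver is injectable, which is how the test exercises it offline; the addresses used in the test are constructed.

```python
import ipaddress
import json
import socket
import sys


def resolve(domain):
    """Resolve A/AAAA records through the system resolver and return the unique addresses.
    Only the public DNS view matters to the CA, so run this from a host using public DNS."""
    try:
        infos = socket.getaddrinfo(domain, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        # NXDOMAIN, SERVFAIL or a timeout all end up here: nothing to validate against.
        return []
    return sorted({info[4][0] for info in infos})


def is_public_ip(addr):
    """True only for globally routable addresses; RFC 1918 ranges, loopback,
    link-local and other special-purpose blocks are rejected."""
    return ipaddress.ip_address(addr).is_global


def preflight(domain, resolver=resolve):
    """Classify what the domain resolves to. 'ok' is True only when at least one
    address came back and every address is public: a private address in the
    answer is exactly the failure mode described above."""
    addrs = resolver(domain)
    public = [a for a in addrs if is_public_ip(a)]
    private = [a for a in addrs if not is_public_ip(a)]
    return {
        "domain": domain,
        "resolved": bool(addrs),
        "public": public,
        "private": private,
        "ok": bool(public) and not private,
    }


if __name__ == "__main__":
    # Usage: python preflight.py www.example.com  (exit status 1 when the check fails)
    result = preflight(sys.argv[1] if len(sys.argv) > 1 else "www.example.com")
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

The check deliberately fails when the answer mixes public and private addresses: a split-horizon setup where the certbot host sees the internal address is the usual cause of the "query timed out" output quoted above.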

6. Generate the certificate

# mkdir -p /etc/letsencrypt

# docker run -it --rm -v /etc/letsencrypt:/etc/letsencrypt -v /usr/local/openresty/nginx/html:/usr/local/openresty/nginx/html certbot/certbot:v1.11.0 certonly --webroot -w /usr/local/openresty/nginx/html -d www.example.com -m 123456789@qq.com --agree-tos


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for www.example.com
Performing the following challenges:
http-01 challenge for www.example.com
Using the webroot path /usr/local/openresty/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: 123456789@qq.com).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.example.com/privkey.pem
   Your certificate will expire on 2023-12-28. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Let's Encrypt has to verify control of the site before it issues a certificate; officially this is called a challenge.

While the certificate is being issued, Certbot creates a hidden temporary directory .well-known/acme-challenge under the nginx web root /usr/local/openresty/nginx/html/ and writes a temporary file there with a random name, CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI.

Certbot then has Let's Encrypt fetch http://www.example.com/.well-known/acme-challenge/CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI over the public internet; if the file content matches what the CA expects, the certificate is issued.

Once issuance is complete, Certbot deletes the temporary directory, so to look at the file you have to cat it while issuance is still in progress.

# cat /usr/local/openresty/nginx/html/.well-known/acme-challenge/CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI

CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI.sHK8K8we80hc978Nkuo1I8tCjj8VA3D87bVwb7Y8ZwM
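The file content shown above has the form <token>.<thumbprint of the ACME account key>, and the CA compares what it fetches over HTTP against exactly that string. The following Python, added here and taken neither from the post nor from Certbot, reproduces the computation from RFC 8555 section 8.1 (key authorization) and RFC 7638 (JWK thumbprint) with the standard library only. The account JWK values are constructed placeholders, not a real key, so the thumbprint it produces will not match the one in the post.

```python
import base64
import hashlib
import json
import os

# Constructed placeholder account key (RSA public JWK). A real ACME account key
# has a 2048-bit-or-larger modulus; this is only here so the code runs stand-alone.
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "AQIDBAUGBwgJCgsMDQ4PEA"}

# Token taken from the post above; the CA generates it per challenge.
SAMPLE_TOKEN = "CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI"

# RFC 7638: only the members that define the key go into the thumbprint.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data):
    """Base64url without padding, as used everywhere in ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """SHA-256 over the canonical JSON of the required members: keys sorted
    lexicographically, no whitespace. Extra members such as 'kid' or 'alg' are ignored."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """RFC 8555 section 8.1: the body that must be served at
    /.well-known/acme-challenge/<token>."""
    return "{}.{}".format(token, jwk_thumbprint(account_jwk))


def challenge_path(webroot, token):
    """Where Certbot's webroot authenticator writes the file."""
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def challenge_file_is_valid(token, served_body, account_jwk):
    """Mirror of the CA-side comparison: RFC 8555 section 8.3 lets the server ignore
    trailing whitespace, so a trailing newline added by an editor is tolerated."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


if __name__ == "__main__":
    body = key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(challenge_path("/usr/local/openresty/nginx/html", SAMPLE_TOKEN))
    print(body)
```

The thumbprint is tied to the ACME account key, not to the domain, which is why every challenge file served for the same account ends in the same 43-character suffix; the part before the dot is the per-challenge token the CA chose.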

7. Verify the certificate

# ll /etc/letsencrypt/live/www.example.com/
total 4.0K
lrwxrwxrwx 1 root root  41 Sep 29 09:55 cert.pem -> ../../archive/www.example.com/cert1.pem
lrwxrwxrwx 1 root root  42 Sep 29 09:55 chain.pem -> ../../archive/www.example.com/chain1.pem
lrwxrwxrwx 1 root root  46 Sep 29 09:55 fullchain.pem -> ../../archive/www.example.com/fullchain1.pem
lrwxrwxrwx 1 root root  44 Sep 29 09:55 privkey.pem -> ../../archive/www.example.com/privkey1.pem
-rw-r----- 1 root root 692 Sep 29 09:55 README

Certificate: /etc/letsencrypt/live/www.example.com/fullchain.pem

Private key: /etc/letsencrypt/live/www.example.com/privkey.pem

# openssl x509 -noout -text -in /etc/letsencrypt/live/www.example.com/fullchain.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:bb:52:8d:5a:6f:03:cc:f1:06:12:75:b0:2f:1e:8a:e6:12
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Sep 29 00:55:29 2023 GMT
            Not After : Dec 28 00:55:28 2023 GMT
        Subject: CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:d4:38:10:96:f9:7a:ef:10:00:98:1d:a3:ed:
                    c8:96:71:60:02:ed:8d:32:99:0e:15:11:a4:14:e1:
                    32:c8:31:75:fa:90:b2:55:3e:c1:6a:2a:f6:3f:ac:
                    62:1b:f8:cc:0e:bc:4a:27:ea:94:2b:eb:78:49:d1:
                    f9:c4:5e:f0:12:7f:c5:95:0d:cc:31:b3:8e:f0:ec:
                    3e:55:b6:97:17:b0:0d:32:35:72:1a:82:87:4f:81:
                    a0:07:60:7b:b8:03:2e:75:e8:7a:3b:1d:69:40:04:
                    de:50:36:e8:49:b9:82:25:1d:30:3d:38:16:28:ad:
                    df:a3:c8:d1:80:a6:87:45:e9:6a:2c:75:5b:06:0f:
                    97:1e:15:d2:f9:c9:59:9a:9e:ee:5a:4f:bd:14:74:
                    36:d1:4b:47:0b:c5:8d:75:b7:e7:e0:53:28:41:1f:
                    b7:05:ae:2f:29:86:98:6f:75:64:e7:83:fd:ce:12:
                    e2:fc:12:5d:01:01:18:e6:74:1f:83:6a:58:21:01:
                    99:68:62:8c:29:82:7e:6e:ad:26:50:6b:5d:70:73:
                    21:5e:19:e1:0c:35:71:53:b7:de:21:66:6e:e4:d9:
                    32:5e:14:0c:24:2a:00:63:f9:8b:b7:84:12:28:1d:
                    90:99:4b:08:bc:82:f8:15:68:9d:64:09:ea:1f:bf:
                    97:3f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                9F:7A:1C:81:35:31:13:62:6E:F6:84:CB:5D:67:2A:41:A5:1C:6F:AC
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name:
                DNS:www.example.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
                                5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
                    Timestamp : Sep 29 01:55:29.732 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:04:02:FF:43:4D:F2:B4:EA:9F:A0:22:F7:
                                5A:C6:81:48:C2:A2:91:FE:5C:D7:3D:19:8D:6E:58:64:
                                06:20:6E:4C:02:21:00:E0:AB:A8:2F:FD:D6:58:E1:62:
                                6F:A6:94:F3:D8:5D:02:5E:52:1E:00:06:BD:58:B5:00:
                                F5:8A:C1:7C:EB:33:B5
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9:
                                03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E
                    Timestamp : Sep 29 01:55:29.706 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:CE:03:25:26:CF:0E:65:22:9B:9E:EF:
                                41:CE:6E:AD:EF:FE:B9:FB:66:4F:D9:0A:40:EE:A4:48:
                                C5:1D:2A:DD:98:02:20:55:84:8F:49:51:E7:47:B7:46:
                                A4:09:AB:C2:54:F1:65:79:67:C3:7F:DE:6B:9F:77:96:
                                CF:81:A4:0D:F1:A1:8F
    Signature Algorithm: sha256WithRSAEncryption
         2d:c1:21:8b:3e:68:d8:df:47:bd:2e:b9:50:ea:cb:23:8d:ba:
         ea:17:09:15:27:cb:74:6d:6b:83:9e:a8:19:e3:75:6a:e4:ac:
         d2:13:6c:a0:d7:b1:2f:63:f4:f4:6f:86:51:af:37:8f:04:63:
         7b:6b:df:93:87:56:a2:0a:1a:79:df:f5:9d:a8:2e:45:7f:83:
         3e:b7:d8:a5:5e:59:c3:27:b7:9f:59:24:bc:d5:22:05:db:84:
         8e:db:0f:c3:1b:50:d6:c2:3e:38:8c:6e:99:29:bf:42:f7:b2:
         52:36:91:58:6e:fc:cf:ef:dd:ef:45:4c:9c:b9:9e:bb:53:49:
         a1:98:7a:ce:3b:c2:dd:38:06:c5:45:06:74:1e:da:5b:30:43:
         1a:82:95:ff:2c:d0:aa:f2:96:a3:0d:50:90:d1:ec:2b:9e:a9:
         22:3a:0e:93:9a:5c:ce:4f:c8:74:e3:c0:37:cc:4d:6f:48:3f:
         aa:6e:11:2c:79:3b:ce:b9:30:13:78:96:e7:ce:89:c6:d4:63:
         7d:3a:97:83:97:f3:a6:f0:a5:46:6a:90:4e:cf:eb:c0:13:7e:
         a9:01:bd:a9:b8:e1:01:2f:21:84:6c:9b:0c:b3:48:9b:48:a9:
         5b:b6:e3:48:91:68:56:fa:3a:26:92:88:51:c8:a8:84:17:52:
         45:d9:77:6d

The certificate can also be decoded online: https://myssl.com/cert_decode.html
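Added example (not from the post): standard-library Python that checks the shape of fullchain.pem (a leaf plus at least one intermediate, and no private key accidentally pasted into the bundle) and turns openssl's notAfter line into a days-to-expiry figure, judged against Certbot's default of renewing when fewer than 30 days remain. The PEM bundle used in the test is constructed; the date values come from the openssl output above.

```python
import re
import subprocess
import sys
from datetime import datetime, timezone

# One PEM block: label in the BEGIN/END lines, base64 body in between.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Constructed two-certificate bundle standing in for fullchain.pem (bodies are not real DER).
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\n"
    "TUlJQy4uLmxlYWY=\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "TUlJQy4uLmludGVybWVkaWF0ZQ==\n"
    "-----END CERTIFICATE-----\n"
)


def pem_blocks(text):
    """Return (label, body) for every PEM block in the file, in file order."""
    return [(m.group(1), m.group(2)) for m in _PEM_BLOCK.finditer(text)]


def check_fullchain(text):
    """fullchain.pem should carry the leaf first and then the intermediate(s);
    a PRIVATE KEY block inside it means the key file was concatenated by mistake."""
    labels = [label for label, _ in pem_blocks(text)]
    certs = labels.count("CERTIFICATE")
    key_present = any("PRIVATE KEY" in label for label in labels)
    return {
        "certificates": certs,
        "has_intermediate": certs >= 2,
        "private_key_present": key_present,
        "ok": certs >= 2 and not key_present,
    }


def parse_openssl_time(value):
    """Parse the timestamp format openssl prints, e.g. 'Dec 28 00:55:28 2023 GMT'
    (openssl pads single-digit days with a space, hence the whitespace normalisation)."""
    value = " ".join(value.split())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(enddate_line, now=None):
    """Take the 'notAfter=...' line from `openssl x509 -noout -enddate`."""
    not_after = parse_openssl_time(enddate_line.strip().split("=", 1)[1])
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def renewal_due(enddate_line, now=None, threshold_days=30):
    """Certbot's default renew window: renew once fewer than 30 days remain."""
    return days_until_expiry(enddate_line, now) <= threshold_days


if __name__ == "__main__":
    # Usage: python check_cert.py /etc/letsencrypt/live/www.example.com/fullchain.pem
    path = sys.argv[1]
    with open(path) as fh:
        print(check_fullchain(fh.read()))
    enddate = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", path],
        capture_output=True, text=True, check=True,
    ).stdout
    print(enddate.strip(), "days left:", days_until_expiry(enddate), "renew:", renewal_due(enddate))
```

Pointing the script at fullchain.pem rather than cert.pem matters: it is the file nginx should serve, and a bundle with only one CERTIFICATE block would make clients fail to build the chain to the Let's Encrypt root.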

8. References

Installing Docker on Linux for x86 and ARM CPU architectures

https://www.jianshu.com/p/99373f14b990

Installing and using certbot on CentOS 7.x

https://www.jianshu.com/p/735ed33feaa3
