Two ways to generate a self-signed certificate


    Sometimes we need to generate a self-signed SSL certificate. This post records two ways of generating one.

    Method 1: Generate it with a project from GitHub (the simpler way)

    This method does not require the domain to be resolvable on the public internet (the project is really just a wrapper around openssl commands: an automated openssl certificate generator).

    1.1 Download the project and set the validity period

    [root@test nginx]# git clone https://github.com/Fishdrowned/ssl.git
    [root@test nginx]# cd ssl      # enter the cloned directory
    # Set the certificate validity period (optional)
    [root@test ssl]# cat ca.cnf | grep days     # ca.cnf contains some default settings
    default_days    = 3650        # this sets the certificate validity (default 730 days, i.e. two years); I changed it to ten years
    # Set the root certificate validity period (optional)
    [root@test ssl]# cat gen.root.sh | grep days     # this is the file in question
        -new -x509 -days 7300 -out out/root.crt      # default is 7300 days (twenty years)

    1.2 Generate the certificate

    [root@test ssl]# ./gen.cert.sh www.ljz.com      # just run this script; www.ljz.com is your domain

    After the script runs, the output looks roughly as follows (all certificate-related files are saved in the out directory under the current directory):

    [Screenshot of the gen.cert.sh output, not reproduced here]

    1.3 Copy the required certificate files to another directory for unified management

    [root@test ssl]# mkdir -pv /data/ssl/www.ljz.com   # this directory holds the certificate files
    # *.key.pem is the certificate private key
    [root@test ssl]# cp out/www.ljz.com/www.ljz.com.key.pem /data/ssl/www.ljz.com/
    # *.bundle.crt is the certificate
    [root@test ssl]# cp out/www.ljz.com/www.ljz.com.bundle.crt /data/ssl/www.ljz.com/
    # root.crt is the root certificate (this one is for the client: load it into the browser so the certificate is trusted)
    [root@test ssl]# cp out/www.ljz.com/root.crt /data/ssl/www.ljz.com/
    [root@test ssl]# ./flush.sh        # once the certificate files have been copied away, this script clears all history (optional)

    At this point, once your website is configured with the location of the certificate and its private key, it can be accessed over https. (If root.crt is not imported into the client's browser, the browser will warn that the https connection is not secure.)
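The steps that gen.root.sh and gen.cert.sh automate, written out as plain openssl commands together with the checks worth running before the files are copied into /data/ssl. This is an added example, not code from the post or from the Fishdrowned/ssl project; the output directory, the CA name and the function names are assumptions, and it needs openssl 1.0.2 or newer for -checkhost.

```shell
#!/bin/sh
# Added example (not code from the Fishdrowned/ssl project): the openssl steps
# that gen.root.sh and gen.cert.sh wrap, plus the checks a deployer should run
# before copying the files away. Directory and CA names are assumptions.
set -eu

# Private root CA; 7300 days mirrors the project's default in gen.root.sh.
make_root() {               # make_root <outdir>
    out=$1; mkdir -p "$out"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$out/root.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root CA" \
        -keyout "$out/root.key.pem" -out "$out/root.csr" 2>/dev/null
    openssl x509 -req -in "$out/root.csr" -signkey "$out/root.key.pem" -days 7300 \
        -sha256 -extfile "$out/root.ext" -out "$out/root.crt" 2>/dev/null
}

# Leaf certificate for one domain, signed by the root; 3650 days is the value
# the post sets for default_days in ca.cnf. The SAN is what browsers actually
# match against, so a leaf without it is rejected even though it chains.
make_leaf() {               # make_leaf <outdir> <domain>
    out=$1; d=$2
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' "$d" > "$out/$d.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$d" \
        -keyout "$out/$d.key.pem" -out "$out/$d.csr" 2>/dev/null
    openssl x509 -req -in "$out/$d.csr" -CA "$out/root.crt" -CAkey "$out/root.key.pem" \
        -CAcreateserial -days 3650 -sha256 -extfile "$out/$d.ext" -out "$out/$d.crt" 2>/dev/null
    # Same layout as the project's *.bundle.crt: leaf first, then the issuer.
    cat "$out/$d.crt" "$out/root.crt" > "$out/$d.bundle.crt"
}

# What a client checks: chain to the root, hostname match, key/cert pairing.
# Returns 0 only if all three hold.
verify_leaf() {             # verify_leaf <outdir> <domain>
    openssl verify -CAfile "$1/root.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/$2.crt" -noout -checkhost "$2" | grep -q 'does match' || return 1
    [ "$(openssl pkey -in "$1/$2.key.pem" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$1/$2.crt" -noout -pubkey)" ]
}

# Stand-alone run: ./mkcert.sh www.ljz.com issues into ./out and verifies.
if [ -n "${1:-}" ]; then
    make_root out && make_leaf out "$1" && verify_leaf out "$1" && echo "OK: out/$1.bundle.crt"
fi
```

Keep root.key.pem out of /data/ssl and off the web server entirely: it is only needed when issuing new leaf certificates, and anyone holding it can mint certificates every client that trusts root.crt will accept.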

    Method 2: Let's Encrypt

    Note: this method requires that your domain be resolvable on the public internet.

    Let's Encrypt is a free project that issues https certificates automatically.
    Certbot is the certificate client tool officially recommended by Let's Encrypt.

    Note: the installation steps may differ depending on the operating system and the website the certificate is bound to. Here the certificate is for nginx on CentOS 7; if your setup differs from mine, check the official site for the installation procedure.

    2.1 Let's Encrypt rate limits

    • Subdomains under the same top-level domain: at most 20 requested per week
    • One domain: at most 5 requests per week
    • At most 5 failures per hour
    • Request rate must stay below 20 requests/s
    • One IP: at most 10 accounts created within 3 hours
    • One account: at most 300 pending authorizations at the same time

    2.2 Configure yum

    [root@nginx ~]# yum -y install epel-release 
    [root@nginx ~]# yum -y install yum-utils
    [root@nginx ~]# yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
    

    2.3 Install certbot

    [root@nginx ~]# yum -y install certbot python2-certbot-nginx
    [root@nginx ~]# certbot --version         # confirm it is installed
    certbot 1.3.0
    

    2.4 Create the certificate interactively

    [root@nginx ~]# certbot certonly      # enter interactive mode
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    How would you like to authenticate with the ACME CA?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: Nginx Web Server plugin (nginx)   # this method modifies the config file
    2: Spin up a temporary webserver (standalone)     # this method requires stopping the service
    3: Place files in webroot directory (webroot)     # choose this method if the certificate must be created without disrupting the running server
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
    # here we enter 1 to select the nginx plugin
    Plugins selected: Authenticator nginx, Installer None
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel): xxxxxxxxx@qq.com        # enter your email address here (only asked the first time)
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel: a       # enter "a" to agree (only asked the first time)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about our work
    encrypting the web, EFF news, campaigns, and ways to support digital freedom.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y          # enter "y" to confirm
    Starting new HTTPS connection (1): supporters.eff.org
    Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
    to cancel): www.lvjianzhao.top          # enter your domain here
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for www.lvjianzhao.top
    nginx: [error] invalid PID number "" in "/run/nginx.pid"
    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/www.lvjianzhao.top/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/www.lvjianzhao.top/privkey.pem
       Your cert will expire on 2020-07-18. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
     - We were unable to subscribe you the EFF mailing list because your
       e-mail address appears to be invalid. You can try again later by
       visiting https://act.eff.org.
    
    
    # If your domain resolves correctly, the certificate has now been issued successfully.
    

    2.5 Configure nginx to use the generated certificate

    [root@nginx ~]# cd /etc/letsencrypt/live/www.lvjianzhao.top/     # enter the certificate directory
    [root@nginx www.lvjianzhao.top]# ll
    total 4
    # the next two files can be ignored
    lrwxrwxrwx 1 root root  42 Apr 19 21:20 cert.pem -> ../../archive/www.lvjianzhao.top/cert1.pem
    lrwxrwxrwx 1 root root  43 Apr 19 21:20 chain.pem -> ../../archive/www.lvjianzhao.top/chain1.pem
    # this is the certificate file
    lrwxrwxrwx 1 root root  47 Apr 19 21:20 fullchain.pem -> ../../archive/www.lvjianzhao.top/fullchain1.pem
    # this is the certificate private key
    lrwxrwxrwx 1 root root  45 Apr 19 21:20 privkey.pem -> ../../archive/www.lvjianzhao.top/privkey1.pem
    # the README explains what each of the files above is for
    -rw-r--r-- 1 root root 692 Apr 19 21:20 README
    # copy the required certificate and its private key to a directory for unified storage
    [root@nginx www.lvjianzhao.top]# cp fullchain.pem privkey.pem /etc/nginx/ssl/www.lvjianzhao.top/
    # next, modify the nginx config file to reference this certificate; editing the nginx config is not the focus of this post, so it is not explained here
    [root@nginx nginx]# egrep -v '^$|^#' nginx.conf
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    include /usr/share/nginx/modules/*.conf;
    events {
        worker_connections 1024;
    }
    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
        access_log  /var/log/nginx/access.log  main;
        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;
        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;
        # Load modular configuration files from the /etc/nginx/conf.d directory.
        # See http://nginx.org/en/docs/ngx_core_module.html#include
        # for more information.
        include /etc/nginx/conf.d/*.conf;
        server {
            listen       80 default_server;
            listen       [::]:80 default_server;
            server_name  www.lvjianzhao.top;
            root         /usr/share/nginx/html;
            # Load configuration files for the default server block.
            include /etc/nginx/default.d/*.conf;
            location / {
    	    return 302 https://www.lvjianzhao.top;
            }
            error_page 404 /404.html;
                location = /40x.html {
            }
            error_page 500 502 503 504 /50x.html;
                location = /50x.html {
            }
        }
        server {
            listen       443 ssl http2 default_server;
            listen       [::]:443 ssl http2 default_server;
            server_name  www.lvjianzhao.top;
            root         /usr/share/nginx/html;
            ssl_certificate "/etc/nginx/ssl/www.lvjianzhao.top/fullchain.pem";
            ssl_certificate_key "/etc/nginx/ssl/www.lvjianzhao.top/privkey.pem";
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout  10m;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers on;
            # Load configuration files for the default server block.
            include /etc/nginx/default.d/*.conf;
            location / {
    	    
            }
            error_page 404 /404.html;
                location = /40x.html {
            }
            error_page 500 502 503 504 /50x.html;
                location = /50x.html {
            }
        }
    }
    
    

    2.6 Test that https works

    [Screenshot of the https test in the browser, not reproduced here]

    Reference post: Certbot 自动化生成 https 证书 (Certbot automated https certificate generation)

    2.7 Set up a scheduled task for automatic renewal (so the certificate does not expire)

    [root@nginx nginx]# echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | tee -a /etc/crontab
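
A companion check for the renewal job above, added here and not part of the post or of certbot: because "certbot renew -q" is silent, a renewal that keeps failing is otherwise only noticed when the certificate expires. It assumes GNU date (Linux) and the /etc/letsencrypt/live/<domain>/fullchain.pem layout shown in section 2.5; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or certbot): report days left for every
# certificate under a live/ directory and fail when one is inside the renewal
# window, i.e. when the cron job has not actually renewed it.
# Assumes GNU date (Linux); the directory layout follows section 2.5.
set -eu

# Seconds until notAfter of a PEM certificate (negative if already expired).
seconds_left() {            # seconds_left <cert.pem>
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    echo $(( $(date -d "$end" +%s) - $(date +%s) ))
}

days_left() {               # days_left <cert.pem>
    echo $(( $(seconds_left "$1") / 86400 ))
}

# Returns 0 if the cert expires within <days> (or already has), 1 otherwise.
# Uses openssl's own -checkend, so no date parsing is involved here.
needs_renewal() {           # needs_renewal <cert.pem> <days>
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# Walk <dir>/*/fullchain.pem and print one line per certificate. Exit status 1
# if any certificate is within the window (default 30 days, certbot's own
# renewal threshold), which makes it usable directly as a monitoring check.
check_live_dir() {          # check_live_dir <dir> [days]
    dir=$1; win=${2:-30}; rc=0
    for cert in "$dir"/*/fullchain.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        if needs_renewal "$cert" "$win"; then
            echo "WARN $name: $(days_left "$cert") days left, renewal has not happened"; rc=1
        else
            echo "ok   $name: $(days_left "$cert") days left"
        fi
    done
    return $rc
}

# Stand-alone run: ./check-certs.sh /etc/letsencrypt/live [days]
if [ -n "${1:-}" ]; then
    check_live_dir "$1" "${2:-30}"
fi
```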
    
    Original article: https://www.cnblogs.com/lvzhenjiang/p/14198942.html