CentOS + Nginx: Obtaining a Let's Encrypt Wildcard HTTPS Certificate

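This post uses Certbot on CentOS 7.2 to set up a Let's Encrypt wildcard certificate, so that every subdomain under a domain can use an HTTPS certificate easily and completely free of charge. Note that a Let's Encrypt wildcard certificate only covers the subdomains, not the main domain itself: *.example.com and example.com are treated as two separate names. If, like me, you also serve the main domain, remember to request both.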

Getting Certbot

# Download
wget https://dl.eff.org/certbot-auto
# Make it executable
chmod u+x certbot-auto

Requesting the certificate

Run the following command:

./certbot-auto certonly  -d "*.example.com" -d "example.com" --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory  

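Parameters:

  • certonly selects the install mode: obtain the certificate only, without installing it. Certbot has two kinds of plugins, installers and authenticators.
  • --manual uses the manual plugin. Certbot has many plugins, each of which can obtain a certificate; choose the one that fits your needs.
  • -d lists the hosts to request the certificate for. For a wildcard, enter *.example.com (replace with your own domain).
  • --preferred-challenges dns-01 validates domain ownership through DNS.
  • --server must be given explicitly, because the Let's Encrypt ACME v2 server is different from the v1 server.
    Note: replace example.com with your own domain.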

During the run, confirm the following prompts:

Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): test@example.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Adding the TXT records to the domain's DNS

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

c1tiuYabTeauuA3Byjc6Sdn7vbBPjwXZkdZDnry5wvg

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Next, add two TXT records at your DNS provider. I use Tencent Cloud; the DNS records are shown below.


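After the records are added, they can take up to 10 minutes to take effect. Confirm that they are live before pressing Enter in the terminal where Let's Encrypt is being configured.
To check, run dig _acme-challenge.example.com txt. If the TXT record value appears in the answer, the record is live, as shown here: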

[root@VM_0_15_centos ~]# dig _acme-challenge.example.com txt

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> _acme-challenge.example.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48247
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.example.com.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.xj10.xyz. 600	IN	TXT	"c1tiuYabTeauuA3Byjc6Sdn7vbBPjwXZkdZDnry5wvg"

;; Query time: 296 msec
;; SERVER: 183.60.83.19#53(183.60.83.19)
;; WHEN: Thu Mar 21 20:39:09 CST 2019
;; MSG SIZE  rcvd: 109
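
The same check as a script, as an added example that is not part of the original post: it asks each authoritative name server of the zone directly, so a stale answer from a caching resolver cannot mislead you, and it requires every value Certbot printed to be present under _acme-challenge at the same time (the second record is added alongside the first, not in place of it). It assumes dig is installed; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: verify dns-01 TXT values before pressing Enter in Certbot.

# Read `dig +short TXT` output on stdin and print one unquoted value per
# line. Long values that dig prints as "part1" "part2" are joined.
txt_values() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# missing_values PUBLISHED EXPECTED...
# Print every EXPECTED value absent from PUBLISHED (newline-separated
# list); exit status 0 only when nothing is missing.
missing_values() (
    published=$1; shift
    rc=0
    for v in "$@"; do
        # -F/-x: exact whole-line match; -e: the value may start with "-"
        if ! printf '%s\n' "$published" | grep -Fxq -e "$v"; then
            printf '%s\n' "$v"
            rc=1
        fi
    done
    exit "$rc"
)

# check_challenge DOMAIN EXPECTED...
# Query every authoritative name server of DOMAIN and report which
# expected values it does not serve yet.
check_challenge() (
    domain=$1; shift
    rc=0; seen=0
    for ns in $(dig +short NS "$domain"); do
        seen=1
        published=$(dig +short TXT "_acme-challenge.$domain" "@$ns" | txt_values)
        if missing=$(missing_values "$published" "$@"); then
            echo "$ns: all values visible"
        else
            echo "$ns: still missing: $missing" >&2
            rc=1
        fi
    done
    [ "$seen" -eq 1 ] || { echo "no NS records found for $domain" >&2; rc=1; }
    exit "$rc"
)

# Usage: check_challenge example.com FIRST_VALUE SECOND_VALUE
```
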

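Once the record is confirmed live, press Enter. Certbot then asks you to add the second TXT record; when that one is live as well, press Enter again: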

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-06-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The generated files are in the /etc/letsencrypt/live/example.com/ directory.

Configuring the certificate in Nginx

Configure nginx as follows:

# Redirect HTTP to HTTPS
server {
        listen 80;
        server_name example.com;
        rewrite ^(.*)$  https://$host$1 permanent;
}
server {
        listen 443 http2 ssl;
        server_name example.com;
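        # "ssl on;" removed: the ssl parameter on listen already enables TLS, and the directive is deprecated since nginx 1.15.0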
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_trusted_certificate  /etc/letsencrypt/live/example.com/chain.pem;
        location / {
                proxy_pass http://127.0.0.1:8080/;
                proxy_set_header   Host             $host:$server_port;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_set_header   Remote_Addr    $remote_addr;
        }
}

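Certificate renewal

Let's Encrypt's free certificates are valid for 90 days by default. To renew one when it is due, run:
certbot-auto renew

You can define crontab entries to run this automatically at night. Because the certificate above was issued with --manual, a renewal started from cron only succeeds if Certbot has been given a --manual-auth-hook script that publishes the TXT records; without one the renewal fails.

# Renew the certificate on the 1st and 15th of each month at 02:30
30 2 1,15 * * /path/to/certbot-auto renew
# Reload the configuration on the 1st and 15th of each month at 03:30
30 3 1,15 * * nginx -s reload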