Let's Encrypt:
Each free Let's Encrypt certificate is valid for 90 days, but the provider supplies an automatic renewal script that can be scheduled to check the SSL certificate's expiry date and renew it automatically.
The web service must be stopped:
systemctl stop nginx.service (the Let's Encrypt program acts as a temporary web server so that the SSL issuer can verify the site; port 80 must be free, so the web server has to be stopped)
Download and install the Let's Encrypt package:
CentOS:
# yum install epel-release
# yum install certbot
Ubuntu:
$ sudo apt install -y git bc wget
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt (installs the Let's Encrypt program into /opt/letsencrypt)
# /opt/letsencrypt/certbot-auto certonly --standalone --email xxx@example.com --agree-tos -d example.com (repeat -d to add more domains)
Certificate files:
The issued certificates are placed under /etc/letsencrypt/live/ in a folder named after the requested domain.
If example.com and www.example.com are both requested, the certificate files are placed in /etc/letsencrypt/live/example.com/ and /etc/letsencrypt/live/www.example.com/ respectively.
There are 4 certificate files:
File name     | Description
cert.pem      | the certificate for the requested domain
chain.pem     | Let's Encrypt's own certificate
fullchain.pem | cert.pem and chain.pem combined into one file
privkey.pem   | the private key for the requested domain's certificate
Configure nginx to use the SSL certificate:
# vi /etc/nginx/templates/ssl.tmpl
Contents:
server {
    # certificate files
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    .......
}
Configure nginx to redirect port 80 to SSL port 443 automatically:
# vi /etc/nginx/sites-enabled/00-default.conf
Contents:
server {
location ~ /\.well-known\/acme-challenge {
allow all;
}
if ($request_uri !~ /\.well-known) {
return 301 https://$host$request_uri;
}
}
Configure Postfix to use the SSL certificate:
# vi /etc/postfix/main.cf
Modify:
# Force TLS-encrypted SASL authentication.
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 0
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/example.com/fullchain.pem
tls_random_source = dev:/dev/urandom
Configure dovecot to use the SSL certificate:
# vi /etc/dovecot/dovecot.conf
Modify:
ssl_cert = </etc/letsencrypt/live/example.com/cert.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
ssl_ca = </etc/letsencrypt/live/example.com/fullchain.pem
Restart the related services:
# systemctl restart nginx.service postfix.service dovecot.service
Test automatic certificate renewal:
/opt/letsencrypt/certbot-auto renew --dry-run
Add a crontab schedule to run the certificate renewal:
crontab -e
Check and renew the certificate once a week, every Monday at 2:30 a.m. (adjust the schedule as needed):
30 2 * * Mon /opt/letsencrypt/certbot-auto renew >> /var/log/le-renewal.log; systemctl restart nginx.service postfix.service dovecot.service
Create the Let's Encrypt configuration file:
Copy the sample configuration file /opt/letsencrypt/examples/cli.ini from the letsencrypt directory:
cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/le-renew-webroot.ini
Edit the custom configuration file:
vi /usr/local/etc/le-renew-webroot.ini
Modify:
rsa-key-size = 4096
email = xxxxx@example.com
domains = example.com, example1.com
webroot-path = /var/www/html/ # default www directory
Use a script to renew the certificate automatically:
Download the certificate renewal shell script and make it executable:
apt-get install -y curl
curl -L -o /usr/local/sbin/le-renew-webroot https://gist.githubusercontent.com/thisismitch/e1b603165523df66d5cc/raw/fbffbf358e96110d5566f13677d9bd5f4f65794c/le-renew-webroot
chmod +x /usr/local/sbin/le-renew-webroot
The le-renew-webroot script reads its settings from /usr/local/etc/le-renew-webroot.ini and renews the certificate; if the certificate still has 30 days or more before it expires, it is not renewed.
Run it manually to test renewing the certificate with the shell script:
/usr/local/sbin/le-renew-webroot
Checking expiration date for example.com...
The certificate is up to date, no need for renewal (89 days left).
...........................................
Force a certificate renewal if needed:
/opt/letsencrypt/certbot-auto renew --force-renew
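As an added example (not this page's script and not the le-renew-webroot gist), the following Python check reproduces the renewal decision described above: it parses the le-renew-webroot.ini format, reads each live certificate's expiry date and skips renewal while 30 days or more remain. The ini path, the 30-day threshold, the certbot-auto renew and systemctl restart commands come from this page; reading the expiry with openssl x509 -enddate is an assumption, and the sample ini text and dates are constructed.

```python
import subprocess
from datetime import datetime, timezone
RENEW_BELOW_DAYS = 30               # page: no renewal while 30 days or more remain
LIVE_DIR = "/etc/letsencrypt/live"  # certbot live directory, one folder per domain (page)
# Constructed sample input mirroring the ini above and the "89 days left" output on this page.
SAMPLE_INI = """domains = example.com, example1.com
webroot-path = /var/www/html/ # default www directory
"""
SAMPLE_NOT_AFTER = "notAfter=Jun  2 02:30:00 2025 GMT"  # format printed by openssl x509 -enddate
SAMPLE_NOW = datetime(2025, 3, 5, 2, 30, tzinfo=timezone.utc)

def parse_ini(text):
    """Parse 'key = value' lines, dropping '#' comments; 'domains' becomes a list."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            cfg[key] = value
    cfg["domains"] = [d.strip() for d in cfg.get("domains", "").split(",") if d.strip()]
    return cfg

def days_left(not_after, now):
    """Whole days from `now` until the notAfter value openssl prints (always GMT)."""
    value = not_after.split("=", 1)[-1].strip()
    expiry = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return (expiry - now).days

def should_renew(days):
    return days < RENEW_BELOW_DAYS  # an expired cert has negative days and is renewed too

def cert_not_after(domain):
    """Read the live certificate's expiry with openssl (assumed tool), using the page's path layout."""
    cmd = ["openssl", "x509", "-enddate", "-noout", "-in", f"{LIVE_DIR}/{domain}/cert.pem"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()

def main():
    with open("/usr/local/etc/le-renew-webroot.ini") as fh:
        cfg = parse_ini(fh.read())
    now = datetime.now(timezone.utc)
    for domain in cfg["domains"]:
        left = days_left(cert_not_after(domain), now)
        print(f"Checking expiration date for {domain}... {left} days left")
        if should_renew(left):  # 'renew' covers every certbot-managed cert, so one run is enough
            subprocess.run(["/opt/letsencrypt/certbot-auto", "renew"], check=True)
            subprocess.run(["systemctl", "restart", "nginx.service", "postfix.service", "dovecot.service"], check=True)
            break
if __name__ == "__main__":
    main()
```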
Configure Apache to use the SSL certificate:
1. Confirm that the Apache httpd.conf loads the mod_ssl module; if the SSL module is not installed:
yum install -y mod_ssl openssl
2. Modify the conf file of the site that should use SSL:
Apache configuration for using the SSL certificate:
<VirtualHost *:443>
ServerName example.com
DocumentRoot /var/www/html/example
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem
<Directory "/var/www/html/example">
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
3. Redirect port 80 to port 443:
<VirtualHost *:80>
ServerName example.com
DocumentRoot /var/www/html/example
Redirect permanent / https://example.com/
<Directory "/var/www/html/example">
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>