【Thinking】
A. Multi-domain (SAN) certificate: the problem is that a single certificate can rarely carry more than 100 names; dropped.
B. Wildcard certificate + second-level subdomains: satisfies the tenant-capacity requirement, but customers' own custom domains are still not covered.
C. Single-domain certificate + subdirectories: also satisfies the capacity requirement, but again customers' custom domains are not covered.
D. Multiple single-domain certificates: the problem is how WPMU (WordPress Multisite) maps to multiple certificates.
1. Automatic issuance: when a customer successfully binds a domain, issue and deploy a certificate automatically.
2. Scheduled renewal: work out how the deployment system renews certificates on a schedule.
3. Certificate deployment: a customer-bound domain has no real directory of its own on the server; will the certificate still take effect correctly?
4. Unified monitoring: work out how to replicate what letsmonitor.org does.
5. Batch-generate Let's Encrypt certificates for domains that are already mapped / automatically generate Let's Encrypt certificates for newly mapped domains.
Reference: http://www.gossamer-threads.com/lists/gnupg/users/57476
【Introduction】
Let's Encrypt opened to the public on November 16, 2015. ACMEv2, which Let's Encrypt released on March 13, 2018, added official support for wildcard certificates.
Reference: https://linux.cn/article-6565-1.html
Reference: https://www.v2ex.com/t/437798#reply120
Reference: https://www.zhihu.com/question/36710815?sort=created
【Issuance】
certbot method:
Verified to work on most VPS hosts.
1. Install certbot-auto
wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto
2. Request the certificate
Ordinary SSL certificate: protects the root domain domainname.com, the main host www.domainname.com, and any other second-level name such as misc.domainname.com.
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d domainname.com -d www.domainname.com -d misc.domainname.com --manual --preferred-challenges dns-01 certonly
Wildcard SSL certificate: protects the root domain domainname.com and all its direct subdomains *.domainname.com. A wildcard covers exactly one label, so *.domainname.com covers neither domainname.com itself nor deeper names such as a.b.domainname.com; that is why the apex is listed separately.
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d domainname.com -d "*.domainname.com" --manual --preferred-challenges dns-01 certonly
The --server flag pointing at the v2 endpoint is required because wildcards exist only in ACMEv2, and dns-01 is the only challenge type accepted for wildcard names. With the apex and the wildcard in one request, certbot asks for two TXT records under the same name _acme-challenge.domainname.com; both must be published at the same time, since the second prompt does not replace the first record.
The command installs a series of dependency packages, then sets up the account and issues the certificate:
... Dependency Installed: ... Complete!
Upgrading certbot-auto 0.22.0 to 0.22.2...
...
Installation succeeded.
...
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): [email protected]
...
Please read the Terms of Service at ... (A)gree/(C)ancel: A
...
Would you be willing to share your email address with the Electronic Frontier ... (Y)es/(N)o: Y
...
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domainname.com
...
NOTE: The IP of this machine will be publicly logged as having requested this ... (Y)es/(N)o: Y
...
Please deploy a DNS TXT record under the name
_acme-challenge.domainname.com with the following value:

fqVKGH-bbY87iqw2S5qYZ9IwFu1aOa82Wkqb5DAlwe0

Before continuing, verify the record is deployed.
...
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domainname.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domainname.com/privkey.pem
   Your cert will expire on 2018-06-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Certificate paths:
/etc/letsencrypt/live/domainname.com/fullchain.pem
/etc/letsencrypt/live/domainname.com/privkey.pem
Back up the whole directory:
/etc/letsencrypt
The backup contains the private keys and the ACME account key, so store it with the same care as the keys themselves; privkey.pem must stay readable by root only.
3. Certificate renewal
./certbot-auto renew
Certificates obtained with --manual and no --manual-auth-hook are skipped by renew, which reports that an authentication script must be provided for non-interactive use. Either re-run the interactive issuance command (adding --force-renewal if the certificate is not yet due) or supply --manual-auth-hook and --manual-cleanup-hook scripts so the TXT records are published without a human at the keyboard.
4. Re-issuing a certificate
If you need to re-issue from scratch, first delete the configuration files for the domain in each of these directories:
/etc/letsencrypt/archive
/etc/letsencrypt/csr
/etc/letsencrypt/keys
/etc/letsencrypt/live
/etc/letsencrypt/renewal
Doing this by hand is what ./certbot-auto delete --cert-name domainname.com does for the archive, live and renewal entries; the delete subcommand is the safer option because it leaves the other lineages and the account untouched.
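The manual dns-01 flow above stops at a prompt, which is also why step 3's renew cannot run unattended for these certificates. The hook script below is an added example, not from this page and not certbot's own code, of the --manual-auth-hook / --manual-cleanup-hook pair that closes that gap. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot really exports to hooks; the zone-fragment file $ACME_ZONE_FILE, the rndc-based publish step, the propagation check against 1.1.1.1 and the install path /usr/local/bin/acme-dns-hook.sh are assumptions for a self-hosted BIND setup, to be replaced by your DNS provider's API call if that is not your setup.

```bash
#!/bin/bash
# acme-dns-hook.sh: certbot --manual-auth-hook / --manual-cleanup-hook for the
# dns-01 flow, so that "certbot-auto renew" works without anyone pasting TXT
# records. Added example, not from the page or from certbot.
#
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
# ASSUMPTION: the authoritative nameserver includes the fragment file
# $ACME_ZONE_FILE (e.g. via $INCLUDE in a BIND zone) and is reloaded with
# rndc; replace publish_zone with your DNS provider's API call otherwise.
#
# Usage (assumed install path):
#   ./certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory \
#       -d domainname.com -d "*.domainname.com" --manual --preferred-challenges dns-01 \
#       --manual-auth-hook    "/usr/local/bin/acme-dns-hook.sh auth" \
#       --manual-cleanup-hook "/usr/local/bin/acme-dns-hook.sh cleanup"
set -eu

ACME_ZONE_FILE="${ACME_ZONE_FILE:-/var/named/acme-challenge.inc}"

# TXT owner name for a domain. certbot passes "domainname.com" for both the
# apex and "*.domainname.com", so both validations land on the SAME name and
# their two TXT records must coexist until validation is finished.
acme_txt_name() {
    printf '_acme-challenge.%s.\n' "${1#\*.}"
}

# One zone-file line per validation token.
acme_txt_record() {
    printf '%s 60 IN TXT "%s"\n' "$(acme_txt_name "$1")" "$2"
}

# Append the record unless an identical line is already there (idempotent,
# so a retried auth hook does not duplicate it).
add_txt_record() {
    local rec
    rec="$(acme_txt_record "$1" "$2")"
    touch "$ACME_ZONE_FILE"
    grep -qxF -- "$rec" "$ACME_ZONE_FILE" || printf '%s\n' "$rec" >> "$ACME_ZONE_FILE"
}

# Remove exactly that record; the sibling record (apex vs wildcard) stays.
# Rewrites in place so the zone file keeps its owner and mode.
remove_txt_record() {
    local rec tmp
    rec="$(acme_txt_record "$1" "$2")"
    [ -f "$ACME_ZONE_FILE" ] || return 0
    tmp="$(mktemp)"
    grep -vxF -- "$rec" "$ACME_ZONE_FILE" > "$tmp" || true
    cat "$tmp" > "$ACME_ZONE_FILE"
    rm -f "$tmp"
}

# Number of challenge records currently published for a domain.
count_txt_records() {
    [ -f "$ACME_ZONE_FILE" ] || { echo 0; return 0; }
    grep -cF -- "$(acme_txt_name "$1") " "$ACME_ZONE_FILE" || true
}

# ASSUMPTION: publishing means reloading the local nameserver.
publish_zone() {
    if command -v rndc >/dev/null 2>&1; then rndc reload; fi
}

# Let's Encrypt validates from several vantage points, so do not return to
# certbot before a public resolver can see the record (up to 5 minutes).
wait_for_txt() {
    local name="$(acme_txt_name "$1")" value="$2" i
    for i in $(seq 1 30); do
        dig +short TXT "$name" @1.1.1.1 2>/dev/null | grep -qF "$value" && return 0
        sleep 10
    done
    echo "TXT record for $name not visible after 5 minutes" >&2
    return 1
}

case "${1:-}" in
    auth)
        add_txt_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
        publish_zone
        wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
        ;;
    cleanup)
        remove_txt_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
        publish_zone
        ;;
esac
```

Once a certificate has been issued with these hooks, certbot stores them in the renewal configuration and a plain ./certbot-auto renew from cron re-runs them; the cleanup hook matters because stale _acme-challenge records otherwise pile up in the zone.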
Reference: https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
Reference: https://www.oschina.net/news/94188/acme-v2-and-wildcard-certificate-support-is-live
Reference: https://www.coderecord.cn/lets-encrypt-wildcard-certificates.html
Reference: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
Reference: https://my.oschina.net/kimver/blog/1634575
Reference: https://my.oschina.net/u/1021968/blog/1604461
Reference: https://www.chinassl.net/faq/n583.html
Reference: https://www.v2ex.com/t/165930
Reference: https://www.v2ex.com/t/437798#reply120
【Deployment】
1. Server configuration
Open httpd-vhosts.conf and edit:
<VirtualHost *:443>
    ServerName domainname.com
    ServerAlias www.domainname.com
    DocumentRoot /usr/local/apache2/htdocs/domainname.com/portal/
    ErrorLog /usr/local/apache2/htdocs/logs/domainname.com_error.log
    CustomLog /usr/local/apache2/htdocs/logs/domainname.com_access.log combined
    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    GnuTLSCertificateFile /usr/local/apache2/htdocs/ssl/domainname.com/chained.pem
    GnuTLSKeyFile /usr/local/apache2/htdocs/ssl/domainname.com/domain.key
    <Directory /usr/local/apache2/htdocs/domainname.com/portal>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName domainname.com
    ServerAlias www.domainname.com
    DocumentRoot /usr/local/apache2/htdocs/domainname.com/portal/
    Alias /.well-known/acme-challenge/ /usr/local/apache2/htdocs/challenges/
    ErrorLog /usr/local/apache2/htdocs/logs/domainname.com_error.log
    CustomLog /usr/local/apache2/htdocs/logs/domainname.com_access.log combined
    <Directory /usr/local/apache2/htdocs/domainname.com/portal>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
Points to check in this configuration:
GnuTLSCertificateFile and GnuTLSKeyFile point at copies under /usr/local/apache2/htdocs/ssl/, not at the /etc/letsencrypt/live/ paths certbot reported, so those copies must be refreshed after every renewal (a certbot --deploy-hook is the usual place for that) or the directives must point at the live/ paths directly.
Keep the ssl/ directory (and the logs/ directory) outside every DocumentRoot and the key file readable by root only: anything under the htdocs tree is one mis-scoped vhost away from being served over HTTP.
Apache selects the vhost, and therefore the certificate, by the SNI hostname matching ServerName/ServerAlias, not by a directory on disk. A wildcard certificate is served for www.domainname.com (or any other single-label subdomain) only if that name is also listed as a ServerAlias.
The Alias for /.well-known/acme-challenge/ on port 80 serves the http-01 challenge; with the dns-01 flow used above it is not exercised.
Options Indexes lists any directory without an index file; drop Indexes unless directory listings are intended.
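The vhost above reads chained.pem and domain.key from /usr/local/apache2/htdocs/ssl/, while certbot writes to /etc/letsencrypt/live/. The script below is an added example, not from this page, of a certbot --deploy-hook that bridges the two: it checks that the private key actually belongs to the certificate, refuses a certificate that is already about to expire, installs both files with tight permissions through an atomic rename, and reloads Apache. RENEWED_LINEAGE is the variable certbot really exports to deploy hooks; the target layout (ssl/<name>/chained.pem and domain.key) is taken from the vhost above, and the reload command and the SSL_ROOT override are assumptions.

```bash
#!/bin/bash
# deploy-cert.sh: certbot --deploy-hook that copies a freshly issued
# certificate out of /etc/letsencrypt/live into the directory the vhost
# points at. Added example, not from the page or from certbot.
#
# certbot exports RENEWED_LINEAGE (the live/<name> directory) to the hook.
# ASSUMPTIONS: target layout ssl/<name>/chained.pem + domain.key as in the
# vhost above; the reload command is whatever restarts your httpd.
#
# Usage: ./certbot-auto renew --deploy-hook /usr/local/bin/deploy-cert.sh
set -eu

SSL_ROOT="${SSL_ROOT:-/usr/local/apache2/htdocs/ssl}"
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"

# The SubjectPublicKeyInfo inside the certificate must equal the public half
# of the private key; otherwise Apache either refuses to start or serves a
# pair browsers reject. Both commands emit the same PEM form, so the text
# can be compared directly.
key_matches_cert() {
    local cert="$1" key="$2" a b
    a="$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" || return 1
    b="$(openssl pkey -in "$key" -pubout 2>/dev/null)" || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# -checkend exits non-zero if the certificate expires within N seconds.
cert_still_valid() {
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1
}

# Install fullchain + key under a name-specific directory (0700, files 0644
# and 0600). Files are written under a temporary name and renamed, so a
# reload that races with the copy never sees a half-written key. On any
# sanity failure nothing is touched and the function returns 1.
deploy_cert() {
    local lineage="$1" name dest
    name="$(basename "$lineage")"
    dest="$SSL_ROOT/$name"
    key_matches_cert "$lineage/fullchain.pem" "$lineage/privkey.pem" || {
        echo "deploy: key/cert mismatch in $lineage" >&2; return 1; }
    cert_still_valid "$lineage/fullchain.pem" || {
        echo "deploy: certificate in $lineage expires within a day" >&2; return 1; }
    mkdir -p "$dest"
    chmod 700 "$dest"
    install -m 644 "$lineage/fullchain.pem" "$dest/chained.pem.tmp"
    install -m 600 "$lineage/privkey.pem" "$dest/domain.key.tmp"
    mv "$dest/chained.pem.tmp" "$dest/chained.pem"
    mv "$dest/domain.key.tmp" "$dest/domain.key"
}

# Octal mode of a path (GNU stat; BSD stat would need "stat -f %Lp").
file_mode() {
    stat -c '%a' "$1"
}

# Entry point when certbot invokes this as the deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE"
    $RELOAD_CMD
fi
```

The key/cert comparison is the check worth keeping even if the rest is replaced: the same mismatch error is what you get when a re-issue (step 4 above) produced a new key while an old domain.key was left in place.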
【Verification】
After deployment restart the server and open the site in a browser; it should load without warnings.
Open the certificate details; the "Subject Alternative Name" field shows:
Not Critical
DNS Name: *.domainname.com
DNS Name: domainname.com
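The browser check above can be scripted with openssl, which also gives a starting point for the unified-monitoring item in the notes at the top of this page. The script below is an added example, not from this page: it lists the SAN entries, applies the wildcard matching rule (one label only, so *.domainname.com covers neither domainname.com nor a.b.domainname.com), computes the days left until expiry, and sweeps every lineage under a directory laid out like certbot's /etc/letsencrypt/live (<name>/fullchain.pem). cert_days_left assumes GNU date; the 30-day warning threshold is an assumption.

```bash
#!/bin/bash
# check-cert.sh: scriptable version of "look at the SAN list in the browser",
# plus an expiry sweep over every certbot lineage. Added example, not from
# the page. Uses only openssl (and GNU date for the day count).
set -eu

# Subject Alternative Names in a certificate file, one per line, exactly as
# the browser's "DNS Name:" entries (e.g. domainname.com, *.domainname.com).
cert_san_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Does one SAN entry cover HOST? A wildcard matches exactly one left-most
# label, so *.domainname.com covers www.domainname.com but neither
# domainname.com itself nor a.b.domainname.com; that is why the issuance
# command lists both domainname.com and "*.domainname.com".
san_matches_host() {
    local san="$1" host="$2"
    case "$san" in
        \*.*)
            local suffix="${san#\*.}" first="${host%%.*}"
            [ -n "$first" ] && [ "$host" != "$first" ] && [ "${host#"$first".}" = "$suffix" ] ;;
        *)
            [ "$san" = "$host" ] ;;
    esac
}

# Is HOST covered by any SAN entry of the certificate file?
cert_covers_host() {
    local cert="$1" host="$2" san names
    names="$(cert_san_names "$cert")"
    set -f                     # SAN entries contain "*": no pathname expansion
    for san in $names; do
        if san_matches_host "$san" "$host"; then set +f; return 0; fi
    done
    set +f
    return 1
}

# Whole days until notAfter (GNU date parses openssl's "Jun 18 12:00:00 2018 GMT").
cert_days_left() {
    local end
    end="$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)"
    echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# Sweep ROOT/*/fullchain.pem: report lineages that expire within WARN_DAYS
# (default 30) or whose certificate does not cover the lineage name (the
# first -d given to certbot). One line per problem; returns 1 if any.
check_lineages() {
    local root="$1" warn="${2:-30}" bad=0 cert name
    for cert in "$root"/*/fullchain.pem; do
        [ -f "$cert" ] || continue
        name="$(basename "$(dirname "$cert")")"
        if ! openssl x509 -in "$cert" -noout -checkend $((warn * 86400)) >/dev/null; then
            echo "$name: expires in $(cert_days_left "$cert") days"; bad=1
        fi
        cert_covers_host "$cert" "$name" || { echo "$name: not in SAN list"; bad=1; }
    done
    return $bad
}
```

Run check_lineages /etc/letsencrypt/live 30 from cron and alert on a non-zero exit; a Let's Encrypt certificate is valid for 90 days and renew only acts inside the last 30, so a lineage reported here is one whose renewal has already been failing for a while. The "not in SAN list" case catches a certificate whose CN is right but which was issued without the name (or with only the wildcard, which does not cover the apex).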
【Troubleshooting】
Error: Another instance of Certbot is already running
If the server exits halfway through configuration and you then try to generate the certificate for the same domain again, it fails with:
Another instance of Certbot is already running
Find the process ID of the certbot run that was left half-finished:
ps -ef | grep certb
Then kill it by process ID (1105 is the PID from that listing):
kill 1105
Confirm first that the PID really is the abandoned run and not a scheduled renewal in progress. Once the stale process is gone, re-run the issuance command.
Error: Certbot has problem setting up the virtual environment
The pip version may be too old:
pip install --upgrade pip
If that does not help, the cause may be a stale pip mirror configuration.
Reference: https://www.cnblogs.com/ProgramLayman/p/8528568.html
Reference: https://www.v2ex.com/t/347335
mv ~/.pip/pip.conf ~/.pip/pip.conf.backup
After this the error disappears.
Alternatively, point pip at a different mirror directly:
Reference: http://ju.outofmemory.cn/entry/287356
Reference: http://www.cnblogs.com/ityunv/p/5909434.html
mkdir -p ~/.pip
cat > ~/.pip/pip.conf <<EOF
[global]
trusted-host=mirrors.aliyun.com
index-url=http://mirrors.aliyun.com/pypi/simple/
EOF
Prefer index-url=https://mirrors.aliyun.com/pypi/simple/ here: trusted-host tells pip to accept the host without a valid TLS certificate, so with a plain-http index every package certbot-auto installs (as root) is fetched unverified. With an https index the trusted-host line is unnecessary.