2018-09-22 Alibaba Cloud ECS server, CentOS 7.4: setting up a LAMP WordPress environment: SSL

Installing the SSL certificate

The recommended way to install the certificate is Certbot, the automation script provided by Let's Encrypt. (Older versions of Certbot were called letsencrypt or letsencrypt-auto.)

Certbot: supports only Unix-based systems, i.e. Linux, Ubuntu, macOS and so on.

Alibaba Cloud SSL certificates: there are no longer any free ones.
Tencent Cloud SSL certificates: I don't know whether they will start charging in the future.

First go to the Certbot website: https://certbot.eff.org/

Certbot

The page asks which HTTP server you are running on which system. My system is CentOS 7.4, so I chose CentOS/RHEL 7, and for the HTTP server I chose Apache. (For the HTTP server, the usual choice is Apache or Nginx.)

Step 01

My CentOS is not an EC2 instance

[root@~]# cat /sys/devices/virtual/dmi/id/product_uuid 
8113ECEB-...

If there is no dmi directory, install it

[root@~]# sudo yum -y install dmidecode 

If the UUID starts with ec2, run the following two commands

[root@~]# yum -y install yum-utils
[root@~]# yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

Step 02

Install Certbot

[root@~]# sudo yum -y install python2-certbot-apache
......
Total                                                                                                                                4.6 MB/s | 876 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python2-certbot-0.26.1-2.el7.noarch                                                                                                               1/4 
  Installing : certbot-0.26.1-2.el7.noarch                                                                                                                       2/4 
  Installing : 1:mod_ssl-2.4.6-80.el7.centos.1.x86_64                                                                                                            3/4 
  Installing : python2-certbot-apache-0.26.1-1.el7.noarch                                                                                                        4/4 
  Verifying  : certbot-0.26.1-2.el7.noarch                                                                                                                       1/4 
  Verifying  : python2-certbot-0.26.1-2.el7.noarch                                                                                                               2/4 
  Verifying  : 1:mod_ssl-2.4.6-80.el7.centos.1.x86_64                                                                                                            3/4 
  Verifying  : python2-certbot-apache-0.26.1-1.el7.noarch                                                                                                        4/4

Installed:
  python2-certbot-apache.noarch 0:0.26.1-1.el7                                                                                                                       

Dependency Installed:
  certbot.noarch 0:0.26.1-2.el7                    mod_ssl.x86_64 1:2.4.6-80.el7.centos.1                    python2-certbot.noarch 0:0.26.1-2.el7                   

Complete!

Check the installation

[root@~]# ls /etc/ | grep "python"
python

[root@~]# yum list installed | grep "certbot"
certbot.noarch                      0.26.1-2.el7                    @epel       
python2-certbot.noarch              0.26.1-2.el7                    @epel       
python2-certbot-apache.noarch       0.26.1-1.el7                    @epel 

[root@~]# ls /etc/ | grep "letsencrypt"
letsencrypt

[root@~]# whereis certbot
certbot: /usr/bin/certbot

Step 03

Generate the SSL certificate

[root@~]# sudo certbot --apache

If sudo certbot --apache fails:

[root@~]# sudo certbot --apache
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 570, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2751, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2405, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2411, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 18, in <module>
    from certbot import account
  File "/usr/lib/python2.7/site-packages/certbot/account.py", line 18, in <module>
    from acme import messages
  File "/usr/lib/python2.7/site-packages/acme/messages.py", line 7, in <module>
    from acme import challenges
  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 11, in <module>
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module>
    from . import utils
  File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in <module>
    from .exceptions import InvalidURL
  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in <module>
    from .packages.urllib3.exceptions import HTTPError as BaseHTTPError
  File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 95, in load_module
    raise ImportError("No module named '%s'" % (name,))
ImportError: No module named 'requests.packages.urllib3'

Run the following commands to fix the problem

[root@~]# cd /usr/lib/python2.7/site-packages/urllib3/packages/
[root@~]# sudo rm -rf ssl_match_hostname*
[root@~]# yum -y install python-urllib3.noarch

The steps in detail

[root@~]# cd /usr/lib/python2.7/site-packages/urllib3/packages/
[root@packages]# ls -la
total 48
drwxr-xr-x 4 root root 4096 Sep  3 18:23 .
drwxr-xr-x 5 root root 4096 Sep  3 18:23 ..
drwxr-xr-x 2 root root 4096 Oct 15  2017 backports
-rw-r--r-- 1 root root   74 Aug  7  2014 __init__.py
-rw-r--r-- 1 root root  275 Sep  3 18:15 __init__.pyc
-rw-r--r-- 1 root root 8935 Aug  7  2014 ordered_dict.py
-rw-r--r-- 1 root root 9868 Oct 15  2017 ordered_dict.pyc
lrwxrwxrwx 1 root root   12 Sep  3 18:23 six.py -> ../../six.py
lrwxrwxrwx 1 root root   13 Sep  3 18:23 six.pyc -> ../../six.pyc
lrwxrwxrwx 1 root root   13 Sep  3 18:23 six.pyo -> ../../six.pyo
drwxr-xr-x 2 root root 4096 Oct 15  2017 ssl_match_hostname
lrwxrwxrwx 1 root root   34 Sep  3 18:11 ssl_match_hostname;5b8d08dd -> ../../backports/ssl_match_hostname
lrwxrwxrwx 1 root root   34 Sep  3 18:20 ssl_match_hostname;5b8d0afa -> ../../backports/ssl_match_hostname
lrwxrwxrwx 1 root root   34 Sep  3 18:23 ssl_match_hostname;5b8d0b99 -> ../../backports/ssl_match_hostname

[root@packages]# sudo rm -rf ssl_match_hostname*
[root@packages]# sudo yum update python-urllib3.noarch
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Package(s) python-urllib3.noarch available, but not installed.
No packages marked for update
[root@izwz9dnfbgdn5tleje5eitz packages]# yum -y install python-urllib3.noarch
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package python-urllib3.noarch 0:1.10.2-5.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================
 Package                       Arch                  Version                        Repository           Size
==============================================================================================================
Installing:
 python-urllib3                noarch                1.10.2-5.el7                   base                102 k

Transaction Summary
==============================================================================================================
Install  1 Package

Total download size: 102 k
Installed size: 378 k
Downloading packages:
python-urllib3-1.10.2-5.el7.noarch.rpm                                                 | 102 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python-urllib3-1.10.2-5.el7.noarch                                                         1/1 
  Verifying  : python-urllib3-1.10.2-5.el7.noarch                                                         1/1 

Installed:
  python-urllib3.noarch 0:1.10.2-5.el7                                                                        

Complete!

Run sudo certbot --apache again

[root@~]# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxx@gmail.com // If you have a mailbox hosted outside China, prefer it: delivery to mailboxes inside China can be slow,
                       // and sometimes mail to them does not arrive at all.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: 

Opening https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf in a browser downloads the document.

Opening https://acme-v02.api.letsencrypt.org/directory in a browser shows its contents. This file is needed for ACME v2; the certificate being generated now is an ACME one, and ACME v2 is covered later.

{
  "OjTRjMzrdVo": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

Continuing: enter a or A to agree.

......
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom. // Gist: asks whether you want news about the work of the Let's Encrypt project sent to your email address.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y // Up to you. I chose y because, having decided to use this project, I need to keep up with it to avoid unforeseen problems.
Starting new HTTPS connection (1): supporters.eff.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): deepppixel.com  // enter your domain name
Obtaining a new certificate
Resetting dropped connection: acme-v02.api.letsencrypt.org
Resetting dropped connection: acme-v02.api.letsencrypt.org
Performing the following challenges:
http-01 challenge for deepppixel.com
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

First back up the /etc/letsencrypt directory

[root@~]# cp -rf /etc/letsencrypt/ /etc/.letsencrypt.backup/

[root@~]# ls /etc/.letsencrypt.backup/
accounts  csr  keys  options-ssl-apache.conf  renewal  renewal-hooks

[root@~]# ls /etc/letsencrypt/
accounts  csr  keys  options-ssl-apache.conf  renewal  renewal-hooks

If the following error message appears, you need to configure an Apache virtual host

Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

Adding an Apache virtual host (vhost)

The domain I use is deepppixel.com; remember to add a DNS record for the domain.

I am creating a name-based virtual host, where multiple domain names point to the same server address.

The other two kinds are IP-based and port-based.

First create the directory that holds the virtual host configuration

// virtual host configuration files
[root@~]# mkdir -p /etc/httpd/conf/vhost

Then create the content directory for the domain's site

// Naming it after the domain makes it easy to add more domains later without conflicts; don't pick arbitrary names, you will regret it
[root@~]# mkdir -p /var/www/deepppixel.com

Create the log files for the domain

[root@~]# touch /etc/httpd/logs/deepppixel.com-error_log
[root@~]# touch /etc/httpd/logs/deepppixel.com-access_log

Add the virtual host directory created above to the Apache configuration file

[root@~]# vim /etc/httpd/conf/httpd.conf
......
# vhost
Include conf/vhost/*.conf

Now add the virtual host file

[root@~]# vim /etc/httpd/conf/vhost/deepppixel.com.conf
<VirtualHost PRIVATE_IP:80>
    ServerName deepppixel.com
    ServerAlias deepppixel.com *.deepppixel.com
    DocumentRoot "/www/deepppixel.com"
    ErrorLog "/logs/deepppixel.com-error_log"
    CustomLog "/logs/deepppixel.com-access_log"
    <Directory "/www/deepppixel.com">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

Check httpd.conf for errors

[root@~]# httpd -t
// directory not found
AH00112: Warning: DocumentRoot [/www/deepppixel.com] does not exist 
// CustomLog must be followed by two or three arguments
AH00526: Syntax error on line 7 of /etc/httpd/conf/vhost/deepppixel.com.conf:
CustomLog takes two or three arguments, a file name, a custom log format string or format name, and an optional "env=" or "expr=" clause (see docs) 

Two errors were reported; fix them as follows

  2 <VirtualHost PRIVATE_IP:80>
  3     ServerName deepppixel.com
  4     ServerAlias deepppixel.com *.deepppixel.com
    // fix for AH00112
  5     DocumentRoot "/var/www/deepppixel.com"
  6     ErrorLog "logs/deepppixel.com-error_log"
    // fix for AH00526
  7     CustomLog "logs/deepppixel.com-access_log" "%h %l %u %t \"%r\" %>s %b"
  8     <Directory "/www/deepppixel.com">
  9         Options Indexes FollowSymLinks
 10         AllowOverride None
 11         Require all granted
 12     </Directory>
 13 </VirtualHost>

Check again

[root@~]# httpd -t
Syntax OK
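
An added example (not part of the original post): httpd -t validates syntax only, so it reports Syntax OK above even though the corrected file still pairs <Directory "/www/deepppixel.com"> with DocumentRoot "/var/www/deepppixel.com". The lint below flags the two httpd -t findings and that mismatch; lint_vhost, make_vhost and the address 192.0.2.10 are names and values assumed for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. File contents in the demo are
# constructed; 192.0.2.10 is a documentation address standing in for the private IP.

# lint_vhost FILE
# Prints one finding per line; no output means nothing was found.
# Assumes paths without spaces and one directive per line.
lint_vhost() {
    awk '
    # Drop a trailing ">" and surrounding double quotes from a token.
    function bare(s) { sub(/>$/, "", s); sub(/^"/, "", s); sub(/"$/, "", s); return s }

    # Count tokens, treating a "quoted string" (with \" escapes) as one token.
    function ntokens(s,    i, c, n, inq, intok) {
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "\\" && inq) { i++; continue }
            if (c == "\"") inq = !inq
            else if ((c == " " || c == "\t") && !inq) { intok = 0; continue }
            if (!intok) { intok = 1; n++ }
        }
        return n + 0
    }

    # Does <Directory d> govern root, a parent of root, or something below it?
    function related(d, root) {
        return d == root || index(root, d "/") == 1 || index(d, root "/") == 1
    }

    # At the end of each vhost, report <Directory> sections unrelated to its root.
    function report(    d) {
        for (d in dirs)
            if (root != "" && !related(d, root))
                printf "%s:%d: <Directory %s> never applies to DocumentRoot %s\n", FILENAME, dirs[d], d, root
        root = ""; split("", dirs)
    }

    { sub(/^[ \t]+/, ""); key = tolower($1) }
    key == "documentroot"   { root = bare($2) }
    key == "<directory"     { dirs[bare($2)] = NR }
    key == "customlog" && ntokens($0) < 3 {
        printf "%s:%d: CustomLog needs a file name and a format (AH00526)\n", FILENAME, NR
    }
    key == "</virtualhost>" { report() }
    END { report() }
    ' "$1"

    # AH00112: every DocumentRoot must exist on disk.
    awk 'tolower($1) == "documentroot" { gsub(/"/, "", $2); print $2 }' "$1" |
    while IFS= read -r root; do
        [ -d "$root" ] || printf '%s: DocumentRoot %s does not exist (AH00112)\n' "$1" "$root"
    done
}

# make_vhost OUT DOCROOT DIRPATH [FORMAT]: write a constructed vhost file
# shaped like the one in the post.
make_vhost() {
    cat > "$1" <<EOF
<VirtualHost 192.0.2.10:80>
    ServerName deepppixel.com
    DocumentRoot "$2"
    ErrorLog "logs/deepppixel.com-error_log"
    CustomLog "logs/deepppixel.com-access_log" ${4:-}
    <Directory "$3">
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

demo() {
    t=$(mktemp -d); mkdir -p "$t/var/www/deepppixel.com"
    fmt='"%h %l %u %t \"%r\" %>s %b"'
    make_vhost "$t/first.conf"  "$t/www/deepppixel.com"     "$t/www/deepppixel.com"
    make_vhost "$t/second.conf" "$t/var/www/deepppixel.com" "$t/www/deepppixel.com" "$fmt"
    lint_vhost "$t/first.conf"     # the two problems httpd -t reported
    lint_vhost "$t/second.conf"    # passes httpd -t, yet the <Directory> path is stale
    rm -rf "$t"
}
demo
```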

Restart the Apache server

[root@~]# systemctl restart httpd.service

Refresh the page, and uh-oh

403

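Before any virtual host was configured, the site served files directly from /var/www/html/. Once a virtual host is configured, Apache uses the virtual host's configuration and ignores the default settings. In other words, the site now serves files from the /var/www/deepppixel.com directory, but that directory is empty.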

Fixing the problem

// permissions are fine
[root@~]# ls -la /var/www/
total 20
drwxr-xr-x   5 root root 4096 Sep 13 16:44 .
drwxr-xr-x. 20 root root 4096 Sep  5 11:54 ..
drwxr-xr-x   2 root root 4096 Jun 27 21:49 cgi-bin
drwxr-xr-x   2 root root 4096 Sep 13 16:44 deepppixel.com
drwxr-xr-x   2 root root 4096 Sep 13 16:14 html
lrwxrwxrwx   1 root root   15 Sep  7 12:38 public -> /vagrant/public

// create the index.html home page file
[root@~]# touch /var/www/deepppixel.com/index.html

[root@~]# echo 'Apache HTTP Server... deepppixel.com Hello World !' > /var/www/deepppixel.com/index.html

[root@~]# cat /var/www/deepppixel.com/index.html
Apache HTTP Server... deepppixel.com Hello World !

[root@~]# systemctl restart httpd.service
403 ok

Run the sudo certbot --apache command again

[root@~]# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: deepppixel.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

The virtual host we just configured has been detected

1: deepppixel.com

There is only one option here, so enter 1

......
blank to select all options shown (Enter 'c' to cancel):  1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for deepppixel.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf/vhost/deepppixel.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/vhost/deepppixel.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
// do not redirect HTTP to HTTPS
1: No redirect - Make no further changes to the webserver configuration.
// redirect all HTTP to HTTPS and disable HTTP access
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 

Now the next question: we want HTTPS, so choose 2

......
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf/vhost/deepppixel.com.conf to ssl vhost in /etc/httpd/conf/vhost/deepppixel.com-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://deepppixel.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=deepppixel.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/deepppixel.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/deepppixel.com/privkey.pem
   Your cert will expire on 2018-12-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

If you also see the message Congratulations! You have successfully enabled https://deepppixel.com above, you have succeeded. The certificate is saved under /etc/letsencrypt/live/deepppixel.com/.

Now refresh your page

https

Now view the certificate (Chrome browser)

https

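Because the SSL certificate is valid for 90 days by default, you have to renew it yourself before it expires. The crontab entry below automates the renewal (add it to root's crontab); the renewal runs automatically in the middle of the night every day.

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew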

Did you think we were done?

Of course not! What we have created so far is only an ACME certificate; the latest is ACME v2, which supports wildcards such as *.deepppixel.com.

Step 04

From the Certbot DNS plugins I picked one whose provider supports third-party login; you can choose whichever DNS provider you prefer.

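The plugin I first chose was certbot-dns-cloudxns, but it requires real-name verification. That would have been fine, except the verification kept reporting that my information was wrong without giving a specific reason. After several failed attempts and no help from customer support, I had to switch to another one.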

I now use certbot-dns-cloudflare. Register first, then follow the screenshots below to make the selections.

In [Figure 01], the red box links to a feature for adding several domains at once. Here we only demonstrate adding one, so fill in the box above and click confirm.

Figure 01: Cloudflare - Web Performance & Security

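After Add Site in [Figure 01], click next [Figure 02], then choose a plan [Figure 03]; I chose the free one. Cloudflare then automatically loads the HTTP DNS records you previously added for the domain at your registrar [Figure 04]. If you want more records, add them yourself.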

Figure 02: Cloudflare - Web Performance & Security next
Figure 03: Cloudflare - Web Performance & Security money
Figure 04: Cloudflare - Web Performance & Security DNS records

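Click help [Figure 05] and choose other to jump to [Figure 06]. Following Step 1 / 2, change the DNS at your domain registrar. My domain is registered with Tencent, so I had to change it there; see [Figure 07] for how. When the change is done, return to Cloudflare [Figure 06] and click I'm done.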

Figure 05: Cloudflare - Web Performance & Security help nameservers
Figure 06: Cloudflare - Web Performance & Security steps for changing namexxx.jpg
Figure 07: cloudflare nameservers

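After finishing the change and clicking I'm done, [Figure 08] appears. The whole point of all these steps is to obtain the API key. Scroll down to find Get your API Key [Figure 09] (Figures 08 and 09 are the same page), click it to enter My Profile, scroll to the bottom to find API Keys [Figure 10], and click view to get the API key.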

There are two API keys here. The Origin key is for use on a public server; mine is a personal server, so I chose the Global key.

Figure 08: Cloudflare - Web Performance & Security done
Figure 09: Cloudflare - Web Performance & Security api get
Figure 10: My Profile _ Cloudflare - Web Performance & Security

Step 05

Installing the DNS plugin

First install the Certbot DNS plugin

Search with yum

[root@~]# yum search dns-cloudflare dns-cloudxns dns-digitalocean dns-dnsimple dns-dnsmadeeasy dns-google dns-linode dns-luadns dns-nsone dns-ovh dns-rfc2136 dns-route53
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * remi-php72: mirrors.tuna.tsinghua.edu.cn
 * remi-safe: mirrors.tuna.tsinghua.edu.cn
 * webtatic: uk.repo.webtatic.com
======================================== N/S matched: dns-cloudflare =========================================
python2-certbot-dns-cloudflare.noarch : Cloudflare DNS Authenticator plugin for Certbot

========================================= N/S matched: dns-cloudxns ==========================================
python2-certbot-dns-cloudxns.noarch : CloudXNS DNS Authenticator plugin for Certbot

======================================= N/S matched: dns-digitalocean ========================================
python2-certbot-dns-digitalocean.noarch : DigitalOcean DNS Authenticator plugin for Certbot

========================================= N/S matched: dns-dnsimple ==========================================
python2-certbot-dns-dnsimple.noarch : DNSimple DNS Authenticator plugin for Certbot

======================================== N/S matched: dns-dnsmadeeasy ========================================
python2-certbot-dns-dnsmadeeasy.noarch : DNS Made Easy DNS Authenticator plugin for Certbot

========================================== N/S matched: dns-google ===========================================
python2-certbot-dns-google.noarch : Google Cloud DNS Authenticator plugin for Certbot

========================================== N/S matched: dns-linode ===========================================
python2-certbot-dns-linode.noarch : Linode DNS Authenticator plugin for Certbot

========================================== N/S matched: dns-luadns ===========================================
python2-certbot-dns-luadns.noarch : LuaDNS Authenticator plugin for Certbot

=========================================== N/S matched: dns-nsone ===========================================
python2-certbot-dns-nsone.noarch : NS1 DNS Authenticator plugin for Certbot

============================================ N/S matched: dns-ovh ============================================
python2-certbot-dns-ovh.noarch : OVH DNS Authenticator plugin for Certbot

========================================== N/S matched: dns-rfc2136 ==========================================
python2-certbot-dns-rfc2136.noarch : RFC 2136 DNS Authenticator plugin for Certbot

========================================== N/S matched: dns-route53 ==========================================
python2-certbot-dns-route53.noarch : Route53 DNS Authenticator plugin for Certbot

  Name and summary matches mostly, use "search all" for everything.

Or search with pip

[root@izwz9dnfbgdn5tleje5eitz ~]# pip search certbot | grep "certbot-dns-"
certbot-dns-luadns (0.27.1)              - LuaDNS Authenticator plugin for Certbot
certbot-dns-alwaysdata (0.24.0)          - Alwaysdata DNS Authenticator plugin for Certbot
certbot-dns-cloudflare (0.27.1)          - Cloudflare DNS Authenticator plugin for Certbot
certbot-dns-cloudxns (0.27.1)            - CloudXNS DNS Authenticator plugin for Certbot
certbot-dns-conoha (0.1.0)               - ConoHa DNS Authenticator plugin for certbot.
certbot-dns-digitalocean (0.27.1)        - DigitalOcean DNS Authenticator plugin for Certbot
certbot-dns-dnsimple (0.27.1)            - DNSimple DNS Authenticator plugin for Certbot
certbot-dns-dnspod (0.1.0)               - DNSPOD DNS Authenticator plugin for Certbot
certbot-dns-linode (0.27.1)              - Linode DNS Authenticator plugin for Certbot
certbot-dns-netcup (0.27.0.dev4)         - netcup DNS Authenticator plugin for Certbot
certbot-dns-nsone (0.27.1)               - NS1 DNS Authenticator plugin for Certbot
certbot-dns-openstack (0.0.1)            - OpenStack DNS Authenticator plugin for Certbot
certbot-dns-ovh (0.27.1)                 - OVH DNS Authenticator plugin for Certbot
certbot-dns-route53 (0.27.1)             - Route53 DNS Authenticator plugin for Certbot
certbot-dns-google (0.27.1)              - Google Cloud DNS Authenticator plugin for Certbot
certbot-dns-rfc2136 (0.27.1)             - RFC 2136 DNS Authenticator plugin for Certbot
certbot-dns-sakuracloud (0.27.1)         - Sakura Cloud DNS Authenticator plugin for Certbot
certbot-dns-dnsmadeeasy (0.27.1)         - DNS Made Easy DNS Authenticator plugin for Certbot
certbot-dns-gehirn (0.27.1)              - Gehirn Infrastracture Service DNS Authenticator plugin for Certbot
certbot-dns-cpanel (0.2.0)               - certbot plugin to allow acme dns-01 authentication of a name managed in cPanel.

List Certbot's plugins

[root@~]# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Installation option 1: yum

Install certbot-dns-cloudflare with yum

[root@~]# yum -y install python2-certbot-dns-cloudflare
......
Total                                                                         1.7 MB/s | 281 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python2-zope-interface-4.0.5-0.el7.noarch                                                  1/5 
  Installing : libyaml-0.1.4-11.el7_0.x86_64                                                              2/5 
  Installing : PyYAML-3.10-11.el7.x86_64                                                                  3/5 
  Installing : python2-cloudflare-2.1.0-2.el7.noarch                                                      4/5 
  Installing : python2-certbot-dns-cloudflare-0.26.1-1.el7.noarch                                         5/5 
  Verifying  : python2-cloudflare-2.1.0-2.el7.noarch                                                      1/5 
  Verifying  : libyaml-0.1.4-11.el7_0.x86_64                                                              2/5 
  Verifying  : PyYAML-3.10-11.el7.x86_64                                                                  3/5 
  Verifying  : python2-certbot-dns-cloudflare-0.26.1-1.el7.noarch                                         4/5 
  Verifying  : python2-zope-interface-4.0.5-0.el7.noarch                                                  5/5 

Installed:
  python2-certbot-dns-cloudflare.noarch 0:0.26.1-1.el7                                                        

Dependency Installed:
  PyYAML.x86_64 0:3.10-11.el7                         libyaml.x86_64 0:0.1.4-11.el7_0                        
  python2-cloudflare.noarch 0:2.1.0-2.el7             python2-zope-interface.noarch 0:4.0.5-0.el7            

Complete!

Listing Certbot's plugins again now reports an error

[root@site-packages]# certbot plugins
An unexpected error occurred:
DistributionNotFound: The 'cloudflare>=1.5.1' distribution was not found and is required by the application
Please see the logfile '/tmp/tmpdXjGyi' for more details.

The error message says cloudflare cannot be found; to get rid of the error:

[root@~]# yum -y install python2-cloudflare 

List Certbot's plugins again

[root@~]# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT

* dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using
Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare =
certbot_dns_cloudflare.dns_cloudflare:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Installation option 2: pip

Install certbot-dns-cloudflare with pip

[root@~]# pip search certbot-dns-cloudflare | grep "certbot-dns-cloudflare"
certbot-dns-cloudflare (0.27.1)                       - Cloudflare DNS Authenticator plugin for Certbot

[root@~]# pip install certbot-dns-cloudflare
......
Installing collected packages: jsonlines, cloudflare, certbot-dns-cloudflare
  Running setup.py install for cloudflare ... done
Successfully installed certbot-dns-cloudflare-0.27.1 cloudflare-2.1.0 jsonlines-1.2.0

After installation, list Certbot's plugins again

[root@~]# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT

* dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using
Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare =
certbot_dns_cloudflare.dns_cloudflare:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

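There was also a problem with pip. At first pip installed the plugin successfully; I uninstalled it for this demonstration, and on reinstalling I got TypeError: cannot concatenate 'str' and 'NoneType' objects, which is a strange error. Python itself was fine, so I removed pip, installed pip again, and then installing certbot-dns-cloudflare with pip worked. [Possibly the problem came from my pip having been upgraded directly from an old version. Upstream says this error has already been fixed; if it still occurs, it must be a problem with pip itself.]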

Remove pip and reinstall it

[root@~]# yum list installed | grep "pip"
yum list installed *pip
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * remi-php72: mirrors.tuna.tsinghua.edu.cn
 * remi-safe: mirrors.tuna.tsinghua.edu.cn
 * webtatic: uk.repo.webtatic.com
Installed Packages
python2-pip.noarch                                                                 8.1.2-6.el7                                                                  @epel
[root@~]# yum remove python2-pip
[root@~]# yum search pip | grep 'python.*\-pip'
python-django-pipeline.noarch : An asset packaging library for Django
python2-pip.noarch : A tool for installing and managing Python 2 packages
python34-pip.noarch : A tool for installing and managing Python3 packages

Choose the package for your Python version and install it

[root@~]# yum -y install python2-pip

If the final output of the pip install of cloudflare is

......
Installing collected packages: certbot-dns-cloudflare
Successfully installed certbot-dns-cloudflare-0.27.1

then the installation is not complete yet, and some dependencies still have to be installed

[root@~]# pip install cloudflare jsonlines

Installation option 3: python [not recommended]

Clone the repository locally with git, then install with python

[root@~]# git clone https://github.com/certbot/certbot/
[root@~]# cd certbot/certbot-dns-cloudflare
[root@~]# python setup.py install

If the installation above did not succeed, check which Python version Certbot uses!

[root@~]# head /usr/bin/certbot
#!/usr/bin/python2
......

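Mine is Python 2.x, so there is no problem. If the check shows Python 3, mind the version, and the same applies the other way round: everything has to use the same Python version.

Use the API Keys to build an ini file. First create a hidden folder to keep things organized, then create the file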

[root@~]# mkdir -p ~/.secrets/certbot

[root@~]# vim ~/.secrets/certbot/cloudflare.ini

Enter the following in the ini file

# Cloudflare API credentials used by Certbot
# The email address you registered with Cloudflare
dns_cloudflare_email = xxx@xxx.com
# The API Keys obtained above
dns_cloudflare_api_key = API Keys

Configure and install with Certbot

[root@~]# certbot -a dns-cloudflare -i apache --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini --dns-cloudflare-propagation-seconds 60 -d "*.deepppixel.com" -d deepppixel.com --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/deepppixel.com.conf)

It contains these names: deepppixel.com

You requested these names for the new certificate: *.deepppixel.com,
deepppixel.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: 

Because we already have an ACME certificate, Certbot asks whether to replace and expand it.

First, an explanation (the command below can be copied, pasted and run as is)

[root@~]# certbot \
  -a dns-cloudflare \
  -i apache \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d "*.deepppixel.com" \
  -d deepppixel.com \
  --server https://acme-v02.api.letsencrypt.org/directory

-a dns-cloudflare: use the certbot-dns-cloudflare DNS plugin; change this to the DNS plugin you installed;

-i apache: since we are using Apache HTTP Server, use the apache installer;

--dns-cloudflare-credentials: path to the file holding the API Keys;

--dns-cloudflare-propagation-seconds 60: the DNS wait time (how long Certbot waits for the DNS change to propagate); the default is 10 s, so it can be omitted;

-d "*.deepppixel.com": a domain to add; this one is the wildcard domain;

-d deepppixel.com: the bare domain;

--server https://acme-v02.api.letsencrypt.org/directory: use ACME v2; if omitted, ACME (v1) is used.

OK! Continue and choose e

......
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Resetting dropped connection: acme-v02.api.letsencrypt.org
Performing the following challenges:
dns-01 challenge for deepppixel.com
dns-01 challenge for deepppixel.com
Unsafe permissions on credentials configuration file: /root/.secrets/certbot/cloudflare.ini
Starting new HTTPS connection (1): api.cloudflare.com
Starting new HTTPS connection (1): api.cloudflare.com
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): api.cloudflare.com
Starting new HTTPS connection (1): api.cloudflare.com

Which VirtualHosts would you like to install the wildcard certificate for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/httpd/conf/vhost/deepppixel.com-le-ssl.conf
Addresses: xxx:443
Names: deepppixel.com, *.deepppixel.com
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

When you see Waiting 60 seconds for DNS changes to propagate, do not touch anything; just wait.

A new pitfall appears: Unsafe permissions on credentials configuration file: /root/.secrets/certbot/cloudflare.ini

First type c to cancel the operation

......
blank to select all options shown (Enter 'c' to cancel): c
No vhost exists with servername or alias for domain *.deepppixel.com. No vhost was selected. Please specify ServerName or ServerAlias in the Apache config.
No vhost selected

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/deepppixel.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/deepppixel.com/privkey.pem
   Your cert will expire on 2018-12-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

The permissions of the ini file have to be changed:

[root@~]# chmod 600 ~/.secrets/certbot/cloudflare.ini
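
The ini file above was created with vim under the default umask and only tightened afterwards, so the API key stayed readable by other local users until the chmod. An added example (not from the original post or from Certbot) that writes the file with mode 0600 from the start and refuses to run a command while group or other bits are set; the function names are hypothetical, and the check is an assumption that is stricter than whatever Certbot itself tests.

```shell
#!/bin/sh
# Added example: create and audit the Certbot DNS credentials file.
# Function names are hypothetical; they are not part of Certbot.

# cred_mode_ok FILE -> 0 if FILE is a regular file (not a symlink) with no
# group/other permission bits (e.g. 0600 or 0400), 1 otherwise.
cred_mode_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # ls -ld prints e.g. "-rw-------"; characters 5-10 are the group+other bits.
    bits=$(ls -ld -- "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# write_cred_file FILE EMAIL KEY -> (re)creates FILE so that it is 0600 from
# the first byte on: umask is tightened in a subshell before the file exists.
write_cred_file() {
    (
        umask 077
        mkdir -p -- "$(dirname "$1")" || exit 1
        # An existing file keeps its old mode on overwrite, so recreate it.
        rm -f -- "$1"
        printf '%s\n' \
            '# Cloudflare API credentials used by Certbot' \
            "dns_cloudflare_email = $2" \
            "dns_cloudflare_api_key = $3" > "$1"
    )
}

# guard FILE CMD...: run CMD only when FILE passes cred_mode_ok.
# e.g. guard ~/.secrets/certbot/cloudflare.ini certbot renew
guard() {
    f=$1
    shift
    if ! cred_mode_ok "$f"; then
        echo "refusing to run: $f is accessible by group/other" >&2
        return 1
    fi
    "$@"
}
```
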

Run the command again

[root@~]# certbot -a dns-cloudflare -i apache --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini --dns-cloudflare-propagation-seconds 60 -d "*.deepppixel.com" -d deepppixel.com --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/deepppixel.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
// Reinstall using the certificate that already exists
2: Renew & replace the cert (limit ~5 per 7 days)
// Renew and replace the certificate (limit of about 5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 

We choose 2, which brings us back to the step we cancelled above

......
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for deepppixel.com
dns-01 challenge for deepppixel.com
Starting new HTTPS connection (1): api.cloudflare.com
Starting new HTTPS connection (1): api.cloudflare.com
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): api.cloudflare.com
Starting new HTTPS connection (1): api.cloudflare.com

Which VirtualHosts would you like to install the wildcard certificate for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/httpd/conf/vhost/deepppixel.com-le-ssl.conf
Addresses: xxx:443
Names: deepppixel.com, *.deepppixel.com
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

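If there are two or more entries, for example 1: Filexxx 2: Filexxx 3: Filexxx ..., you can type 1, a space, then 3 to install only for 1 and 3. To install for all of them, just press Enter. Since I only have one, I choose 1 and press Enter.

Continue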

......
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Deploying Certificate to VirtualHost /etc/httpd/conf/vhost/deepppixel.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/vhost/deepppixel.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 

The prompt above should look familiar; just choose 2

......
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.
Enhancement redirect was already set.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://*.deepppixel.com and
https://deepppixel.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=*.deepppixel.com
https://www.ssllabs.com/ssltest/analyze.html?d=deepppixel.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/deepppixel.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/deepppixel.com/privkey.pem
   Your cert will expire on 2018-12-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Refresh your https://www.deepppixel.com page and that's it!

Check the certificate again

[Image: acme v2.jpg]

You can also test SSL with the URL mentioned above, https://www.ssllabs.com/ssltest/analyze.html?d=your-domain, which shows more information.

[Image: SSL Server Test (Powered by Qualys SSL Labs)]
[Image: SSL Server Test_ www.deepppixel.com (Powered by Qualys SSL Labs)]

The results appear once it reaches 100% complete, and there is a lot more information further down.
