SSL introduction
HTTPS has long since become the mainstream of today's web; I recently upgraded my own site to HTTPS.
Let's Encrypt is a non-profit certificate authority that provides TLS certificates for some 180 million websites. It is open source and completely free, and the certificates it issues are trusted by almost every browser.
The client script used in this article is acmesh-official/acme.sh.
Preparation
Environment
Operating system: Ubuntu 18.04 x64
Web server: Nginx
Domain name
You need to buy a domain from a registrar yourself; that is not covered here.
Installing the script acmesh-official/acme.sh
Online install
curl https://get.acme.sh | sh
This is the officially recommended method. The download is over HTTPS, but piping it straight into sh gives you no chance to read what you are running; if you are worried about the script being tampered with in transit (for example by an ISP that hijacks traffic), install from the git repository instead, where you can inspect the script (and check out a tagged release) before running it.
Install from the git repository
Clone the git repository:
[root@Ubuntu:~]# git clone https://github.com/acmesh-official/acme.sh.git
Cloning into 'acme.sh'...
remote: Enumerating objects: 49, done.
remote: Counting objects: 100% (49/49), done.
remote: Compressing objects: 100% (34/34), done.
remote: Total 10098 (delta 30), reused 30 (delta 15), pack-reused 10049
Receiving objects: 100% (10098/10098), 3.92 MiB | 18.41 MiB/s, done.
Resolving deltas: 100% (5951/5951), done.
Run the install script:
[root@Ubuntu:~]# cd ./acme.sh/
[root@Ubuntu:acme.sh]# crontab -l
no crontab for root
[root@Ubuntu:acme.sh]# ./acme.sh --install
[Thu Feb 20 01:55:27 CST 2020] It is recommended to install socat first.
[Thu Feb 20 01:55:27 CST 2020] We use socat for standalone server if you use standalone mode.
[Thu Feb 20 01:55:27 CST 2020] If you don't use standalone mode, just ignore this warning.
[Thu Feb 20 01:55:27 CST 2020] Installing to /root/.acme.sh
[Thu Feb 20 01:55:27 CST 2020] Installed to /root/.acme.sh/acme.sh
[Thu Feb 20 01:55:27 CST 2020] Installing alias to '/root/.bashrc'
[Thu Feb 20 01:55:27 CST 2020] OK, Close and reopen your terminal to start using acme.sh
[Thu Feb 20 01:55:27 CST 2020] Installing cron job
no crontab for root
no crontab for root
[Thu Feb 20 01:55:27 CST 2020] Good, bash is found, so change the shebang to use bash as preferred.
[Thu Feb 20 01:55:28 CST 2020] OK
Installation details
Running this install script does not require the root user, although this article uses root. Whichever user you choose must at least be able to run nginx, because that is the reload command acme.sh will execute after every renewal.
The installer does three things:
- Creates ~/.acme.sh/ in your home directory ($HOME) and copies acme.sh into it. All certificates are also kept in this folder.
- Creates the alias acme.sh=~/.acme.sh/acme.sh.
- If needed, creates a daily cron job that checks and renews certificates.
The cron job is created automatically during installation. It runs once a day (at a minute chosen at install time; 00:27 here), checks every certificate acme.sh manages, and renews any that are close to expiry. Run crontab -l to see it:
[root@Ubuntu:acme.sh]# crontab -l
27 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
After installation, close the current terminal and open a new one (or run source ~/.bashrc) so that the alias takes effect.
You can then move on to issuing a certificate.
Show the help:
[root@Ubuntu:acme.sh]# acme.sh -h
Requesting an SSL certificate
acme.sh implements every validation method the ACME protocol supports; in practice two are used: http-01 and dns-01 validation.
This article does not use dns validation. In dns manual mode the certificate cannot be renewed automatically, because on every renewal you must add a new TXT record to the zone by hand. (dns mode driven by a DNS provider API does renew automatically, but it means keeping DNS API credentials on the web server.)
Since this site runs nginx, acme.sh's nginx mode can use the running nginx to answer the http-01 challenge. It temporarily edits the nginx configuration to serve the challenge response and restores the original conf as soon as validation finishes, so the change is not permanent.
The official documentation gives the following command:
acme.sh --issue -d example.com --nginx
If the nginx conf file cannot be located automatically, you can point acme.sh at one of the following:
acme.sh --issue -d example.com --nginx /etc/nginx/nginx.conf
You can also specify the site's own conf:
acme.sh --issue -d example.com --nginx /etc/nginx/conf.d/example.com.conf
Running it and seeing the output below means issuance succeeded:
[root@Ubuntu:~]# acme.sh --issue -d www.kangxuanpeng.com --nginx
[Thu Feb 20 01:59:28 CST 2020] Creating domain key
[Thu Feb 20 01:59:28 CST 2020] The domain key is here: /root/.acme.sh/www.kangxuanpeng.com/www.kangxuanpeng.com.key
[Thu Feb 20 01:59:28 CST 2020] Single domain='www.kangxuanpeng.com'
[Thu Feb 20 01:59:28 CST 2020] Getting domain auth token for each domain
[Thu Feb 20 01:59:29 CST 2020] Getting webroot for domain='www.kangxuanpeng.com'
[Thu Feb 20 01:59:29 CST 2020] Verifying: www.kangxuanpeng.com
[Thu Feb 20 01:59:29 CST 2020] Nginx mode for domain:www.kangxuanpeng.com
[Thu Feb 20 01:59:29 CST 2020] Found conf file: /etc/nginx/sites-enabled/www.kangxuanpeng.com.conf
[Thu Feb 20 01:59:29 CST 2020] Backup /etc/nginx/sites-enabled/www.kangxuanpeng.com.conf to /root/.acme.sh/www.kangxuanpeng.com/backup/www.kangxuanpeng.com.nginx.conf
[Thu Feb 20 01:59:29 CST 2020] Check the nginx conf before setting up.
[Thu Feb 20 01:59:29 CST 2020] OK, Set up nginx config file
[Thu Feb 20 01:59:29 CST 2020] nginx conf is done, let's check it again.
[Thu Feb 20 01:59:29 CST 2020] Reload nginx
[Thu Feb 20 01:59:34 CST 2020] Success
[Thu Feb 20 01:59:34 CST 2020] Restoring from /root/.acme.sh/www.kangxuanpeng.com/backup/www.kangxuanpeng.com.nginx.conf to /etc/nginx/sites-enabled/www.kangxuanpeng.com.conf
[Thu Feb 20 01:59:34 CST 2020] Reload nginx
[Thu Feb 20 01:59:34 CST 2020] Verify finished, start to sign.
[Thu Feb 20 01:59:34 CST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/78572851/2382115231
[Thu Feb 20 01:59:35 CST 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03e350b1498cdf3776887b8ffebf902dc4b7
[Thu Feb 20 01:59:35 CST 2020] Cert success.
...
-----END CERTIFICATE-----
[Thu Feb 20 01:59:35 CST 2020] Your cert is in /root/.acme.sh/www.kangxuanpeng.com/www.kangxuanpeng.com.cer
[Thu Feb 20 01:59:35 CST 2020] Your cert key is in /root/.acme.sh/www.kangxuanpeng.com/www.kangxuanpeng.com.key
[Thu Feb 20 01:59:35 CST 2020] The intermediate CA cert is in /root/.acme.sh/www.kangxuanpeng.com/ca.cer
[Thu Feb 20 01:59:35 CST 2020] And the full chain certs is there: /root/.acme.sh/www.kangxuanpeng.com/fullchain.cer
Generating the dhparam.pem file
[root@Ubuntu:sites-enabled]# openssl dhparam -out /root/.acme.sh/dhparam.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...
After adding ssl_dhparam, restart nginx; nginx -s reload is not enough here. Note that the nginx configuration later in this article references the file as /etc/nginx/ssl-key-files/dhparam.pem, so generate it there (or move it there) rather than leaving it under /root/.acme.sh, which acme.sh treats as its own internal directory. The parameters are only used for DHE cipher suites (with ECDHE preferred they are rarely negotiated); 2048 bits is the minimum size worth generating.
Installing the certificate into Nginx
The official documentation advises against using the files generated above directly. Once the certificate is issued you will want to install (copy) it to Apache, Nginx or another server, and you must use the --install-cert command below to copy it to the target files. Do not point the server at the files in ~/.acme.sh/: they are for acme.sh's internal use only, and the folder layout may change in the future.
[root@Ubuntu:~]# acme.sh --install-cert -d www.kangxuanpeng.com \
> --keypath /etc/nginx/ssl-key-files/www.kangxuanpeng.com.key \
> --fullchainpath /etc/nginx/ssl-key-files/www.kangxuanpeng.com.key.pem \
> --reloadcmd "nginx -s reload"
[Thu Feb 20 02:30:33 CST 2020] Installing key to:/etc/nginx/ssl-key-files/www.kangxuanpeng.com.key
[Thu Feb 20 02:30:33 CST 2020] Installing full chain to:/etc/nginx/ssl-key-files/www.kangxuanpeng.com.key.pem
[Thu Feb 20 02:30:33 CST 2020] Run reload cmd: nginx -s reload
[Thu Feb 20 02:30:33 CST 2020] Reload success
The general form of the command is (acme.sh accepts both the --key-file/--fullchain-file spellings shown here and the --keypath/--fullchainpath spellings used above):
acme.sh --install-cert -d example.com \
  --key-file /path/to/keyfile/in/nginx/key.pem \
  --fullchain-file /path/to/fullchain/nginx/cert.pem \
  --reloadcmd "nginx -s reload"
Only the domain is required; every other parameter is optional.
The ownership and permissions of files that already exist are preserved, so you can create the files beforehand to fix their owner and mode (the private key should be readable only by the account that runs acme.sh and nginx).
This installs (copies) the certificate and key to the production Apache or Nginx paths.
By default acme.sh renews a certificate every 60 days (configurable). After each renewal it copies the new files to the paths given here and then runs the reload command, nginx -s reload, so that the server picks them up.
Note that reloadcmd matters. The certificate renews automatically, but without a correct reloadcmd the renewed certificate is only written to disk: nginx (or Apache) keeps serving the certificate it loaded at startup, so visitors never see the renewed one and will be shown an expired certificate once the old one's 90 days run out.
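The --install-cert command keeps the mode and owner of files that already exist, so the moment to decide who may read the private key is before the first install. The Python below is an added example (not part of the original post or of acme.sh): prepare_cert_paths pre-creates the key and chain files with the modes a practitioner would want, and audit_private_keys flags any *.key file in the directory that is group/world readable, is a symlink, or is owned by someone else. The domain www.example.com and the directory layout in demo() are constructed for the example.

```python
"""Pre-create the nginx key/chain files with restrictive modes, then audit them.

acme.sh --install-cert keeps the ownership and mode of files that already exist,
so creating them first is how you decide who may read the private key.
"""
import os
import stat
import tempfile

PRIVATE_KEY_MODE = 0o600   # owner read/write only
PUBLIC_CHAIN_MODE = 0o644  # the certificate chain is public data
DIR_MODE = 0o750


def prepare_cert_paths(directory, domain):
    """Create <domain>.key (0600) and <domain>.key.pem (0644) under directory.

    Existing files are kept but their mode is reset. Returns (key_path, chain_path).
    """
    os.makedirs(directory, mode=DIR_MODE, exist_ok=True)
    os.chmod(directory, DIR_MODE)  # makedirs applies the umask; force the mode
    key = os.path.join(directory, f"{domain}.key")
    chain = os.path.join(directory, f"{domain}.key.pem")  # naming used in this post
    for path, mode in ((key, PRIVATE_KEY_MODE), (chain, PUBLIC_CHAIN_MODE)):
        # O_NOFOLLOW: refuse to operate on a file that a planted symlink points at
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, mode)
        try:
            os.fchmod(fd, mode)  # the mode passed to open() is masked by umask
        finally:
            os.close(fd)
    return key, chain


def audit_private_keys(directory):
    """Return (file name, problem) pairs for *.key files that are not private enough."""
    findings = []
    with os.scandir(directory) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        if not entry.name.endswith(".key"):
            continue
        st = os.lstat(entry.path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((entry.name, "is a symlink; the key really lives elsewhere"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append((entry.name, f"mode {mode:04o} grants group/other access"))
        if st.st_uid != os.geteuid():
            findings.append((entry.name, "not owned by the account running acme.sh"))
    return findings


def demo():
    """Self-check in a throwaway directory: a freshly prepared layout is clean,
    a key that was later copied in with a loose 0644 mode is flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        certdir = os.path.join(tmp, "ssl-key-files")      # constructed layout
        key, _chain = prepare_cert_paths(certdir, "www.example.com")
        key_mode = stat.S_IMODE(os.stat(key).st_mode)
        clean = audit_private_keys(certdir)
        os.chmod(key, 0o644)  # simulate `cp` from a shell with umask 022
        loose = audit_private_keys(certdir)
        return {"key_mode": key_mode, "clean": clean, "loose": loose}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run prepare_cert_paths once as the user that runs acme.sh (root in this article), then run acme.sh --install-cert; the audit can be rerun after every renewal to confirm the mode survived.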
Changing the Nginx configuration
Enable SSL, listen on port 443 and point nginx at the installed certificate files:
http {
    ...
    ##
    # SSL Settings
    ##
    # Dropping SSLv3, ref: POODLE. TLS 1.0 and 1.1 are deprecated as well (RFC 8996)
    # and SSL Labs downgrades servers that still offer them; TLSv1.3 requires nginx
    # built against OpenSSL 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ...
}
server {
    listen 80;
    listen 443 ssl;
    server_name www.kangxuanpeng.com;
    # plain-HTTP requests on port 80 are redirected to HTTPS
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
    # the key and full chain written by acme.sh --install-cert
    ssl_certificate_key /etc/nginx/ssl-key-files/www.kangxuanpeng.com.key;
    ssl_certificate     /etc/nginx/ssl-key-files/www.kangxuanpeng.com.key.pem;
    # ssl_dhparam (the file generated with openssl dhparam above)
    ssl_dhparam /etc/nginx/ssl-key-files/dhparam.pem;
    ...
}
Check that the configuration is valid with nginx -t, then reload (or restart) nginx:
[root@Ubuntu:sites-enabled]# nginx -s reload   # or: service nginx restart
Verifying SSL
Open ssllabs.com and enter your domain to check that the TLS configuration is sound:
https://www.ssllabs.com/ssltest/analyze.html?d=www.kangxuanpeng.com&hideResults=on&latest
Make sure the result is an A or better; otherwise fix the problems the report points out.
Automatic renewal
Let's Encrypt certificates are valid for 90 days, so they have to be renewed regularly.
acme.sh already takes care of this: during installation it added a line to the crontab that runs acme.sh --cron every day:
27 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
Manual check
Running the same command by hand shows what the cron job would do. Note that the crontab entry sends all output to /dev/null, so a renewal that fails night after night is silent unless you check:
[root@Ubuntu:nginx]# "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
[Thu Feb 20 17:08:49 CST 2020] ===Starting cron===
[Thu Feb 20 17:08:49 CST 2020] Renew: 'blog.kangxuanpeng.com'
[Thu Feb 20 17:08:49 CST 2020] Skip, Next renewal time is: Sun Apr 19 18:00:48 UTC 2020
[Thu Feb 20 17:08:49 CST 2020] Add '--force' to force to renew.
[Thu Feb 20 17:08:49 CST 2020] Skipped blog.kangxuanpeng.com
[Thu Feb 20 17:08:49 CST 2020] Renew: 'kangxuanpeng.com'
[Thu Feb 20 17:08:49 CST 2020] Skip invalid cert for: kangxuanpeng.com
[Thu Feb 20 17:08:49 CST 2020] Skipped kangxuanpeng.com
[Thu Feb 20 17:08:49 CST 2020] Renew: 'me.kangxuanpeng.com'
[Thu Feb 20 17:08:49 CST 2020] Skip, Next renewal time is: Sun Apr 19 19:04:51 UTC 2020
[Thu Feb 20 17:08:49 CST 2020] Add '--force' to force to renew.
[Thu Feb 20 17:08:49 CST 2020] Skipped me.kangxuanpeng.com
[Thu Feb 20 17:08:49 CST 2020] Renew: 'www.kangxuanpeng.com'
[Thu Feb 20 17:08:49 CST 2020] Skip, Next renewal time is: Sun Apr 19 17:59:35 UTC 2020
[Thu Feb 20 17:08:49 CST 2020] Add '--force' to force to renew.
[Thu Feb 20 17:08:49 CST 2020] Skipped www.kangxuanpeng.com
[Thu Feb 20 17:08:49 CST 2020] ===End cron===
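Because the cron entry discards acme.sh's output, the output above is exactly what you would want a monitoring job to read. The Python below is an added example (not part of the original post or of acme.sh): it parses one acme.sh --cron run in the format shown above and returns alerts for certificates that acme.sh reports as invalid, that failed to renew, that renewed but were not followed by a successful reload, or that are past their renewal time. SAMPLE_LOG is constructed for the example using example.com names; the "Verify error", "Error renew" and "Reload error" lines are assumptions about how acme.sh reports failures, so adjust the patterns if your version prints something different.

```python
"""Parse one acme.sh --cron run and raise alerts for anything that needs a human.

The crontab entry acme.sh installs sends its output to /dev/null, so a renewal
that fails every night is invisible unless you look. Feed this the output of
`acme.sh --cron` (run by hand or captured from cron) and act on the alerts.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample in the format shown in this post. The "Verify error",
# "Error renew" and "Reload error" lines are assumptions about how acme.sh
# reports failures; adjust the patterns below if your version prints differently.
SAMPLE_LOG = """\
[Thu Feb 20 17:08:49 CST 2020] ===Starting cron===
[Thu Feb 20 17:08:49 CST 2020] Renew: 'blog.example.com'
[Thu Feb 20 17:08:49 CST 2020] Skip, Next renewal time is: Sun Apr 19 18:00:48 UTC 2020
[Thu Feb 20 17:08:49 CST 2020] Add '--force' to force to renew.
[Thu Feb 20 17:08:49 CST 2020] Skipped blog.example.com
[Thu Feb 20 17:08:49 CST 2020] Renew: 'example.com'
[Thu Feb 20 17:08:49 CST 2020] Skip invalid cert for: example.com
[Thu Feb 20 17:08:49 CST 2020] Skipped example.com
[Thu Feb 20 17:08:50 CST 2020] Renew: 'www.example.com'
[Thu Feb 20 17:08:50 CST 2020] Single domain='www.example.com'
[Thu Feb 20 17:08:55 CST 2020] Cert success.
[Thu Feb 20 17:08:55 CST 2020] Installing key to:/etc/nginx/ssl-key-files/www.example.com.key
[Thu Feb 20 17:08:55 CST 2020] Run reload cmd: nginx -s reload
[Thu Feb 20 17:08:55 CST 2020] Reload success
[Thu Feb 20 17:08:56 CST 2020] Renew: 'me.example.com'
[Thu Feb 20 17:08:56 CST 2020] Single domain='me.example.com'
[Thu Feb 20 17:09:01 CST 2020] Verify error:Invalid response from http://me.example.com/.well-known/acme-challenge/token
[Thu Feb 20 17:09:01 CST 2020] Error renew me.example.com.
[Thu Feb 20 17:09:01 CST 2020] ===End cron===
"""

_TIMESTAMP = re.compile(r"^\[[^\]]*\]\s*")      # strip the leading "[date]" prefix
_RENEW = re.compile(r"^Renew: '(.+)'$")
_NEXT = re.compile(r"Next renewal time is: (.+)$")


def parse_acme_time(text):
    """'Sun Apr 19 18:00:48 UTC 2020' -> aware UTC datetime (acme.sh prints `date -u`)."""
    return datetime.strptime(text.strip(), "%a %b %d %H:%M:%S UTC %Y").replace(tzinfo=timezone.utc)


def parse_cron_log(text):
    """Return {domain: {'status': ..., 'next_renewal': datetime|None, 'reloaded': bool|None}}."""
    report, current = {}, None
    for raw in text.splitlines():
        line = _TIMESTAMP.sub("", raw).strip()
        m = _RENEW.match(line)
        if m:                                    # a new per-domain section starts
            current = m.group(1)
            report[current] = {"status": "unknown", "next_renewal": None, "reloaded": None}
            continue
        if current is None:                      # header lines before the first Renew:
            continue
        entry = report[current]
        m = _NEXT.search(line)
        if m:
            entry["status"] = "not_due"
            entry["next_renewal"] = parse_acme_time(m.group(1))
        elif line.startswith("Skip invalid cert"):
            entry["status"] = "invalid"
        elif line == "Cert success.":
            entry["status"] = "renewed"
        elif line == "Reload success":
            entry["reloaded"] = True
        elif line.startswith("Reload error"):    # assumed failure message
            entry["reloaded"] = False
        elif line.startswith("Error renew"):     # assumed failure message
            entry["status"] = "failed"
    return report


def alerts(report, now):
    """Return (domain, reason) pairs that need attention as of `now` (aware datetime)."""
    out = []
    for domain, e in sorted(report.items()):
        if e["status"] in ("invalid", "failed", "unknown"):
            out.append((domain, f"renewal {e['status']}: read the full acme.sh output"))
        elif e["status"] == "renewed" and e["reloaded"] is not True:
            out.append((domain, "renewed on disk but nginx was not reloaded; old cert still served"))
        elif e["status"] == "not_due" and e["next_renewal"] < now:
            out.append((domain, "past its renewal time but was not renewed"))
    return out


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for domain, reason in alerts(parse_cron_log(text), datetime.now(timezone.utc)):
        print(f"ALERT {domain}: {reason}")
```

Pipe the cron output into it (for example by replacing > /dev/null in the crontab line with a pipe into this script, or by logging the output to a file and reading that) and send the alerts somewhere a person will see them.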
To verify the complete acme.sh --cron flow, force a renewal with -f (do this sparingly: Let's Encrypt rate-limits duplicate certificates for the same names):
[root@Ubuntu:nginx]# acme.sh --cron -f
[Thu Feb 20 17:10:57 CST 2020] ===Starting cron===
[Thu Feb 20 17:10:57 CST 2020] Renew: 'blog.kangxuanpeng.com'
[Thu Feb 20 17:10:58 CST 2020] Single domain='blog.kangxuanpeng.com'
[Thu Feb 20 17:10:58 CST 2020] Getting domain auth token for each domain
[Thu Feb 20 17:10:59 CST 2020] Getting webroot for domain='blog.kangxuanpeng.com'
[Thu Feb 20 17:10:59 CST 2020] blog.kangxuanpeng.com is already verified, skip http-01.
[Thu Feb 20 17:10:59 CST 2020] Verify finished, start to sign.
[Thu Feb 20 17:10:59 CST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/78572851/2388621838
[Thu Feb 20 17:11:00 CST 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/0425b2165b01e91823130a37ee094b60fb66
...
[Thu Feb 20 17:11:06 CST 2020] Your cert is in /root/.acme.sh/www.kangxuanpeng.com/www.kangxuanpeng.com.cer
[Thu Feb 20 17:11:06 CST 2020] Your cert key is in /root/.acme.sh/www.kangxuanpeng.com/www.kangxuanpeng.com.key
[Thu Feb 20 17:11:06 CST 2020] The intermediate CA cert is in /root/.acme.sh/www.kangxuanpeng.com/ca.cer
[Thu Feb 20 17:11:06 CST 2020] And the full chain certs is there: /root/.acme.sh/www.kangxuanpeng.com/fullchain.cer
[Thu Feb 20 17:11:06 CST 2020] Installing key to:/etc/nginx/ssl-key-files/www.kangxuanpeng.com.key
[Thu Feb 20 17:11:06 CST 2020] Installing full chain to:/etc/nginx/ssl-key-files/www.kangxuanpeng.com.key.pem
[Thu Feb 20 17:11:06 CST 2020] Run reload cmd: nginx -s reload
[Thu Feb 20 17:11:06 CST 2020] Reload success
[Thu Feb 20 17:11:06 CST 2020] ===End cron===
At this point the SSL setup is complete.
SSL optimization
Chrome certificate cache
If you opened the site in Chrome while the configuration was still wrong, the browser caches the certificate it saw; after correcting the configuration, clear that cached state before testing again:
chrome://net-internals
DNS CAA
Add a CAA record to the domain's DNS.
The CAA data is 0 issue "certificate authority domain".
For the free certificates issued by Let's Encrypt, set the CAA data to 0 issue "letsencrypt.org".
CAA is checked by the CA at issuance time, not by browsers: it does not change how your site is served, but it stops any other CA from issuing a certificate for your names. After publishing the record, confirm it with dig CAA yourdomain.
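To see what the record above actually does, the Python below is an added example (not part of the original post or of acme.sh) that evaluates CAA the way a CA must before issuing (RFC 8659, section 4): it climbs from the requested name toward the root, takes the first name that has CAA records, honours the critical flag, uses issuewild for wildcard requests, and treats 0 issue ";" as "nobody may issue". It goes beyond the single record on this page by covering those cases too. ZONE is a constructed set of records for example.com and a few .example names; none of them describe the real domain in this article.

```python
"""Evaluate a CAA policy the way a CA does before issuing (RFC 8659, section 4).

Given the CAA records of a zone, decide whether a CA identified by its CAA
domain (Let's Encrypt uses "letsencrypt.org") may issue for a name.
"""
from dataclasses import dataclass

# Constructed zone for this example: name -> CAA records in presentation format.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"',
                    '0 iodef "mailto:security@example.com"'],
    "locked.example": ['0 issue ";"'],                  # nobody may issue
    "wild.example": ['0 issue "letsencrypt.org"',
                     '0 issuewild ";"'],                # no wildcard certificates at all
    "strict.example": ['128 futuretag "something"',     # critical flag set on an unknown tag
                       '0 issue "letsencrypt.org"'],
    "params.example": ['0 issue "letsencrypt.org; validationmethods=dns-01"'],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self):
        return bool(self.flags & 128)

    @property
    def issuer_domain(self):
        """Part before ';' in an issue/issuewild value; '' means 'no issuer'."""
        return self.value.split(";", 1)[0].strip().lower()


def parse_caa(text):
    """'0 issue "letsencrypt.org"' -> CAA(0, 'issue', 'letsencrypt.org')."""
    flags, tag, value = text.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


def relevant_rrset(zone, name):
    """Climb from name toward the root; the first name with CAA records wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, [parse_caa(r) for r in zone[candidate]]
    return None, []


def may_issue(zone, name, ca_domain):
    """Return (allowed, reason). A leading '*.' makes it a wildcard request."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    origin, records = relevant_rrset(zone, base)
    if not records:
        return True, "no CAA records found up to the root: issuance not restricted"
    for r in records:                       # an unknown critical property forbids issuance
        if r.critical and r.tag not in KNOWN_TAGS:
            return False, f"{origin}: critical tag {r.tag!r} is not understood"
    tag = "issue"                           # issuewild only applies to wildcard requests,
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"                   # and only when at least one is present
    allowed = {r.issuer_domain for r in records if r.tag == tag}
    if not allowed:
        return True, f"{origin}: no {tag} property, issuance not restricted"
    if ca_domain.lower() in allowed:
        return True, f"{origin}: {tag} authorises {ca_domain}"
    names = ", ".join(a or "<nobody>" for a in sorted(allowed))
    return False, f"{origin}: {tag} authorises {names}, not {ca_domain}"


if __name__ == "__main__":
    for req in ("www.example.com", "nothing.example", "locked.example",
                "*.wild.example", "strict.example"):
        print(req, may_issue(ZONE, req, "letsencrypt.org"))
```

Note that www.example.com has no CAA record of its own and inherits example.com's, which is why a single record at the apex covers every subdomain you issue for; a subdomain with its own CAA records overrides the apex entirely rather than merging with it.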
SSL session cache
Add session caching to the nginx configuration:
ssl_session_cache shared:SSL:20m;   # shared TLS session cache, 20 MB (about 4000 sessions per MB)
ssl_session_tickets on;             # TLS session tickets, stored on the client side
ssl_session_timeout 60m;            # how long a session can be resumed, in minutes
If ssl_session_cache is placed inside the server block, the SSL Labs test does not detect it, because the test assumes the client does not support SNI; in practice it works in the server block just as well.
One caveat on session tickets: nginx encrypts tickets with a key it generates at startup (unless ssl_session_ticket_key is set), and that key is only replaced when nginx restarts, so a long-running process keeps one key that can decrypt every session it resumed in that period. Restart nginx periodically, or rotate a ssl_session_ticket_key file, to limit the damage if that key is ever exposed.