Let's Encrypt and Certbot
[toc]
1 Let's Encrypt
1.1 About Let's Encrypt
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.
The key principles behind Let’s Encrypt are:
Free
: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
Automatic
: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
Secure
: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
Transparent
: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
Open
: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
Cooperative
: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
We have a page with more detailed information about how the Let’s Encrypt CA works.
1.2 Getting Started
To enable HTTPS on a website we need to obtain a certificate from a CA (Certificate Authority), and Let's Encrypt is such a CA. To obtain a certificate for our website's domain from Let's Encrypt we must prove control of that domain. With Let's Encrypt this is done by software that speaks the ACME protocol, which usually runs on our web host.

If we have shell access to the web host, the recommended ACME client is Certbot, which automates certificate issuance and installation with no downtime. It also offers an expert mode for those who do not want automatic configuration. It is easy to use, works on many operating systems, and has excellent documentation.

If Certbot does not meet your needs, there are other ACME clients to choose from.
2 Certbot
2.1 Installing Certbot
2.1.1 Installing with certbot-auto
certbot-auto is the recommended method: it automatically creates a Python venv virtual environment and installs certbot and its dependencies into it.
```text
user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
user@webserver:~$ ./certbot-auto --help
Usage: certbot-auto [OPTIONS]
A self-updating wrapper script for the Certbot ACME client. When run, updates
to both this script and certbot will be downloaded and installed. After
ensuring you have the latest versions installed, certbot will be invoked with
all arguments you have provided.
Help for certbot itself cannot be provided until it is installed.
  --debug                                   attempt experimental installation
  -h, --help                                print this help
  -n, --non-interactive, --noninteractive   run without asking for user input
  --no-bootstrap                            do not install OS dependencies
  --no-self-upgrade                         do not download updates
  --os-packages-only                        install OS dependencies and exit
  --install-only                            install certbot, upgrade if needed, and exit
  -v, --verbose                             provide more output
  -q, --quiet                               provide only update/error output;
                                            implies --non-interactive
```
You can create a symlink to certbot-auto in /usr/bin/ or /usr/local/bin/ so that the command can be run directly.
Install certbot and its dependencies by following the prompts; this must be run as root:
```text
user@webserver:~# ./certbot-auto --install-only
```
View certbot's help:
```text
user@webserver:~# ./certbot-auto -h
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:
obtain, install, and renew certificates:
  (default) run   Obtain & install a certificate in your current webserver
  certonly        Obtain or renew a certificate, but do not install it
  renew           Renew all previously obtained certificates that are near
                  expiry
  enhance         Add security enhancements to your existing configuration
  -d DOMAINS      Comma-separated list of domains to obtain a certificate for
  --apache        Use the Apache plugin for authentication & installation
  --standalone    Run a standalone webserver for authentication
  --nginx         Use the Nginx plugin for authentication & installation
  --webroot       Place files in a server's webroot folder for authentication
  --manual        Obtain certificates interactively, or using shell script
                  hooks
  -n              Run non-interactively
  --test-cert     Obtain a test certificate from a staging server
  --dry-run       Test "renew" or "certonly" without saving any certificates
                  to disk
manage certificates:
  certificates    Display information about certificates you have from Certbot
  revoke          Revoke a certificate (supply --cert-path or --cert-name)
  delete          Delete a certificate
manage your account with Let's Encrypt:
  register        Create a Let's Encrypt ACME account
  --agree-tos     Agree to the ACME server's Subscriber Agreement
  -m EMAIL        Email address for important account notifications
More detailed help:
  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:
  all, automation, commands, paths, security, testing, or any of the
  subcommands or plugins (certonly, renew, install, register, nginx,
  apache, standalone, webroot, etc.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
Run the certbot command to list existing certificates:
```text
user@webserver:~# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - -
No certs found.
- - - - - - - - - - - - - - - - - - - - - -
```
The certbot-auto script contains the location of the venv:
```bash
if [ -z "$VENV_PATH" ]; then
  # We export these values so they are preserved properly if this script is
  # rerun with sudo/su where $HOME/$XDG_DATA_HOME may have a different value.
  export OLD_VENV_PATH="$XDG_DATA_HOME/letsencrypt"
  export VENV_PATH="/opt/eff.org/certbot/venv"
fi
```
We can activate that venv and check the installed packages:
```text
[root@journal certbot]# pwd
/opt/eff.org/certbot
[root@journal certbot]# ll
drwxr-xr-x 5 root root 4096 Dec 19 11:33 venv
[root@journal certbot]# source venv/bin/activate
(venv) [root@journal certbot]# pip list |grep certbot
certbot (0.29.1)
certbot-apache (0.29.1)
certbot-nginx (0.29.1)
(venv) [root@journal certbot]# deactivate
[root@journal certbot]#
```
2.1.2 Batch installation with Ansible
certbot-auto is the official way of installing certbot into a virtualenv. It is simple and easy to use, but because the script's logic is not well understood, it can make management harder. Instead, we install certbot into a virtualenv ourselves; below is an Ansible playbook for installing it on many hosts at once:
install-certbot.yml
```yaml
---
- hosts: webpool-qa:webpool-live
  become: yes
  gather_facts: false
  tasks:
    - name: 1. Install certbot into virtualenv
      pip:
        name: certbot
        state: present
        virtualenv: /root/python-certbot
    - name: 2. Ensure logger (util-linux) has been installed
      yum:
        name: util-linux
        state: present
    - name: 3. Install cert_renew.sh script
      copy:
        src: ./scripts/cert_renew.sh
        dest: /root/cert_renew.sh
        mode: "0755"   # quoted so YAML does not reinterpret the octal literal
    - name: 4. Copy cert_posthook.sh if it does not exist
      copy:
        src: ./scripts/cert_posthook.sh
        dest: /root/cert_posthook.sh
        mode: "0755"
        force: no      # keep a locally customised hook if one is already there
    - name: 5. Create certbot job on root account
      cron:
        name: "certbot renew job"
        state: present
        minute: 45
        hour: 14
        job: "/root/cert_renew.sh 2>&1 | /usr/bin/logger -t certbot"
```
cert_renew.sh
```bash
#!/bin/bash
# Use the certbot installed by the playbook's virtualenv, then renew any
# certificate that is due and restart httpd via the post-hook.
source /root/python-certbot/bin/activate
certbot renew --post-hook "/root/cert_posthook.sh"
```
cert_posthook.sh
```bash
#!/bin/bash
# Restart local httpd
/sbin/service httpd restart
```
Run the following command to perform the installation (playbooks are run with ansible-playbook, not the ansible command):
```bash
# ansible-playbook install-certbot.yml
```
2.1.3 Other installation methods
We can also use the git version of Certbot.
2.2 Requesting a certificate
Certificate request script:
```text
[root@journal ~]# mkdir certbot
[root@journal ~]# mv certbot-auto certbot/
[root@journal ~]# cd certbot/
[root@journal certbot]# vim cert_apply.sh
```
```bash
#!/bin/bash
# Request a certificate with the webroot authenticator: -w is the directory
# the web server serves for the domain given with -d, so that
# /.well-known/acme-challenge/ under it is reachable over HTTP.
./certbot-auto certonly --webroot \
  -w /data/web -d example.demo.com
```
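The webroot mode used by cert_apply.sh works by answering the ACME http-01 challenge: certbot writes a file under `<webroot>/.well-known/acme-challenge/`, and the CA fetches it over plain HTTP, which is the proof of domain control described in 1.2. The following Python script is an added illustration, not part of this page or of Certbot itself: it builds the key authorization (token plus the RFC 7638 thumbprint of the account key) the way an ACME client does, places it in a temporary directory standing in for `/data/web`, and replaces the CA's HTTP fetch with a local file read so the exchange runs offline. The JWK values, the token, and the directory are constructed placeholders, not real keys.

```python
"""Added example (not from the original page or from Certbot): simulates the
ACME http-01 challenge that `certbot certonly --webroot` answers.

Client side: write <webroot>/.well-known/acme-challenge/<token> containing the
key authorization  token + "." + thumbprint(account_key)  (RFC 8555 8.1,
thumbprint per RFC 7638).  CA side: fetch that URL and compare.  Here the CA's
HTTP fetch is replaced by reading the file from the webroot directory, so the
script runs offline.  The JWK, token and directory are constructed placeholders.
"""
import base64
import hashlib
import json
import os
import re
import tempfile

# RFC 8555 8.3: a token consists of base64url characters only, no "=" padding.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, in
    lexicographic order, serialised without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact content the CA expects to find in the challenge file."""
    return token + "." + jwk_thumbprint(account_jwk)


def place_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """Client side: what the webroot plugin does with -w <webroot>."""
    if not TOKEN_RE.fullmatch(token):
        # A token containing "/" or ".." would let a misbehaving ACME server
        # make the client write outside the challenge directory; refuse it.
        raise ValueError("token is not base64url: %r" % token)
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def ca_validate(webroot: str, token: str, account_jwk: dict) -> bool:
    """CA side: stand-in for GET http://<domain>/.well-known/acme-challenge/<token>.
    The CA compares what is served with the key authorization derived from the
    account key registered for the order, so a file written under a different
    account key does not validate."""
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    try:
        with open(path, "r", encoding="ascii") as fh:
            served = fh.read().strip()
    except OSError:
        return False
    return served == key_authorization(token, account_jwk)


# Constructed sample values (not real keys or tokens).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-placeholder-modulus"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "another-placeholder-modulus"}
TOKEN = "constructed-token-Qn8sU1vW_x"


def demo() -> dict:
    """Run the exchange in a temporary directory standing in for /data/web."""
    with tempfile.TemporaryDirectory() as webroot:
        place_challenge(webroot, TOKEN, ACCOUNT_JWK)
        return {
            "own_account": ca_validate(webroot, TOKEN, ACCOUNT_JWK),
            "other_account": ca_validate(webroot, TOKEN, OTHER_JWK),
            "missing_file": ca_validate(webroot, "never-placed", ACCOUNT_JWK),
        }


if __name__ == "__main__":
    print(demo())
```

Two points the simulation makes visible: the thumbprint binds the challenge response to our own ACME account key, so a file planted by anyone else under the same path does not satisfy a challenge for our account; and because the token becomes a file name in the webroot, the client must insist on the base64url alphabet RFC 8555 requires before touching the filesystem. In practice this is also why `-w` must point at the directory the web server actually serves for the `-d` domain over port 80, and why a firewall or redirect that hides `/.well-known/acme-challenge/` makes issuance fail.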
Automatic renewal script:
```text
[root@journal certbot]# vim cert_renew.sh
```
```bash
#!/bin/bash
# Absolute path: cron runs this script from root's home directory, not from
# /root/certbot, so a relative ./certbot-auto would not be found.
/root/certbot/certbot-auto renew --post-hook "service httpd restart"
# nginx variant:
# certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
```
Certificates that still have more than 30 days of validity can be forcibly renewed with --force-renewal.
Note: once a certificate has been renewed, a configuration file named after the certificate is created under /etc/letsencrypt/renewal, recording the parameters and settings used for the renewal.
Cron job for the renewal script (requires the logger command); it is best to trigger it once by hand to test it:
```text
[root@journal certbot]# crontab -l
# renew letsencrypt SSL certificate
36 15 * * 1-5 /root/certbot/cert_renew.sh 2>&1 | /usr/bin/logger -t certbot
```
2.3 Procedure for adding a certificate to a website
View the existing certificate information:
```bash
# ./certbot-auto certificates
```
Edit the certificate request script and add the new site:
```bash
# vim cert_apply.sh
```
Confirm where the current certificate is referenced in the vhost configuration file:
```bash
# cd /etc/httpd/conf.d/
# grep -R .pem .
```
or
```bash
# grep .pem domain.demo.com.conf
```
If certbot reports that it will generate a new certificate rather than expand the existing one, delete the existing certificate; the old certificate stays in effect for the short time until Apache is restarted:
```bash
# ./certbot-auto delete
```
Generate the new certificate, making sure its location is the same as before:
```bash
# ./cert_apply.sh
```
Check the Apache configuration file syntax:
```bash
# apachectl -t
```
If it reports Syntax OK, restart the Apache service:
```bash
# systemctl restart httpd
```
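The manual procedure above ends with `apachectl -t` before restarting, but the renewal hooks in 2.1.2 and 2.2 restart httpd unconditionally after every renewal attempt. The following Python deploy hook is an added example, not this page's own script and not part of Certbot: run via `--deploy-hook` instead of `--post-hook`, it is invoked only once per certificate that was actually issued, and it reloads the web server only if the configuration check passes, so a broken vhost file cannot take the site down during a scheduled run. Certbot exports `RENEWED_LINEAGE` and `RENEWED_DOMAINS` to deploy hooks; the `CERT_HOOK_*` environment overrides and the file path `/root/cert_deploy_hook.py` are assumptions of this example.

```python
#!/usr/bin/env python3
"""Added example (not from the original page or from Certbot): a deploy hook
for  certbot renew --deploy-hook /root/cert_deploy_hook.py  (path assumed).

Certbot runs a deploy hook once per certificate it actually issued and exports
RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.demo.com) and
RENEWED_DOMAINS.  The hook checks the web server configuration before
reloading, mirroring the manual `apachectl -t` step, and logs to stderr so the
cron line  ... 2>&1 | logger -t certbot  from the page captures it.  The
CERT_HOOK_* overrides let the logic be exercised without Apache; they are an
assumption of this example, not a Certbot feature.
"""
import os
import shlex
import subprocess
import sys

CONFIG_TEST = shlex.split(os.environ.get("CERT_HOOK_CONFIG_TEST", "apachectl -t"))
RELOAD = shlex.split(os.environ.get("CERT_HOOK_RELOAD", "systemctl reload httpd"))


def log(msg: str) -> None:
    print("cert_deploy_hook: " + msg, file=sys.stderr)


def run(cmd: list) -> tuple:
    """Run a command without a shell; return (exit status, combined output)."""
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
    return proc.returncode, proc.stdout.strip()


def deploy(env: dict, config_test: list = CONFIG_TEST, reload_cmd: list = RELOAD) -> str:
    """Decide and act; returns 'skipped', 'config-error', 'reload-error' or 'reloaded'."""
    lineage = env.get("RENEWED_LINEAGE")
    if not lineage:
        # Not invoked by certbot for a renewed certificate (e.g. run by hand):
        # do nothing rather than restart the web server for no reason.
        log("RENEWED_LINEAGE not set, nothing to deploy")
        return "skipped"
    log("new certificate for %s in %s" % (env.get("RENEWED_DOMAINS", "?"), lineage))

    status, out = run(config_test)
    if status != 0:
        # Keep serving with the certificate already loaded in memory rather
        # than reload into a broken configuration.
        log("config test failed (%d), web server NOT reloaded: %s" % (status, out))
        return "config-error"

    status, out = run(reload_cmd)
    if status != 0:
        log("reload failed (%d): %s" % (status, out))
        return "reload-error"
    log("web server reloaded")
    return "reloaded"


if __name__ == "__main__":
    sys.exit(0 if deploy(os.environ) in ("reloaded", "skipped") else 1)
```

A non-zero exit makes certbot log the hook failure, which then shows up under the `certbot` tag in syslog via the cron pipe; the renewed certificate files are already on disk at that point, so the fix is to repair the configuration and reload by hand. Using `reload` rather than `restart` keeps existing connections alive; substitute `service httpd restart` via `CERT_HOOK_RELOAD` on systems without reload support.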