markdown 在Easy Engine Powered Setup中手动安装Let's Encrypt的SSL证书

Posted 2021-05-06

# Implement Let's Encrypt Manually in an Easy Engine Powered setup

- OS : Ubuntu Server 16.04 LTS
- Web Server : Nginx via Easy Engine

Ref : 
- https://letsencrypt.org/
- https://easyengine.io/

## Install certbot

Certbot is a tool to obtain Let's Encrypt certificate ref: https://certbot.eff.org/ , you can install certbot in your local machine, but to enjoy the benefit of it's available plugin for nginx, you need to install it on the same machine as your web server.

``` bash
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx 
```
Certbot will be our main tool which will handle all of the processes required to implement the cert.

```bash
$ which certbot
/usr/bin/certbot

$ certbot --help

-------------------------------------------------------------------------------

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
expiry
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

...
```
## Obtain the Certificates

Assumed that you are already familiar with setting up easy engine on hosting your websites, we will walk through the steps on how to obtain the certificate for a specific installed domain or sub.domain. These method will modify Nginx vhost configuration set up by Easy Engine on the existing config utilizing hooks provided by Easy Engine.

**Certbot Syntax**

```bash
certbot certonly --pre-hook "service nginx stop" --standalone --cert-name yourdomain.tld -d yourdomain.tld -d www.yourdomain.tld --post-hook "service nginx start" --rsa-key-size 4096 -n --agree-tos -m me@yourdomain.tld
```

**NOTE** 
- Change www.domain.com into your domain, and put the primary domain as the cert's name
- Put more than 1 -d for multiple domains / sub domains under 1 certificate (optional), or you can also easily generate 1 cert for 1 domain / sub domain, Let's Encrypt not yet can signed a wildcard cert
- Don't use -n to turn off interactive mode in cases like you have more than 1 Let's Encrypt account in the existing server
- Modify the email address for generating the cert into your email address, it will be use for expiry notification in case you forget to renew

On a successful attempt certbot will display the information on the location of your certs.

```bash
Running pre-hook command: service nginx stop
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for chat.xxxxxxx.pro
Waiting for verification...
Cleaning up challenges
Running post-hook command: service nginx start

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/chat.xxxxxxx.pro/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/chat.xxxxxxx.pro/privkey.pem
   Your cert will expire on 2018-03-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
## Implement the Cert into Nginx Vhost Setup

Since we are using Easy Engine, we don't have to modify the vhost configuration manually, we will use `ee site update` command which will do these for us;
- Create a new `server { }` directive inside the vhost.conf file which will holds the configs of the secured website, basically the same with before SSL implemented with changes on port setup (using 443), host setup using HTTP2 (optional), turn on SSL and let Nginx know where to find the certs for the domain.
- Redirect old web (non http) to the new (https) web site via a seperate file in /etc/nginx/ directory, you will have to manually configure these 2 files if still want to keep the configuration of a non http website.

**ee site update command**
``` bash
$ ee site update chat.xxxxxx.pro --letsencrypt
Letsencrypt is currently in beta phase.
Do you wish to enable SSl now for chat.xxxxxx.pro?
Type "y" to continue [n]:y ## ==> type y to continue
You already have an existing certificate for the domain requested.
(ref: /etc/letsencrypt/renewal/chat.xxxxxx.pro.conf)
Please select an option from below?
	1: Reinstall existing certificate
	2: Keep the existing certificate for now ## ==> choose number 2
	3: Renew & replace the certificate (limit ~5 per 7 days)

Type the appropriate number [1-3] or any other key to cancel: 2
Using Existing Certificate files
Let's Encrypt successfully setup for your site
Your certificate and chain have been saved at /etc/letsencrypt/live/chat.xxxxxx.pro/fullchain.pem
Configuring Nginx SSL configuration
Adding /var/www/chat.xxxxxx.pro/conf/nginx/ssl.conf
Adding /etc/nginx/conf.d/force-ssl-chat.xxxxxx.pro.conf
Added HTTPS Force Redirection for Site  http://chat.xxxxxx.pro
Creating Cron Job for cert auto-renewal
Reload : nginx     [OK]
Congratulations! Successfully Configured SSl for Site  https://chat.xxxxxx.pro
Your cert will expire within 89 days.
```

**NOTES**
- Choose yes when it ask for your confirmation to continue
- Keep the existing certificate to use the cert we obtain previously, select number 2
- Notice that our cert is implemented if successed via /var/www/chat.xxxxxx.pro/conf/nginx/ssl.conf (included in the main nginx vhost config file in /etc/nginx/sites-enabled/) and /etc/nginx/conf.d/force-ssl-chat.xxxxxx.pro.conf for http to https redirection
- Plus it creates a cronjob for automatic renewal

``` bash 
$ curl -I https://chat.xxxxxx.pro
HTTP/2 403
server: nginx
date: Sun, 24 Dec 2017 09:26:07 GMT
content-type: text/html
content-length: 162
vary: Accept-Encoding

$ crontab -l
0 0 * * 0 ee site update --le=renew --all 2> /dev/null # Renew all letsencrypt SSL cert. Set by EasyEngine
```