Manually installing a Let's Encrypt SSL certificate in an Easy Engine powered setup (markdown)
Editor's note: this article was compiled by the editors of cha138.com; it covers manually installing a Let's Encrypt SSL certificate in an Easy Engine powered setup and is offered for reference.
# Implement Let's Encrypt Manually in an Easy Engine Powered setup
- OS : Ubuntu Server 16.04 LTS
- Web Server : Nginx via Easy Engine
Ref :
- https://letsencrypt.org/
- https://easyengine.io/
## Install certbot
Certbot is a tool for obtaining Let's Encrypt certificates (ref: https://certbot.eff.org/). You can install certbot on your local machine, but to benefit from its nginx plugin you need to install it on the same machine as your web server.
```bash
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
```
Certbot will be our main tool which will handle all of the processes required to implement the cert.
```bash
$ which certbot
/usr/bin/certbot
$ certbot --help
-------------------------------------------------------------------------------
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:
obtain, install, and renew certificates:
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near
expiry
-d DOMAINS Comma-separated list of domains to obtain a certificate for
...
```
## Obtain the Certificates
Assuming you are already familiar with hosting your websites on Easy Engine, we walk through the steps for obtaining a certificate for a specific installed domain or subdomain. This method modifies the Nginx vhost configuration that Easy Engine set up, using the hooks Easy Engine provides.
**Certbot Syntax**
```bash
certbot certonly --pre-hook "service nginx stop" --standalone --cert-name yourdomain.tld -d yourdomain.tld -d www.yourdomain.tld --post-hook "service nginx start" --rsa-key-size 4096 -n --agree-tos -m me@yourdomain.tld
```
**NOTE**
- Replace yourdomain.tld (and www.yourdomain.tld) with your own domain, and use the primary domain as the cert's name
- Pass more than one `-d` to put multiple domains / subdomains under one certificate (optional); you can just as easily generate one cert per domain / subdomain. Let's Encrypt cannot yet sign a wildcard cert
- Drop `-n` (non-interactive mode) in cases such as having more than one Let's Encrypt account on the server, so certbot can ask which one to use
- Change the email address used for generating the cert to your own; it is used for expiry notifications in case you forget to renew
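As an added example (not part of the original gist), the following bash functions assemble the `certbot certonly` command line from the notes above: the primary domain becomes `--cert-name`, every extra name gets its own `-d`, wildcard names are refused (the page states Let's Encrypt cannot sign them yet), and setting `DRY_RUN=1` appends certbot's real `--dry-run` flag so the request goes to the staging CA first and does not consume the weekly issuance limit mentioned later on the page. The function names, the hostname check and the `DRY_RUN` variable are this example's own conventions, not Easy Engine's or certbot's.

```bash
#!/usr/bin/env bash
# Added example: build (and optionally run) the certonly command from the page.
# Assumes certbot is installed as described above and that nginx is managed by
# `service`, hence the pre/post hooks that free ports 80/443 for --standalone.
set -euo pipefail

# Accept only plain hostnames (labels of letters, digits, hyphens; a TLD of
# letters). Single-label names and wildcards are rejected on purpose.
valid_hostname() {
  local h=$1
  local re='^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
  [[ ${#h} -le 253 ]] || return 1
  [[ $h =~ $re ]]
}

# Print the certonly arguments, shell-quoted, for PRIMARY, EMAIL and any extra
# names. The primary name is used as --cert-name exactly as in the page's syntax.
build_certbot_args() {
  local primary=$1 email=$2; shift 2
  local name args
  for name in "$primary" "$@"; do
    if [[ $name == \** ]]; then
      echo "wildcard names are not supported by Let's Encrypt here: $name" >&2
      return 1
    fi
    valid_hostname "$name" || { echo "invalid hostname: $name" >&2; return 1; }
  done
  args=(certonly --standalone
        --pre-hook "service nginx stop" --post-hook "service nginx start"
        --cert-name "$primary" -d "$primary")
  for name in "$@"; do args+=(-d "$name"); done
  args+=(--rsa-key-size 4096 -n --agree-tos -m "$email")
  # --dry-run is certbot's own flag: it exercises the whole challenge against the
  # staging CA without issuing a real cert, so typos do not burn the rate limit.
  [[ ${DRY_RUN:-0} == 1 ]] && args+=(--dry-run)
  printf '%q ' "${args[@]}"
}

# Run certbot with the generated arguments, e.g.
#   DRY_RUN=1 issue_cert yourdomain.tld me@yourdomain.tld www.yourdomain.tld
issue_cert() {
  local argstr
  argstr=$(build_certbot_args "$@") || return 1
  eval "certbot $argstr"
}
```

Run the dry-run variant first; only when it reports success is it worth repeating the command without `DRY_RUN` to obtain the real certificate.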
On a successful attempt certbot will display the information on the location of your certs.
```bash
Running pre-hook command: service nginx stop
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for chat.xxxxxxx.pro
Waiting for verification...
Cleaning up challenges
Running post-hook command: service nginx start
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/chat.xxxxxxx.pro/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/chat.xxxxxxx.pro/privkey.pem
Your cert will expire on 2018-03-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
```
## Implement the Cert into Nginx Vhost Setup
Since we are using Easy Engine, we don't have to modify the vhost configuration by hand; the `ee site update` command does this for us:
- Creates a new `server { }` block in the vhost.conf file holding the configuration of the secured website, essentially the same as before SSL was implemented but listening on port 443, optionally serving HTTP/2, with SSL turned on and the certificate paths for the domain set so Nginx can find them.
- Redirects the old plain-http site to the new https site via a separate file in the /etc/nginx/ directory; if you still want to keep the plain-http site reachable you will have to edit these two files manually.
**ee site update command**
```bash
$ ee site update chat.xxxxxx.pro --letsencrypt
Letsencrypt is currently in beta phase.
Do you wish to enable SSl now for chat.xxxxxx.pro?
Type "y" to continue [n]:y ## ==> type y to continue
You already have an existing certificate for the domain requested.
(ref: /etc/letsencrypt/renewal/chat.xxxxxx.pro.conf)
Please select an option from below?
1: Reinstall existing certificate
2: Keep the existing certificate for now ## ==> choose number 2
3: Renew & replace the certificate (limit ~5 per 7 days)
Type the appropriate number [1-3] or any other key to cancel: 2
Using Existing Certificate files
Let's Encrypt successfully setup for your site
Your certificate and chain have been saved at /etc/letsencrypt/live/chat.xxxxxx.pro/fullchain.pem
Configuring Nginx SSL configuration
Adding /var/www/chat.xxxxxx.pro/conf/nginx/ssl.conf
Adding /etc/nginx/conf.d/force-ssl-chat.xxxxxx.pro.conf
Added HTTPS Force Redirection for Site http://chat.xxxxxx.pro
Creating Cron Job for cert auto-renewal
Reload : nginx [OK]
Congratulations! Successfully Configured SSl for Site https://chat.xxxxxx.pro
Your cert will expire within 89 days.
```
**NOTES**
- Answer yes when it asks for confirmation to continue
- Keep the existing certificate (option 2) to use the cert we obtained earlier
- On success, the cert is wired in via /var/www/chat.xxxxxx.pro/conf/nginx/ssl.conf (included from the main nginx vhost config file in /etc/nginx/sites-enabled/) and /etc/nginx/conf.d/force-ssl-chat.xxxxxx.pro.conf handles the http to https redirection
- It also creates a cron job for automatic renewal
```bash
$ curl -I https://chat.xxxxxx.pro
HTTP/2 403
server: nginx
date: Sun, 24 Dec 2017 09:26:07 GMT
content-type: text/html
content-length: 162
vary: Accept-Encoding
$ crontab -l
0 0 * * 0 ee site update --le=renew --all 2> /dev/null # Renew all letsencrypt SSL cert. Set by EasyEngine
```
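The `curl -I` and `crontab -l` output above is the page's own manual check. As an added example (not from the gist or Easy Engine), the bash functions below automate the checks a practitioner wants after `ee site update --letsencrypt`: whether the cert in `/etc/letsencrypt/live/<domain>/` is inside certbot's 30-day renewal window, whether `privkey.pem` really belongs to `fullchain.pem`, and whether plain http answers with a permanent redirect to https as the force-ssl file is meant to ensure. The function names and the `check_site` wrapper are this example's own; the paths are the ones the page shows.

```bash
#!/usr/bin/env bash
# Added example: post-install checks for a Let's Encrypt cert on an Easy Engine
# site. Only openssl and curl are needed; the 30-day default mirrors certbot's
# own renewal window.
set -euo pipefail

# Exit 0 when CERT expires within DAYS (renewal due), 1 otherwise.
# `openssl x509 -checkend N` succeeds while the cert stays valid for another
# N seconds, so its result is inverted here.
needs_renewal() {
  local cert=$1 days=${2:-30}
  if openssl x509 -noout -in "$cert" -checkend $((days * 86400)); then
    return 1
  fi
  return 0
}

# Print the expiry, e.g. "notAfter=Mar 24 09:26:07 2018 GMT".
cert_expiry() { openssl x509 -noout -in "$1" -enddate; }

# Compare the public key inside the cert with the one derived from the private
# key; a mismatch after a renewal is the classic reason nginx refuses to reload.
key_matches_cert() {
  local cert=$1 key=$2
  [[ "$(openssl x509 -noout -in "$cert" -pubkey)" == \
     "$(openssl pkey -in "$key" -pubout)" ]]
}

# Plain http must answer 301 with a Location on https:// (what
# force-ssl-<domain>.conf provides). Needs network access, so it is not part
# of the offline checks.
http_redirects_to_https() {
  local domain=$1 out code target
  out=$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "http://$domain/")
  code=${out%% *}; target=${out#* }
  [[ $code == 301 && $target == https://* ]]
}

# Usage: check_site chat.xxxxxx.pro
check_site() {
  local dir=/etc/letsencrypt/live/$1
  cert_expiry "$dir/fullchain.pem"
  if key_matches_cert "$dir/fullchain.pem" "$dir/privkey.pem"; then
    echo "privkey.pem matches fullchain.pem"
  else
    echo "WARNING: privkey.pem does not match fullchain.pem"
  fi
  if needs_renewal "$dir/fullchain.pem"; then
    echo "RENEW: fewer than 30 days left, run: ee site update $1 --le=renew"
  else
    echo "OK: more than 30 days of validity left"
  fi
  if http_redirects_to_https "$1"; then
    echo "http -> https redirect OK"
  else
    echo "WARNING: http://$1/ does not redirect to https"
  fi
}
```

Running `check_site` from the weekly cron job beside the page's `ee site update --le=renew --all` line gives an early warning if a renewal silently failed, since the cron line itself discards errors with `2> /dev/null`.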