STUDY WHILE YOU ARE BORING



Get your free SSL certificate and renew it automatically

Published May 27, 2019   |   Author: Tim   |   Category: Tech

Why SSL?

The primary reason to use SSL (strictly, its successor TLS; the old name has stuck) is to keep sensitive information sent across the Internet confidential so that only the intended recipient can read it. Data you send passes through many routers and networks on its way to the destination server, and any machine on that path can read your credit card numbers, usernames, passwords and other sensitive information if the connection is not encrypted. With TLS the traffic is encrypted between your browser and the server, and the server's certificate lets the browser verify that it is really talking to that server and not to an impostor, so an attacker sitting in the middle can neither read the data nor tamper with it unnoticed. This is what protects it from eavesdroppers and identity thieves.


Why letsencrypt.org?

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
https://letsencrypt.org/about/
Advantages:

  • Several names in one certificate (subdomains as SANs)
  • Wildcard support (*.yourdomain.com, DNS validation only)
  • API support: issuance runs over the ACME protocol, so the whole process can be scripted
  • Free

Disadvantages:

  • Short validity: every certificate expires after 90 days
  • Command-line skills needed

How to

We set up a certificate for Apache on CentOS as an example.

  1. Generate your certificate

    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto
    sudo ./certbot-auto --manual certonly

    (certbot-auto has since been deprecated and is no longer published at dl.eff.org; on a current system install certbot from your distribution or as a snap and run the same subcommands as plain `certbot`.)

    Note:

    When prompted for domain names, separate several names with commas.
    Wildcard names (*.yourdomain.com) can only be validated with the DNS-01 challenge: certbot prints a TXT record value that you must publish at _acme-challenge.yourdomain.com before you let it continue.

    In the end, you will find your certificate in

    /etc/letsencrypt/live/www.yourdomain.com/

  2. Apply it to Apache

    yum install mod_ssl openssl

    Edit the configuration file

    vi /etc/httpd/conf.d/ssl.conf

    Find and update these directives. The protocol and cipher lines are tightened compared with the stock CentOS file: SSLv3, TLS 1.0 and TLS 1.1 and the 3DES/RC4-era ciphers are all broken or deprecated, so only TLS 1.2 and newer with AEAD ciphers and forward secrecy is left enabled.

    SSLEngine on
    # SSLv2 is no longer built into mod_ssl at all; SSLv3 and TLS 1.0/1.1 must be switched off explicitly
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # ECDHE only (forward secrecy) and AEAD ciphers only; names unknown to an older OpenSSL are ignored
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on
    
    SSLCertificateKeyFile /etc/letsencrypt/live/www.yourdomain.com/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/www.yourdomain.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.yourdomain.com/chain.pem
    # On httpd 2.4.8 or newer SSLCertificateChainFile is deprecated: point SSLCertificateFile
    # at fullchain.pem instead, which holds the leaf and the intermediate in one file.

    Check the syntax, then restart Apache

    apachectl configtest
    service httpd restart

Renew the certification

As noted above, Let's Encrypt certificates are valid for 90 days, so they have to be renewed at least that often (certbot's `renew` replaces a certificate once fewer than 30 days remain and leaves it alone otherwise).

Manually

./certbot-auto renew

Automatically

With a hook script that publishes the challenge record for us, the DNS validation completes without any interaction.

  1. Set up a DNS-modifying hook based on the cloudflare.com API

    vi /etc/letsencrypt/renewal/msg2.xyz.sh

    #!/bin/bash
    set -e
    # certbot exports the challenge value as CERTBOT_VALIDATION; this hook writes it into
    # the existing _acme-challenge TXT record (PUT overwrites that record, so ZONEID and
    # RECORDID have to be looked up once beforehand through the API)
    curl --tlsv1.2   -X PUT "https://api.cloudflare.com/client/v4/zones/ZONEID/dns_records/RECORDID" \
     -H "X-Auth-Email: myemail@gmail.com" \
     -H "X-Auth-Key: APIAUTHKEY" \
     -H "Content-Type: application/json" \
     --data '{"type":"TXT","name":"_acme-challenge.msg2.xyz","content":"'"${CERTBOT_VALIDATION}"'","ttl":120,"proxied":false}'
    # give the record a moment to become visible before certbot asks Let's Encrypt to look it up
    sleep 5

    Two caveats. X-Auth-Key is the account-wide Global API Key, so this file must not be world-readable (chmod 600) and an API token restricted to editing DNS in this one zone is the safer choice. And because a PUT can only store one value in one record, this hook cannot satisfy a certificate that covers both msg2.xyz and *.msg2.xyz: those two validations need two TXT records under the same name at the same time.

    More about the API: https://api.cloudflare.com/#dns-records-for-a-zone-update-dns-record

  2. Run renew with --manual-auth-hook

    ./certbot-auto renew --manual-auth-hook /etc/letsencrypt/renewal/msg2.xyz.sh

    With the hook in place the validation completes without any prompt; the output looks like this:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    -------------------------------------------------------------------------------
    Processing /etc/letsencrypt/renewal/msg2.xyz.conf
    -------------------------------------------------------------------------------
    Plugins selected: Authenticator manual, Installer None
    Renewing an existing certificate
    Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/httpd.sh
    -------------------------------------------------------------------------------
    new certificate deployed without reload, fullchain is
    /etc/letsencrypt/live/msg2.xyz/fullchain.pem
    -------------------------------------------------------------------------------
    
    -------------------------------------------------------------------------------
    
    Congratulations, all renewals succeeded. The following certs have been renewed:
      /etc/letsencrypt/live/msg2.xyz/fullchain.pem (success)
    -------------------------------------------------------------------------------

    Note: certbot saves the hook path in /etc/letsencrypt/renewal/msg2.xyz.conf, so later runs of `renew` (including the cron job below) pick it up without the flag.
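The same job as the Cloudflare hook in step 1, rewritten as an added example (this is not the author's script). It differs in three ways that matter for a production renewal: it authenticates with a scoped API token read from a root-only file instead of embedding the Global API Key in the script; it creates a fresh TXT record per validation with POST and deletes it again from a cleanup hook, so a certificate for msg2.xyz plus *.msg2.xyz gets its two records side by side; and it builds the record name from CERTBOT_DOMAIN, so one script serves every certificate. The file paths /etc/letsencrypt/cloudflare.token, /etc/letsencrypt/cloudflare.zone and /etc/letsencrypt/cf-hook.sh are assumptions made for the example; CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_AUTH_OUTPUT are the variables certbot actually exports to manual hooks, and the 32-hex-digit record ID and `{"result":{"id":...}}` shape of the Cloudflare response are what the DNS records API returns.

```shell
#!/bin/bash
# Cloudflare DNS-01 auth + cleanup hook for `certbot --manual`.
# Added example for this article, not the author's script. Assumed layout:
#   /etc/letsencrypt/cloudflare.token (mode 0600): an API token limited to
#       "Zone / DNS / Edit" on this one zone, not the account-wide Global API Key
#   /etc/letsencrypt/cloudflare.zone: the zone ID
# certbot invokes it as
#   --manual-auth-hook    "/etc/letsencrypt/cf-hook.sh auth"
#   --manual-cleanup-hook "/etc/letsencrypt/cf-hook.sh cleanup"
set -eu

CF_API="https://api.cloudflare.com/client/v4"
TOKEN_FILE="${CF_TOKEN_FILE:-/etc/letsencrypt/cloudflare.token}"
ZONE_FILE="${CF_ZONE_FILE:-/etc/letsencrypt/cloudflare.zone}"

# Name of the challenge record. For "*.msg2.xyz" certbot passes CERTBOT_DOMAIN
# without the leading "*.", so the apex and the wildcard share one record name.
acme_record_name() {
    printf '_acme-challenge.%s' "$1"
}

# JSON body for a TXT record. The validation value is base64url, so it cannot
# contain quotes or backslashes and needs no JSON escaping.
txt_record_json() {
    printf '{"type":"TXT","name":"%s","content":"%s","ttl":120,"proxied":false}' "$1" "$2"
}

# cf_api METHOD PATH [extra curl args]; --fail makes HTTP 4xx/5xx a non-zero exit
cf_api() {
    local token method path
    token=$(cat "$TOKEN_FILE"); method=$1; path=$2; shift 2
    curl --silent --show-error --fail --tlsv1.2 -X "$method" "$CF_API$path" \
        -H "Authorization: Bearer $token" \
        -H "Content-Type: application/json" ${1+"$@"}
}

# Extract result.id (32 hex digits) from the create response without needing jq.
# Whitespace is stripped first so pretty-printed and compact JSON both match.
record_id_from_response() {
    printf '%s' "$1" | tr -d ' \n\r\t' \
        | sed -n 's/.*"result":{"id":"\([0-9a-f]\{32\}\)".*/\1/p'
}

auth() {
    local zone name body resp id
    zone=$(cat "$ZONE_FILE")
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    body=$(txt_record_json "$name" "$CERTBOT_VALIDATION")
    # POST creates a new record every time, so the second validation for the
    # same name does not overwrite the first one.
    resp=$(cf_api POST "/zones/$zone/dns_records" --data "$body")
    id=$(record_id_from_response "$resp")
    [ -n "$id" ] || { echo "could not create TXT record: $resp" >&2; exit 1; }
    # Whatever the auth hook prints reaches the cleanup hook as CERTBOT_AUTH_OUTPUT.
    echo "$id"
    # Let's Encrypt resolves the name from several vantage points; a few seconds
    # is usually too short for a new record to be visible everywhere.
    sleep 30
}

cleanup() {
    local zone id
    zone=$(cat "$ZONE_FILE")
    for id in ${CERTBOT_AUTH_OUTPUT:-}; do
        cf_api DELETE "/zones/$zone/dns_records/$id" >/dev/null
    done
}

case "${1:-}" in
    auth)    auth ;;
    cleanup) cleanup ;;
esac
```

Issue the certificate once with `certbot-auto certonly --manual --preferred-challenges dns --manual-auth-hook '/etc/letsencrypt/cf-hook.sh auth' --manual-cleanup-hook '/etc/letsencrypt/cf-hook.sh cleanup' -d msg2.xyz -d '*.msg2.xyz'`; certbot stores both hook paths in the renewal conf and `renew` reuses them. If you would rather not maintain a script at all, the certbot-dns-cloudflare plugin (`--dns-cloudflare --dns-cloudflare-credentials <ini file>`) does the same create-wait-delete cycle for you.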

Restart Apache with the renewal-hooks

Even after the files under /etc/letsencrypt/live/ have been renewed, httpd keeps serving the certificate it loaded at startup until it is restarted or reloaded. That step can be automated too: after every successful renewal certbot runs each executable it finds in /etc/letsencrypt/renewal-hooks/deploy/.

vi /etc/letsencrypt/renewal-hooks/deploy/httpd.sh

#!/bin/sh
set -e
# refuse to reload on a broken config, so a bad edit cannot take the site down
apachectl configtest > /dev/null 2>&1
# reload (graceful restart) picks up the new certificate without dropping open connections
service httpd reload > /dev/null

Don't forget

chmod +x /etc/letsencrypt/renewal-hooks/deploy/httpd.sh

Make it a cron job

This is the schedule certbot's own documentation suggests: twice a day, with a random delay of up to an hour so that every certbot installation does not hit Let's Encrypt in the same minute. Since `renew` only replaces certificates with fewer than 30 days left, running it this often is harmless.

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /path/to/certbot-auto renew
Tags: apache, https, centos, letsencrypt, ssl, free, certificate, certbot, wildcard, cloudflare, renew