Let's Encrypt免費ssl證書（基于haproxy負載） · TUNA-daily

[TOC] ## 1. 條件 1. 可用的域名 2. 在域名綁定的服務器上 3. 域名綁定服務器在申請免費證書時，80和443端口是沒有被占用的（最主要的是80） ## 2. 實施 ### 2.1 準備工具 #### 2.1.1 下載 https://codeload.github.com/certbot/certbot/zip/master #### 2.1.2 安裝 ~~~ unzip certbot-master.zip cd certbot-master ~~~ 1. letsencrypt-auto申請證書主要用的工具使用說明： ~~~ run：獲取并安裝證書到當前的Web服務器 certonly：獲取或續期證書，但是不安裝 renew：在證書快過期時，續期之前獲取的所有證書 -d DOMAINS：一個證書支持多個域名，用逗號分隔 --apache：使用 Apache 插件來認證和安裝證書 --standalone：運行獨立的 web server 來驗證 --nginx：使用 Nginx 插件來認證和安裝證書 --webroot：如果目標服務器已經有 web server 運行且不能關閉，可以通過往服務器的網站根目錄放置文件的方式來驗證 --manual：通過交互式方式，或 Shell 腳本手動獲取證書 ~~~ ### 2.2 獲取證書此命令代表僅僅獲取證書而已 ~~~ ./letsencrypt-auto certonly --standalone --email lovetocar@aexit.net -d 域名（多個用逗號隔開） ~~~ 期間輸入： ~~~ ------------------------------------------------------------------------------- Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory ------------------------------------------------------------------------------- (A)gree/(C)ancel: A ------------------------------------------------------------------------------- Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights. ------------------------------------------------------------------------------- (Y)es/(N)o: Y Obtaining a new certificate Performing the following challenges: http-01 challenge for lovetocar.cn Waiting for verification... Cleaning up challenges ~~~ 見到如下，代表證書生成成功了 ~~~ IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/lovetocar.cn/fullchain.pem Your key file has been saved at: ~~~ 在/etc/letsencrypt/live/lovetocar.cn/ 目錄下生成四個文件 ~~~ cert.pem: Your domain's certificate（公鑰） chain.pem: The Let's Encrypt chain certificate fullchain.pem: cert.pem and chain.pem combined（包含公鑰和 Let's Encrypt的證書文件） privkey.pem: Your certificate's private key （私鑰） ~~~ ### 2.3 配置haproxy #### 2.3.1 條件 1. haproxy支持ssl（不支持就去編譯安裝） 2. 需要合并上一步生成的證書 #### 2.3.2 合并證書 haproxy負載下的web，需要為haproxy指定一個包含公鑰和私鑰的pem，此時合并fullchain.pem和privkey.pem ~~~ cat privkey.pem fullchain.pem | tee timing-prod.pem ~~~ #### 2.3.4 配置haproxy ~~~ frontend frontend_web80 bind *:80 redirect scheme https if !{ ssl_fc } bind 0.0.0.0:443 ssl crt /home/timing/https/lovetocar.cn/lovetocar.pem acl is_timing hdr(host) -i lovetocar.cn lovetocar.cn:443 www.lovetocar.cn www.lovetocar.cn:443 use_backend timing if is_timing acl is_hicar hdr(host) -i lovetocar.net lovetocar.net:443 www.lovetocar.net www.lovetocar.net:443 default_backend backend_hicarwx backend backend_hicarwx balance source server hicar1 10.30.46.xx:8090 weight 1 maxconn 10000 check inter 10s server hicar2 10.30.48.xx:8090 weight 1 maxconn 10000 check inter 10s backend timing balance source server timing1 10.30.46.xx:31001 weight 1 maxconn 10000 check inter 10s server timing2 10.30.48.xx:31001 weight 1 maxconn 10000 check inter 10s ~~~ #### 2.3.5 pem轉成KeyStore 如果有需要的話，pem可以轉成KeyStore ~~~ openssl pkcs12 -export -in cert.pem -inkey timing-prod.pem -out timing-prod.pk12 -name timing keytool -importkeystore -deststorepass '4rfv$RFV' -destkeypass '4rfv$RFV' -destkeystore timing-prod.keystore -srckeystore timing-prod.pk12 -srcstoretype PKCS12 -srcstorepass '4rfv$RFV' -alias timing ~~~ ## 3. 申請延期 ### 3.1 查看證書過期時間包含公鑰的pem ~~~ openssl x509 -in ./fullchain2.pem -noout -dates notBefore=Feb 28 01:54:56 2018 GMT notAfter=May 29 01:54:56 2018 GMT ~~~ 證書有效期是 2018-2-28到2018-5-29 ### 3.2 申請延期 ~~~ certbot renew ~~~