使用 certbot 申請 SSL 憑證 with openSUSE in Azure 小記

使用 certbot 申請 SSL 憑證 with openSUSE in Azure 小記

OS: openSUSE Leap 15.2 in Azure

Nginx: 1.16.1

DNS provider: gandi.net

今天來測試使用 certbot 這個 ACME 客戶端來進行 Let’s Encrypt 憑證的申請.

Let’s Encrypt  官網入門網頁

• https://letsencrypt.org/zh-tw/getting-started/

參考 Certbot 網頁上, openSUSE leap 15 與 nginx 的文件

• https://certbot.eff.org/lets-encrypt/leap-nginx

先來安裝 certbot 套件

使用 zypper 指令安裝

# zypper  install  python3-certbot

• 這邊我是指定 python3-certbot, 因為如果是裝 certbot 會裝到 python2 的版本, 希望 certbot 用 python3 就要進行指定

因爲今天是要透過 certbot 來申請 SSL 憑證, 所以會執行 certonly 方式來執行

# certbot  certonly  --manual  --preferred-challenges=dns  -d   ines.tw

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator manual, Installer None

Enter email address (used for urgent renewal and security notices)

 (Enter 'c' to cancel):  sakana@study-area.org ( 聯絡信件 )

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(A)gree/(C)ancel: A (同意協議)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: Y (同意分享 email, 這個看個人)

Obtaining a new certificate

Performing the following challenges:

dns-01 challenge for ines.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

NOTE: The IP of this machine will be publicly logged as having requested this

certificate. If you're running certbot in manual mode on a machine that is not

your server, please ensure you're okay with that.

Are you OK with your IP being logged?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: Y (同意 IP 被記錄, 一樣看個人)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please deploy a DNS TXT record under the name

_acme-challenge.ines.tw with the following value:

gVIVkBS2LLHzu1HSqOTUwE3LOddA3jhtAgPkDL1wosw

Before continuing, verify the record is deployed  . 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Press Enter to Continue (按下 Enter 之前, 要確認 DNS 供應商那邊已經設定 TXT 紀錄, value 是上面紫色的內容)

Waiting for verification...

Cleaning up challenges

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/ines.tw/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/ines.tw/privkey.pem

   Your cert will expire on 2020-12-06. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot

   again. To non-interactively renew *all* of your certificates, run

   "certbot renew"

 - Your account credentials have been saved in your Certbot

   configuration directory at /etc/letsencrypt. You should make a

   secure backup of this folder now. This configuration directory will

   also contain certificates and private keys obtained by Certbot so

   making regular backups of this folder is ideal.

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

• certonly 只申請憑證

• --manual  手動方式

• --preferred-challenges=dns 

• 使用 DNS 進行驗證 

• -d   ines.tw

• 要申請的網域名稱

• 相關憑證會存放在 /etc/letsencrypt/live/你的網域下

• 一次簽發 90 天

觀察相關資訊

# ls  -lh  /etc/letsencrypt/live/ines.tw/

total 4.0K

-rw-r--r-- 1 root root 692 Sep  7 15:01 README

lrwxrwxrwx 1 root root  31 Sep  7 15:01 cert.pem -> ../../archive/ines.tw/cert1.pem

lrwxrwxrwx 1 root root  32 Sep  7 15:01 chain.pem -> ../../archive/ines.tw/chain1.pem

lrwxrwxrwx 1 root root  36 Sep  7 15:01 fullchain.pem -> ../../archive/ines.tw/fullchain1.pem

lrwxrwxrwx 1 root root  34 Sep  7 15:01 privkey.pem -> ../../archive/ines.tw/privkey1.pem

主要有 4 個檔案

cert.pem: 申請的網域的SSL憑證 (Your domain's certificate)

• 可以對應到之前sslforfree的 certificate.crt - 公鑰

chain.pem: Let's Encrypt 的 鏈證書 (The Let's Encrypt chain certificate)

• 可以對應到之前sslforfree的ca_bundle.crt - 中繼憑證

 

fullchain.pem: 公鑰與中繼憑證合併 (cert.pem and chain.pem combined)

• Nginx 如果要設定 ssl, 就會使用這個檔案 

privkey.pem: SSL憑證的私鑰 (Your certificate's private key)

• 可以對應到之前sslforfree的private.key - 私鑰

這樣就算申請完畢, 但是要如何知道目前申請了那些憑證呢?

可以使用下列指令列出相關資訊

# certbot  certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Found the following certs:

  Certificate Name: ines.tw

    Serial Number: 4c5679bc25190a70e2e9072885094771114

    Domains: ines.tw

    Expiry Date: 2020-12-06 14:01:32+00:00 (VALID: 89 days)

    Certificate Path: /etc/letsencrypt/live/ines.tw/fullchain.pem

    Private Key Path: /etc/letsencrypt/live/ines.tw/privkey.pem

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

接下來思考, 如果要加入其他的 FQDN或是想要加入 *.ines.tw 呢？

加入 *.ines.tw

# certbot  certonly  --manual  --preferred-challenges=dns --cert-name  ines.tw  -d ines.tw,*.ines.tw

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator manual, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

You are updating certificate ines.tw to include new domain(s):

+ *.ines.tw

You are also removing previously included domain(s):

(None)

Did you intend to make this change?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(U)pdate cert/(C)ancel: U

Renewing an existing certificate

Performing the following challenges:

dns-01 challenge for ines.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

NOTE: The IP of this machine will be publicly logged as having requested this

certificate. If you're running certbot in manual mode on a machine that is not

your server, please ensure you're okay with that.

Are you OK with your IP being logged?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please deploy a DNS TXT record under the name

_acme-challenge.ines.tw with the following value:

AFatx1Qx8ylhYIPmnSFIAFktRQ00GI7SbzUtHqTADJc

Before continuing, verify the record is deployed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Press Enter to Continue  (按下 Enter 之前, 要確認 DNS 供應商那邊已經設定 TXT 紀錄, value 是上面紫色的內容)

Waiting for verification...

Cleaning up challenges

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/ines.tw/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/ines.tw/privkey.pem

   Your cert will expire on 2020-12-06. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot

   again. To non-interactively renew *all* of your certificates, run

   "certbot renew"

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

觀察憑證資訊

# certbot  certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Found the following certs:

  Certificate Name: ines.tw

    Serial Number: 4d2c4a18b7d8f375fca8d127cefc677e152

    Domains: ines.tw *.ines.tw

    Expiry Date: 2020-12-06 14:21:22+00:00 (VALID: 89 days)

    Certificate Path: /etc/letsencrypt/live/ines.tw/fullchain.pem

    Private Key Path: /etc/letsencrypt/live/ines.tw/privkey.pem

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Lab2 : 驗證 SSL 憑證

那如果驗證真的有效呢？

我使用 nginx 來驗證, 先設定好預設網頁

可以參考 http://sakananote2.blogspot.com/2020/02/nginx-with-opensuse-leap-151-in-azure.html 

為了管理方便我在 /etc/nginx 目錄下建立一個 ssl  目錄

# mkdir  /etc/nginx/ssl

將之前產出的憑證複製到資料夾

# cp  /etc/letsencrypt/live/ines.tw/fullchain.pem  /etc/nginx/ssl/

# cp  /etc/letsencrypt/live/ines.tw/privkey.pem  /etc/nginx/ssl/

修改 nginx 設定檔

# vim  /etc/nginx/nginx.conf

worker_processes  1;

events {

    worker_connections  1024;

    use epoll;

}

http {

    include       mime.types;

    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    include conf.d/*.conf;

    server {

        listen       80;

        listen       443 ssl;

        server_name  ines.tw;

ssl_certificate /etc/nginx/ssl/fullchain.pem;

ssl_certificate_key /etc/nginx/ssl/privkey.pem;

        location / {

            root   /srv/www/htdocs/;

            index  index.html index.htm;

        }

        error_page   500 502 503 504  /50x.html;

        location = /50x.html {

            root   /srv/www/htdocs/;

        }

    }

    

    include vhosts.d/*.conf;

}

• 加入上面紅色部分

將 nginx 服務 reload

# systemctl   reload   nginx

因為是走 HTTPS, 所以記得要開 port 443 

在 Azure 該 VM 的網路設定內, 點選 新增輸入連接埠規則,設定 port 443 可以連線

開啟瀏覽器, 輸入 https://YOUR_DOMAIN

就可以看到可愛的鎖頭符號了

又前進一步了 :)

Reference:

• https://letsencrypt.org/zh-tw/getting-started/

• https://certbot.eff.org/lets-encrypt/leap-nginx

• https://haway.30cm.gg/certbot-plugins-dns-gandi-livedns/

• https://ezbox.idv.tw/52/free-ssl-lets-encrypt-certbot/

• http://sakananote2.blogspot.com/2020/02/nginx-with-opensuse-leap-151-in-azure.html

• http://sakananote2.blogspot.com/2020/03/nginx-ssl-with-opensuse-leap-151-in.html