Notes on requesting an SSL certificate with certbot on openSUSE in Azure
OS: openSUSE Leap 15.2 in Azure
Nginx: 1.16.1
DNS provider: gandi.net
Today I tested certbot, an ACME client, to request a Let's Encrypt certificate.
Let's Encrypt official getting-started page
Reference: the Certbot documentation page for openSUSE Leap 15 with nginx
First, install the certbot package
Install it with zypper:
# zypper install python3-certbot
I specified python3-certbot here, because installing plain certbot pulls in the Python 2 version; if you want certbot to run on Python 3 you have to name the package explicitly.
Since the goal today is only to request the SSL certificate through certbot, run it in certonly mode:
# certbot certonly --manual --preferred-challenges=dns -d ines.tw
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): sakana@study-area.org (contact email address)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A (agree to the terms of service)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y (agree to share the email address; this is a personal choice)
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ines.tw
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y (agree to the IP being logged; again a personal choice)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.ines.tw with the following value:
gVIVkBS2LLHzu1HSqOTUwE3LOddA3jhtAgPkDL1wosw
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue (before pressing Enter, make sure the TXT record has been created at your DNS provider, with the value shown above)
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ines.tw/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ines.tw/privkey.pem
Your cert will expire on 2020-12-06. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
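The "Press Enter to Continue" prompt above is where the manual DNS-01 challenge most often fails: certbot asks the ACME server to validate as soon as Enter is pressed, and if the TXT record is not yet visible the authorization fails and a fresh token is needed. The script below is an added example, not part of the original post; it checks the record before Enter is pressed. It assumes dig (package bind-utils) is installed, and takes the record name, zone and expected token as arguments.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that the
# _acme-challenge TXT record is actually published before pressing Enter at
# certbot's "Press Enter to Continue" prompt. Assumes dig (package bind-utils)
# is installed; record name, zone and expected value are passed as arguments.

# txt_record_present EXPECTED_VALUE DIG_OUTPUT
# Pure check over the output of `dig +short TXT`: dig prints every TXT record
# on its own line, each string in double quotes, and a long record may be
# split into several quoted strings ("abc" "def"). More than one record can
# exist at the same name (a token from an earlier run, or the second token
# needed when a wildcard is added), so any exact match counts.
txt_record_present() {
  expected=$1
  output=$2
  printf '%s\n' "$output" \
    | sed 's/" "//g; s/^"//; s/"$//' \
    | grep -Fqx -- "$expected"
}

# wait_for_txt RECORD_NAME ZONE EXPECTED_VALUE [TIMEOUT_SECONDS]
# Ask the zone's own authoritative name server rather than a recursive
# resolver: a recursive resolver queried too early caches the negative answer
# for the record's TTL, which is a common reason the manual challenge fails.
wait_for_txt() {
  name=$1; zone=$2; expected=$3; timeout=${4:-300}
  ns=$(dig +short NS "$zone" | head -n 1)
  [ -n "$ns" ] || { echo "no NS record found for $zone" >&2; return 1; }
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    out=$(dig +short TXT "$name" "@$ns" 2>/dev/null)
    if txt_record_present "$expected" "$out"; then
      echo "$name has the expected TXT value at $ns (after ${elapsed}s)"
      return 0
    fi
    sleep 10
    elapsed=$((elapsed + 10))
  done
  echo "gave up waiting for $name TXT record at $ns" >&2
  return 1
}

# Offline demo with constructed dig output (the token from the post plus a
# stale one), instead of the live query you would run on the server:
#   wait_for_txt _acme-challenge.ines.tw ines.tw gVIVkBS2LLHzu1HSqOTUwE3LOddA3jhtAgPkDL1wosw
sample_dig_output='"stale-token-from-an-earlier-run"
"gVIVkBS2LLHzu1HSqOTUwE3LOddA3jhtAgPkDL1wosw"'
if txt_record_present gVIVkBS2LLHzu1HSqOTUwE3LOddA3jhtAgPkDL1wosw "$sample_dig_output"; then
  echo "record present, safe to press Enter"
else
  echo "record not visible yet"
fi
```

Run wait_for_txt in a second terminal while certbot waits at the prompt; press Enter only after it reports the match. Querying the authoritative server is deliberate: Let's Encrypt validates against authoritative DNS, so a recursive resolver's cached answer says nothing about what the ACME server will see.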
certonly: request the certificate only (do not install it)
--manual: interactive manual mode
--preferred-challenges=dns: validate ownership with a DNS record
-d ines.tw: the domain name to request
The certificate files are stored under /etc/letsencrypt/live/<your-domain>/
Each certificate is issued for 90 days
Inspect the results
# ls -lh /etc/letsencrypt/live/ines.tw/
total 4.0K
-rw-r--r-- 1 root root 692 Sep 7 15:01 README
lrwxrwxrwx 1 root root 31 Sep 7 15:01 cert.pem -> ../../archive/ines.tw/cert1.pem
lrwxrwxrwx 1 root root 32 Sep 7 15:01 chain.pem -> ../../archive/ines.tw/chain1.pem
lrwxrwxrwx 1 root root 36 Sep 7 15:01 fullchain.pem -> ../../archive/ines.tw/fullchain1.pem
lrwxrwxrwx 1 root root 34 Sep 7 15:01 privkey.pem -> ../../archive/ines.tw/privkey1.pem
There are four main files:
cert.pem: your domain's certificate
corresponds to certificate.crt from the earlier sslforfree post (the certificate carrying the public key)
chain.pem: the Let's Encrypt chain certificate
corresponds to ca_bundle.crt from the earlier sslforfree post (the intermediate certificate)
fullchain.pem: cert.pem and chain.pem combined (certificate plus intermediate)
this is the file to use when configuring SSL in Nginx
privkey.pem: your certificate's private key
corresponds to private.key from the earlier sslforfree post (the private key)
That completes the request. But how do you find out which certificates have been issued so far?
List them with the following command:
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: ines.tw
Serial Number: 4c5679bc25190a70e2e9072885094771114
Domains: ines.tw
Expiry Date: 2020-12-06 14:01:32+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/ines.tw/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ines.tw/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
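certbot certificates shows what certbot believes it issued; before handing the files to a web server it is worth confirming, with openssl, that the leaf in fullchain.pem really carries the expected names, that privkey.pem belongs to it, and that the 90-day validity has not been eaten into. The script below is an added example, not part of the original post. It assumes the openssl command-line tool is installed; the demo at the end generates a constructed self-signed certificate in a temporary directory, so it touches neither the post's real files nor the network. On the server the arguments would be /etc/letsencrypt/live/ines.tw/fullchain.pem and privkey.pem.

```shell
#!/bin/sh
# Added example, not part of the original post: inspect the files certbot wrote
# and confirm they belong together before configuring nginx. Assumes the
# openssl CLI is installed. Paths are arguments; on the post's server they would
# be /etc/letsencrypt/live/ines.tw/fullchain.pem and privkey.pem.

# cert_key_match CERT_PEM KEY_PEM
# A certificate and private key belong together when they carry the same public
# key: compare SHA-256 over the DER SubjectPublicKeyInfo taken from each side.
# `openssl x509` reads only the first certificate (the leaf) from a chain file.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_name CERT_PEM NAME
# True when NAME is listed in the Subject Alternative Name extension. A
# wildcard entry is matched literally (*.ines.tw), the way certbot lists it.
cert_covers_name() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^ *DNS://' \
    | grep -Fqx -- "$2"
}

# cert_valid_for CERT_PEM SECONDS
# True when the certificate does not expire within SECONDS (openssl -checkend).
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# check_cert_files CERT_PEM KEY_PEM NAME...
# Run all three checks; Let's Encrypt certificates live 90 days, so fewer than
# 30 days left means renewal is due.
check_cert_files() {
  cert=$1; key=$2; shift 2
  cert_key_match "$cert" "$key" || { echo "private key does not match certificate" >&2; return 1; }
  for n in "$@"; do
    cert_covers_name "$cert" "$n" || { echo "certificate does not cover $n" >&2; return 1; }
  done
  cert_valid_for "$cert" $((30 * 86400)) || { echo "certificate expires within 30 days" >&2; return 1; }
  echo "ok: $cert covers $* and matches $key"
}

# Demo on a constructed self-signed certificate (60 days, two SAN entries).
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj '/CN=example.test' \
  -addext 'subjectAltName=DNS:example.test,DNS:*.example.test' \
  -keyout "$demo_dir/privkey.pem" -out "$demo_dir/fullchain.pem" 2>/dev/null
check_cert_files "$demo_dir/fullchain.pem" "$demo_dir/privkey.pem" example.test '*.example.test'
```

The key-match check catches the classic mix-up of copying a fullchain.pem from one renewal alongside a privkey.pem from another; nginx would refuse such a pair at reload time with an error that is far less obvious than this one-line comparison.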
Next question: what if you want to add another FQDN, or add *.ines.tw?
Adding *.ines.tw
# certbot certonly --manual --preferred-challenges=dns --cert-name ines.tw -d ines.tw,*.ines.tw
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate ines.tw to include new domain(s):
+ *.ines.tw
You are also removing previously included domain(s):
(None)
Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: U
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for ines.tw
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.ines.tw with the following value:
AFatx1Qx8ylhYIPmnSFIAFktRQ00GI7SbzUtHqTADJc
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue (before pressing Enter, make sure the TXT record has been created at your DNS provider, with the value shown above)
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ines.tw/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ines.tw/privkey.pem
Your cert will expire on 2020-12-06. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Inspect the certificate information
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: ines.tw
Serial Number: 4d2c4a18b7d8f375fca8d127cefc677e152
Domains: ines.tw *.ines.tw
Expiry Date: 2020-12-06 14:21:22+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/ines.tw/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ines.tw/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Lab2: verify the SSL certificate
How do we confirm the certificate actually works?
I use nginx to verify it; first set up a default page.
See http://sakananote2.blogspot.com/2020/02/nginx-with-opensuse-leap-151-in-azure.html
For easier management I create an ssl directory under /etc/nginx
# mkdir /etc/nginx/ssl
Copy the certificate files issued earlier into that directory
# cp /etc/letsencrypt/live/ines.tw/fullchain.pem /etc/nginx/ssl/
# cp /etc/letsencrypt/live/ines.tw/privkey.pem /etc/nginx/ssl/
Edit the nginx configuration file
# vim /etc/nginx/nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
    use epoll;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    include conf.d/*.conf;
    server {
        listen 80;
        listen 443 ssl;                                  # added: HTTPS listener
        server_name ines.tw;
        ssl_certificate /etc/nginx/ssl/fullchain.pem;    # added: certificate plus intermediate
        ssl_certificate_key /etc/nginx/ssl/privkey.pem;  # added: private key
        location / {
            root /srv/www/htdocs/;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /srv/www/htdocs/;
        }
    }
    include vhosts.d/*.conf;
}
Add the SSL lines shown above: listen 443 ssl; together with the ssl_certificate and ssl_certificate_key directives
Reload the nginx service
# systemctl reload nginx
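The mkdir, cp and reload steps above work once, but certbot writes each renewal to a new file under /etc/letsencrypt/archive/ and repoints the /etc/letsencrypt/live/ symlinks, so the copies in /etc/nginx/ssl go stale after the first renewal and nginx keeps serving the old certificate until it expires. The script below is an added example, not part of the original post; it repeats the copy in a way that can be rerun after every renewal, tightens the private key's permissions, and only reloads when the copy succeeded. It assumes the paths from the post; the reload command is a parameter so the copy logic can be exercised on a machine without nginx.

```shell
#!/bin/sh
# Added example, not part of the original post: redo the copy-and-reload steps
# so they can be repeated after each renewal. Assumes the paths used in the
# post; the reload command is passed in so the function can be tested without
# nginx installed. On the server it would be called as
#   deploy_certs /etc/letsencrypt/live/ines.tw /etc/nginx/ssl 'nginx -t && systemctl reload nginx'

# deploy_certs SRC_DIR DST_DIR RELOAD_CMD
# Copies fullchain.pem and privkey.pem (following certbot's live/ symlinks),
# makes the private key readable by root only, swaps the files into place by
# rename so nginx never reads a half-written file, then runs RELOAD_CMD.
# Returns non-zero and leaves the previous files untouched on any failure.
deploy_certs() {
  src=$1; dst=$2; reload=$3
  for f in fullchain.pem privkey.pem; do
    [ -r "$src/$f" ] || { echo "missing or unreadable: $src/$f" >&2; return 1; }
  done
  mkdir -p "$dst" || return 1
  cp -L "$src/fullchain.pem" "$dst/fullchain.pem.new" || return 1
  cp -L "$src/privkey.pem" "$dst/privkey.pem.new" || { rm -f "$dst/fullchain.pem.new"; return 1; }
  chmod 644 "$dst/fullchain.pem.new"   # the chain is public
  chmod 600 "$dst/privkey.pem.new"     # the key is not
  mv -f "$dst/fullchain.pem.new" "$dst/fullchain.pem"
  mv -f "$dst/privkey.pem.new" "$dst/privkey.pem"
  # nginx -t in RELOAD_CMD makes a config error abort before the reload
  sh -c "$reload"
}

# Demo with constructed files in a temporary directory (not real key material).
demo=$(mktemp -d)
mkdir -p "$demo/live"
printf -- '-----CONSTRUCTED CERT-----\n' > "$demo/live/fullchain.pem"
printf -- '-----CONSTRUCTED KEY-----\n' > "$demo/live/privkey.pem"
deploy_certs "$demo/live" "$demo/ssl" 'echo "(demo) would run: nginx -t && systemctl reload nginx"'
ls -l "$demo/ssl"
```

The alternative that avoids the copy altogether is to point ssl_certificate and ssl_certificate_key at the /etc/letsencrypt/live/ines.tw/ paths directly, since those symlinks always resolve to the newest issuance; a reload after renewal is still required either way, because nginx reads the key and chain into memory at startup.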
Since the site is now served over HTTPS, remember to open port 443
In the Azure VM's networking settings, click "Add inbound port rule" and allow connections to port 443
Open a browser and go to https://YOUR_DOMAIN
You should see the lovely padlock icon
One more step forward :)
Reference:
http://sakananote2.blogspot.com/2020/02/nginx-with-opensuse-leap-151-in-azure.html
http://sakananote2.blogspot.com/2020/03/nginx-ssl-with-opensuse-leap-151-in.html