Tuesday, September 15, 2020

Notes on requesting an SSL certificate with certbot on openSUSE in Azure


OS: openSUSE Leap 15.2 in Azure
Nginx: 1.16.1
DNS provider: gandi.net


Today I'm testing certbot, an ACME client, to request a Let's Encrypt certificate.

Let's Encrypt official Getting Started page

Reference: the Certbot documentation page for openSUSE Leap 15 with nginx




First, install the certbot package.

Install it with zypper:

# zypper  install  python3-certbot

  • I specify python3-certbot here, because installing plain certbot pulls in the python2 version; if you want certbot to run under python3 you have to name the python3 package explicitly.

Since today's goal is only to obtain the SSL certificate through certbot, I run it in certonly mode.



# certbot  certonly  --manual  --preferred-challenges=dns  -d   ines.tw

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel):  sakana@study-area.org (contact email)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A (agree to the terms)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y (agree to share the email address; this one is up to you)
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ines.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y (agree to the IP being logged; again, up to you)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.ines.tw with the following value:

gVIVkBS2LLHzu1HSqOTUwE3LOddA3jhtAgPkDL1wosw

Before continuing, verify the record is deployed
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue (before pressing Enter, confirm that the TXT record has been created at your DNS provider with the value shown above)
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ines.tw/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ines.tw/privkey.pem
   Your cert will expire on 2020-12-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


  • certonly: only obtain the certificate (no web server configuration)
  • --manual: manual mode (you deploy the challenge record yourself)
  • --preferred-challenges=dns
    • use a DNS record for validation
  • -d   ines.tw
    • the domain name to request
  • the certificate files are stored under /etc/letsencrypt/live/<your domain>/
  • each issuance is valid for 90 days


Look at the resulting files:

# ls  -lh  /etc/letsencrypt/live/ines.tw/

total 4.0K
-rw-r--r-- 1 root root 692 Sep  7 15:01 README
lrwxrwxrwx 1 root root  31 Sep  7 15:01 cert.pem -> ../../archive/ines.tw/cert1.pem
lrwxrwxrwx 1 root root  32 Sep  7 15:01 chain.pem -> ../../archive/ines.tw/chain1.pem
lrwxrwxrwx 1 root root  36 Sep  7 15:01 fullchain.pem -> ../../archive/ines.tw/fullchain1.pem
lrwxrwxrwx 1 root root  34 Sep  7 15:01 privkey.pem -> ../../archive/ines.tw/privkey1.pem

There are four main files:

cert.pem: the SSL certificate for the requested domain (Your domain's certificate)
  • corresponds to certificate.crt from sslforfree earlier - the certificate (public key)

chain.pem: the Let's Encrypt chain certificate (The Let's Encrypt chain certificate)
  • corresponds to ca_bundle.crt from sslforfree earlier - the intermediate certificate

fullchain.pem: the certificate and the intermediate combined (cert.pem and chain.pem combined)
  • this is the file nginx uses when you configure ssl

privkey.pem: the certificate's private key (Your certificate's private key)
  • corresponds to private.key from sslforfree earlier - the private key


That completes the request. But how do you know which certificates have been issued so far?
The following command lists them:

# certbot  certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ines.tw
    Serial Number: 4c5679bc25190a70e2e9072885094771114
    Domains: ines.tw
    Expiry Date: 2020-12-06 14:01:32+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/ines.tw/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ines.tw/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Next question: what if you want to add other FQDNs, or add *.ines.tw to the certificate?

Adding *.ines.tw

# certbot  certonly  --manual  --preferred-challenges=dns --cert-name  ines.tw  -d ines.tw,*.ines.tw

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate ines.tw to include new domain(s):
+ *.ines.tw

You are also removing previously included domain(s):
(None)

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: U
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for ines.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.ines.tw with the following value:

AFatx1Qx8ylhYIPmnSFIAFktRQ00GI7SbzUtHqTADJc

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue  (before pressing Enter, confirm that the TXT record has been created at your DNS provider with the value shown above)
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ines.tw/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ines.tw/privkey.pem
   Your cert will expire on 2020-12-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Check the certificate information again:

# certbot  certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ines.tw
    Serial Number: 4d2c4a18b7d8f375fca8d127cefc677e152
    Domains: ines.tw *.ines.tw
    Expiry Date: 2020-12-06 14:21:22+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/ines.tw/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ines.tw/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
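Both manual sessions above stop at "Press Enter to Continue" and rely on you having checked the TXT record by hand. The script below is an added example, not part of the original post: it asks each authoritative nameserver of the domain for _acme-challenge TXT and compares the answer with the value certbot printed, so a stale cached answer or a half-propagated record is caught before you press Enter. It assumes dig is installed (the bind-utils package on openSUSE); the domain and challenge value are taken from the first session.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the _acme-challenge
# TXT record certbot asked for is live on the domain's authoritative
# nameservers before pressing Enter. Asking the authoritative servers directly
# sidesteps stale answers cached by the local resolver, and checking every one
# of them matters because Let's Encrypt may query any of them.
# Assumes `dig` (bind-utils on openSUSE) is installed.

# txt_record_present DIG_OUTPUT EXPECTED
# DIG_OUTPUT is the text printed by `dig +short TXT ...`, one quoted string
# per line (an old challenge value left behind is harmless). Returns 0 when
# one of those strings equals EXPECTED exactly.
txt_record_present() {
    printf '%s\n' "$1" | tr -d '"' | grep -qxF -- "$2"
}

# acme_txt_deployed DOMAIN EXPECTED
# Returns 0 only when every authoritative nameserver serves EXPECTED for
# _acme-challenge.DOMAIN; prints one status line per nameserver.
acme_txt_deployed() {
    domain=$1; expected=$2; missing=0
    nameservers=$(dig +short NS "$domain")
    if [ -z "$nameservers" ]; then
        echo "no NS records found for $domain" >&2
        return 1
    fi
    for ns in $nameservers; do
        answer=$(dig +short "@$ns" TXT "_acme-challenge.$domain")
        if txt_record_present "$answer" "$expected"; then
            echo "ok       $ns"
        else
            echo "missing  $ns"
            missing=1
        fi
    done
    return $missing
}

# Usage, with the domain and value from the first session above:
#   acme_txt_deployed ines.tw gVIVkBS2LLHzu1HSqOTUwE3LOddA3jhtAgPkDL1wosw
```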



Lab 2: Verifying the SSL certificate

So how do we verify that the certificate actually works?
I use nginx for the check; first set up the default page.
See http://sakananote2.blogspot.com/2020/02/nginx-with-opensuse-leap-151-in-azure.html for reference.

For easier management I create an ssl directory under /etc/nginx:

# mkdir  /etc/nginx/ssl

Copy the certificate files produced earlier into that directory:

# cp  /etc/letsencrypt/live/ines.tw/fullchain.pem  /etc/nginx/ssl/
# cp  /etc/letsencrypt/live/ines.tw/privkey.pem  /etc/nginx/ssl/

Edit the nginx configuration file:

# vim  /etc/nginx/nginx.conf


worker_processes  1;
events {
    worker_connections  1024;
    use epoll;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    include conf.d/*.conf;
    server {
        listen       80;
        listen       443 ssl;
        server_name  ines.tw;
        ssl_certificate /etc/nginx/ssl/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/privkey.pem;
        location / {
            root   /srv/www/htdocs/;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /srv/www/htdocs/;
        }
    }

    include vhosts.d/*.conf;
}

  • Add the highlighted lines above: "listen 443 ssl;" plus the ssl_certificate and ssl_certificate_key directives pointing at the copied files


Reload the nginx service:

# systemctl   reload   nginx
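The two cp commands above have to be repeated every time the 90-day certificate is renewed, or nginx keeps serving the old copy. As an added example (not part of the original post), here is a certbot deploy hook that does the copy and the reload automatically; it assumes the hook lives in /etc/letsencrypt/renewal-hooks/deploy/ and relies on the RENEWED_LINEAGE variable certbot sets for deploy hooks.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot deploy hook that
# repeats the two `cp` commands above after every renewal and then reloads
# nginx, so the copies in /etc/nginx/ssl never go stale. Save it, executable,
# as /etc/letsencrypt/renewal-hooks/deploy/nginx.sh; certbot runs scripts in
# that directory after a successful renewal with RENEWED_LINEAGE set to the
# lineage directory (here /etc/letsencrypt/live/ines.tw).
# Caveat: a certificate obtained with --manual renews non-interactively only
# if a --manual-auth-hook was configured; otherwise rerun the certonly
# command by hand and then call install_cert yourself.
set -eu

# install_cert LINEAGE_DIR DEST_DIR [RELOAD_CMD]
# Copies fullchain.pem and privkey.pem into DEST_DIR, keeps the private key
# readable by root only, swaps the new files in only after both copies
# succeeded, and runs RELOAD_CMD (default: syntax-check the config, then
# reload nginx) so a broken copy never leaves nginx without a certificate.
install_cert() {
    src=$1; dest=$2; reload=${3:-"nginx -t && systemctl reload nginx"}
    if [ ! -r "$src/fullchain.pem" ] || [ ! -r "$src/privkey.pem" ]; then
        echo "fullchain.pem or privkey.pem not readable in $src" >&2
        return 1
    fi
    mkdir -p "$dest"
    cp "$src/fullchain.pem" "$dest/fullchain.pem.new"
    cp "$src/privkey.pem" "$dest/privkey.pem.new"
    chmod 0644 "$dest/fullchain.pem.new"
    chmod 0600 "$dest/privkey.pem.new"
    mv "$dest/fullchain.pem.new" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.new" "$dest/privkey.pem"
    sh -c "$reload"
}

# certbot sets RENEWED_LINEAGE when it invokes the hook; when the file is
# sourced by hand instead, only the function is defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" /etc/nginx/ssl
fi
```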


Since the site now uses HTTPS, remember to open port 443.

In the VM's networking settings in Azure, click "Add inbound port rule" and allow connections to port 443.

Open a browser and go to https://YOUR_DOMAIN
and you'll see the lovely padlock icon.

Another step forward :)


