Notes on requesting an SSL certificate with certbot on openSUSE Leap 15.3 in GCP
OS: openSUSE Leap 15.3 in GCP (Preemptible)
DNS provider: gandi.net
The last time I wrote about this was 2020/9
See the earlier post: https://sakananote2.blogspot.com/2020/09/certbot-ssl-with-opensuse-in-azure.html
Back then a certificate could still be requested with python3-certbot; now snapd is used instead
Today I tested again using certbot, an ACME client, to request a Let's Encrypt certificate.
Because I want to obtain the certificate with certbot using DNS validation and then put it on a GCP Load Balancer, I created a Preemptible GCE instance on GCP just to obtain it; the advantage of Preemptible is that it is cheap :)
Let's Encrypt getting-started page
Also referring to the Certbot documentation for openSUSE Leap 15 with nginx
First, log in to the openSUSE Leap 15.3 instance on GCP
Since this is a lab write-up and the Preemptible instance will not live past 24 hours, I switch to root first
> sudo su -
To install the certbot package, snapd is now required
Refer to the snapd installation page
Add the repository
# zypper addrepo --refresh https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_15.3 snappy
Import the GPG key
# zypper --gpg-auto-import-keys refresh
Retrieving repository 'Update repository of openSUSE Backports' metadata .[done]
Building repository 'Update repository of openSUSE Backports' cache ......[done]
Retrieving repository 'Debug Repository' metadata ........................[done]
Building repository 'Debug Repository' cache .............................[done]
Retrieving repository 'Update Repository (Debug)' metadata ...............[done]
Building repository 'Update Repository (Debug)' cache ....................[done]
Retrieving repository 'Non-OSS Repository' metadata ......................[done]
Building repository 'Non-OSS Repository' cache ...........................[done]
Retrieving repository 'Main Repository' metadata .........................[done]
Building repository 'Main Repository' cache ..............................[done]
Retrieving repository 'Update repository with updates from SUSE Linux Ente[done]
Building repository 'Update repository with updates from SUSE Linux Enterpris[-]
Lately the refresh from the SUSE Linux Enterprise update repository can take quite a while; it really depends on the time of day QQ
# zypper dup --from snappy
Loading repository data...
Reading installed packages...
Computing distribution upgrade...
Nothing to do.
Install snapd
# zypper install -y snapd
Enable snapd at boot (not actually needed in my case, but recording it anyway)
# systemctl enable --now snapd
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.service → /usr/lib/systemd/system/snapd.service.
On openSUSE Leap 15.3 and Tumbleweed, the following command must also be run
# systemctl enable --now snapd.apparmor
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.apparmor.service → /usr/lib/systemd/system/snapd.apparmor.service.
Next, make sure snapd is up to date
# snap install core; snap refresh core
2022-04-30T14:38:36Z INFO Waiting for automatic snapd restart...
Warning: /snap/bin was not found in your $PATH. If you've not restarted your
session since you installed snapd, try doing that. Please see
https://forum.snapcraft.io/t/9469 for more details.
core 16-2.54.4 from Canonical* installed
snap "core" has no updates available
Next, install Certbot
# snap install --classic certbot
Warning: /snap/bin was not found in your $PATH. If you've not restarted your
session since you installed snapd, try doing that. Please see
https://forum.snapcraft.io/t/9469 for more details.
certbot 1.26.0 from Certbot Project (certbot-eff*) installed
Deal with the command path issue mentioned in the warning above
# ln -s /snap/bin/certbot /usr/bin/certbot
Since today's goal is only to request an SSL certificate through certbot, run it in certonly mode
# certbot certonly --manual --preferred-challenges=dns -d *.ines.tw
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): sakana@study-area.org (contact email)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y (agree to the Terms of Service)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y (agree to share the email address; this one is up to you)
Account registered.
Requesting a certificate for *.ines.tw
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.ines.tw.
with the following value:
pGNqhluMQ3u-ejpPOMOdUG-ZO2gPrptWzyGmxYNyKpA
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.ines.tw.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue (before pressing Enter, make sure the TXT record has been created at the DNS provider, with the value shown above)
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ines.tw/fullchain.pem
Key is saved at: /etc/letsencrypt/live/ines.tw/privkey.pem
This certificate expires on 2022-07-29.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Meaning of the options used:
certonly: only request the certificate
--manual: manual mode
--preferred-challenges=dns: validate using DNS
-d *.ines.tw: the domain name to request the certificate for
The certificate files are stored under /etc/letsencrypt/live/your-domain
Each issuance is valid for 90 days
Look at the details
# ls -lh /etc/letsencrypt/live/ines.tw/
total 4.0K
-rw-r--r-- 1 root root 692 Apr 30 14:50 README
lrwxrwxrwx 1 root root 31 Apr 30 14:50 cert.pem -> ../../archive/ines.tw/cert1.pem
lrwxrwxrwx 1 root root 32 Apr 30 14:50 chain.pem -> ../../archive/ines.tw/chain1.pem
lrwxrwxrwx 1 root root 36 Apr 30 14:50 fullchain.pem -> ../../archive/ines.tw/fullchain1.pem
lrwxrwxrwx 1 root root 34 Apr 30 14:50 privkey.pem -> ../../archive/ines.tw/privkey1.pem
There are 4 main files:
cert.pem: the certificate for the requested domain (Your domain's certificate); corresponds to certificate.crt from sslforfree in the earlier posts - public key
chain.pem: the Let's Encrypt chain certificate (The Let's Encrypt chain certificate); corresponds to ca_bundle.crt from sslforfree in the earlier posts - intermediate certificate
fullchain.pem: the public key and intermediate certificate combined (cert.pem and chain.pem combined); this is the file Nginx uses when configuring ssl
privkey.pem: the certificate's private key (Your certificate's private key); corresponds to private.key from sslforfree in the earlier posts - private key
That completes the request, but how do we know which certificates have been requested so far?
The following command lists them
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: ines.tw
Serial Number: 3b21ee0374642cba9403c35278cb94e5923
Key Type: RSA
Domains: *.ines.tw
Expiry Date: 2022-07-29 13:50:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/ines.tw/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ines.tw/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Looking at the certificate information, the real storage location is /etc/letsencrypt/archive/your-domain
# ls -l /etc/letsencrypt/archive/ines.tw/
total 20
-rw-r--r-- 1 root root 1830 Apr 30 14:50 cert1.pem
-rw-r--r-- 1 root root 3749 Apr 30 14:50 chain1.pem
-rw-r--r-- 1 root root 5579 Apr 30 14:50 fullchain1.pem
-rw------- 1 root root 1704 Apr 30 14:50 privkey1.pem
Copy the certificate files to the user's home directory so they can be downloaded next
# cp /etc/letsencrypt/archive/ines.tw/* /home/max
Then change the owner of privkey1.pem, otherwise there will be no permission to download it
# chown max /home/max/privkey1.pem
There are several ways to download the files
Back on your own machine:
Method 1: use the download button in Web SSH
Open the GCE service page, log in with Web SSH, then click the download button
Enter the file name and click Download
The default download directory should be ~/下載 (the localized Downloads folder)
Method 2: use the gcloud command
> gcloud compute scp test20220430:/home/max/cert1.pem /tmp/cert1.pem --zone asia-east1-b --project speedy-bazaar-245112
Replace test20220430:/home/max/cert1.pem with your-GCE-name:path/filename
If zone and project have no default set, specify them explicitly
The advantage of method 2 over method 1 is that you can choose the download path
Method 3: use the scp command
> scp -i css_id_rsa user@public-IP:/home/max/cert1.pem /tmp/cert1.pem
The downloaded files look like this
> ls -l
總用量 20
-rw-r--r-- 1 sakana users 1830 4月 30 23:27 cert1.pem
-rw-r--r-- 1 sakana users 3749 4月 30 23:27 chain1.pem
-rw-r--r-- 1 sakana users 5579 4月 30 23:28 fullchain1.pem
-rw------- 1 sakana users 1704 4月 30 23:29 privkey1.pem
Once the download is complete, the GCE instance can be shut down / deleted
The files can then be used on the GCP Load Balancer
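Before loading the downloaded files into a load balancer or Nginx, it is worth checking that they belong together. The script below is an added example, not from the original post: it assumes openssl is on PATH and uses the archive/ file names from above (cert1.pem, chain1.pem, fullchain1.pem, privkey1.pem) to confirm that the private key matches the certificate, that the certificate is not about to expire, that fullchain1.pem really is cert1.pem followed by chain1.pem, and that the key file is still owner-only readable after the copy and chown steps.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a downloaded
# certbot bundle before loading it into Nginx or a GCP load balancer.
# Assumes openssl is on PATH and the certbot archive/ file names.

# Succeeds when the certificate's public key equals the private key's.
key_matches_cert() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Succeeds when the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Succeeds when fullchain ($3) is exactly cert ($1) followed by chain ($2).
fullchain_is_cert_plus_chain() {
    cat "$1" "$2" | cmp -s - "$3"
}

# Succeeds when the key file is readable by its owner only (mode 0600).
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Runs every check against a directory; returns the number of failures.
check_bundle() {
    d="$1"; fails=0
    key_matches_cert "$d/cert1.pem" "$d/privkey1.pem" \
        || { echo "FAIL: privkey1.pem does not match cert1.pem"; fails=$((fails+1)); }
    cert_valid_for_days "$d/cert1.pem" 30 \
        || { echo "FAIL: cert1.pem expires within 30 days, renew it"; fails=$((fails+1)); }
    fullchain_is_cert_plus_chain "$d/cert1.pem" "$d/chain1.pem" "$d/fullchain1.pem" \
        || { echo "FAIL: fullchain1.pem is not cert1.pem + chain1.pem"; fails=$((fails+1)); }
    key_is_private "$d/privkey1.pem" \
        || { echo "FAIL: privkey1.pem is readable by others, chmod 600 it"; fails=$((fails+1)); }
    [ "$fails" -eq 0 ] && echo "OK: bundle in $d looks consistent"
    return "$fails"
}

# Usage: sh check_bundle.sh /tmp   (the directory the four files were downloaded to)
if [ -n "$1" ]; then check_bundle "$1"; fi
```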
One more step forward :)
Reference:
https://sakananote2.blogspot.com/2020/09/certbot-ssl-with-opensuse-in-azure.html
http://sakananote2.blogspot.com/2020/02/nginx-with-opensuse-leap-151-in-azure.html
http://sakananote2.blogspot.com/2020/03/nginx-ssl-with-opensuse-leap-151-in.html