Saturday, April 30, 2022

Notes on requesting an SSL certificate with certbot on openSUSE Leap 15.3 in GCP


OS: openSUSE Leap 15.3 in GCP (Preemptible)

DNS provider: gandi.net


The last time I wrote this article was 2020/9.


Today I tested again using certbot, an ACME client, to request a Let's Encrypt certificate.

  • Because I want to use certbot with DNS validation to obtain the certificate and later put it on a GCP Load Balancer, I created a Preemptible GCE instance on GCP to obtain it. The advantage of Preemptible is that it is cheap :)


Let's Encrypt official getting-started page


Reference: the Certbot documentation page for openSUSE Leap 15 with nginx




First, log in to openSUSE Leap 15.3 on GCP

  • Since this is a lab write-up and the Preemptible instance will not live longer than 24 hours, I switch to root first

    • > sudo su -


To install the certbot package, snapd is now required


Reference: the snapd installation page


Add the repository

# zypper  addrepo  --refresh  https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_15.3  snappy


Import the GPG key

# zypper  --gpg-auto-import-keys  refresh


Retrieving repository 'Update repository of openSUSE Backports' metadata .[done]

Building repository 'Update repository of openSUSE Backports' cache ......[done]

Retrieving repository 'Debug Repository' metadata ........................[done]

Building repository 'Debug Repository' cache .............................[done]

Retrieving repository 'Update Repository (Debug)' metadata ...............[done]

Building repository 'Update Repository (Debug)' cache ....................[done]

Retrieving repository 'Non-OSS Repository' metadata ......................[done]

Building repository 'Non-OSS Repository' cache ...........................[done]

Retrieving repository 'Main Repository' metadata .........................[done]

Building repository 'Main Repository' cache ..............................[done]

Retrieving repository 'Update repository with updates from SUSE Linux Ente[done]

Building repository 'Update repository with updates from SUSE Linux Enterpris[-]


  • Lately, refreshing the "Update repository with updates from SUSE Linux Enterprise" can take a while; it really depends on the time of day QQ


# zypper  dup  --from  snappy


Loading repository data...

Reading installed packages...

Computing distribution upgrade...

Nothing to do.


Install snapd

# zypper  install  -y  snapd


Enable snapd at boot (not actually needed in my case, but recording it anyway)


# systemctl  enable --now  snapd


Created symlink /etc/systemd/system/multi-user.target.wants/snapd.service → /usr/lib/systemd/system/snapd.service.


On openSUSE Leap 15.3 and Tumbleweed, the following command also has to be run


# systemctl  enable --now  snapd.apparmor


Created symlink /etc/systemd/system/multi-user.target.wants/snapd.apparmor.service → /usr/lib/systemd/system/snapd.apparmor.service.


Next, make sure snapd is up to date


# snap  install  core;  snap  refresh  core


2022-04-30T14:38:36Z INFO Waiting for automatic snapd restart...

Warning: /snap/bin was not found in your $PATH. If you've not restarted your

         session since you installed snapd, try doing that. Please see

         https://forum.snapcraft.io/t/9469 for more details.


core 16-2.54.4 from Canonical* installed

snap "core" has no updates available



Next, install Certbot

# snap  install  --classic  certbot


Warning: /snap/bin was not found in your $PATH. If you've not restarted your

         session since you installed snapd, try doing that. Please see

         https://forum.snapcraft.io/t/9469 for more details.


certbot 1.26.0 from Certbot Project (certbot-eff*) installed


Take care of the command path mentioned in the warning above

# ln  -s  /snap/bin/certbot  /usr/bin/certbot


Since today's goal is only to request an SSL certificate through certbot, run it in certonly mode


# certbot  certonly  --manual  --preferred-challenges=dns  -d   *.ines.tw


Saving debug log to /var/log/letsencrypt/letsencrypt.log

Enter email address (used for urgent renewal and security notices)

 (Enter 'c' to cancel):  sakana@study-area.org (contact email)


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server. Do you agree?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: Y (agree to the terms)


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let's Encrypt project and the non-profit

organization that develops Certbot? We'd like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: Y (agree to share the email address; this one is up to you)

Account registered.

Requesting a certificate for *.ines.tw


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please deploy a DNS TXT record under the name:


_acme-challenge.ines.tw.


with the following value:


pGNqhluMQ3u-ejpPOMOdUG-ZO2gPrptWzyGmxYNyKpA


Before continuing, verify the TXT record has been deployed. Depending on the DNS

provider, this may take some time, from a few seconds to multiple minutes. You can

check if it has finished deploying with aid of online tools, such as the Google

Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.ines.tw.

Look for one or more bolded line(s) below the line ';ANSWER'. It should show the

value(s) you've just added.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Press Enter to Continue (before pressing Enter, confirm that the TXT record has been created at your DNS provider with the value shown above)


Successfully received certificate.

Certificate is saved at: /etc/letsencrypt/live/ines.tw/fullchain.pem

Key is saved at:         /etc/letsencrypt/live/ines.tw/privkey.pem

This certificate expires on 2022-07-29.

These files will be updated when the certificate renews.


NEXT STEPS:

- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If you like Certbot, please consider supporting our work by:

 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

 * Donating to EFF:                    https://eff.org/donate-le

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


  • certonly: only obtain the certificate, do not install it

  • --manual: manual mode

  • --preferred-challenges=dns

    • use the DNS challenge for validation

  • -d   *.ines.tw

    • the domain name to request the certificate for

  • The certificate files are stored under /etc/letsencrypt/live/your-domain

  • Each issuance is valid for 90 days


Looking at the resulting files


# ls  -lh  /etc/letsencrypt/live/ines.tw/


total 4.0K

-rw-r--r-- 1 root root 692 Apr 30 14:50 README

lrwxrwxrwx 1 root root  31 Apr 30 14:50 cert.pem -> ../../archive/ines.tw/cert1.pem

lrwxrwxrwx 1 root root  32 Apr 30 14:50 chain.pem -> ../../archive/ines.tw/chain1.pem

lrwxrwxrwx 1 root root  36 Apr 30 14:50 fullchain.pem -> ../../archive/ines.tw/fullchain1.pem

lrwxrwxrwx 1 root root  34 Apr 30 14:50 privkey.pem -> ../../archive/ines.tw/privkey1.pem




There are 4 main files


cert.pem: the SSL certificate for the requested domain (Your domain's certificate)

  • corresponds to certificate.crt from sslforfree used previously - the certificate (public half)


chain.pem: the Let's Encrypt chain certificate (The Let's Encrypt chain certificate)

  • corresponds to ca_bundle.crt from sslforfree - the intermediate certificate


fullchain.pem: the certificate and the intermediate certificate combined (cert.pem and chain.pem combined)

  • this is the file Nginx uses when configuring ssl


privkey.pem: the SSL certificate's private key (Your certificate's private key)

  • corresponds to private.key from sslforfree - the private key
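Two checks a practitioner would want around this session, as an added example that is not part of the original post: waiting until the _acme-challenge TXT record is actually visible from a public resolver before pressing Enter at the prompt above, and confirming that the cert1.pem / fullchain1.pem copied out of the archive directory really belong to privkey1.pem before they go on the load balancer. It assumes dig and openssl are installed; the domain and token in the usage line are the ones from this post's session.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks around the
# "certbot certonly --manual --preferred-challenges=dns" session:
#   1) wait until the _acme-challenge TXT record is visible before pressing Enter
#   2) after downloading, confirm the certificate and private key belong together
# Assumes dig (bind-utils) and openssl are installed.

# Parse `dig +short TXT` output. Each record is printed quoted, and a stale
# record from an earlier attempt may sit next to the new one, so match any line.
txt_contains() {
    printf '%s\n' "$1" | tr -d '"' | grep -qxF -- "$2"
}

# Poll a public resolver until the expected token shows up (default: 20 tries,
# 15 s apart). Certbot's own hint points at Google, so query the same resolver.
wait_for_txt() {
    name="_acme-challenge.$1"
    tries="${3:-20}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if txt_contains "$(dig +short TXT "$name" @8.8.8.8)" "$2"; then
            echo "TXT $name is visible; safe to press Enter in certbot"
            return 0
        fi
        i=$((i + 1))
        sleep 15
    done
    echo "TXT $name still not visible after $tries tries" >&2
    return 1
}

# Compare the public key inside the certificate (openssl x509 reads only the
# first certificate, i.e. the leaf, even from fullchain1.pem) with the public
# key derived from privkey1.pem. A mismatch means the wrong files were copied.
cert_matches_key() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Usage: sh check.sh ines.tw pGNqhluMQ3u-ejpPOMOdUG-ZO2gPrptWzyGmxYNyKpA \
#            /tmp/fullchain1.pem /tmp/privkey1.pem
if [ "$#" -ge 4 ]; then
    wait_for_txt "$1" "$2" || exit 1
    if cert_matches_key "$3" "$4"; then
        echo "$3 and $4 match; ready for the load balancer"
    else
        echo "key/cert mismatch: do not upload $3 with $4" >&2; exit 1
    fi
fi
```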


That completes the request, but how do you know which certificates have been requested on this machine?

The following command lists them


# certbot  certificates


Saving debug log to /var/log/letsencrypt/letsencrypt.log


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Found the following certs:

  Certificate Name: ines.tw

    Serial Number: 3b21ee0374642cba9403c35278cb94e5923

    Key Type: RSA

    Domains: *.ines.tw

    Expiry Date: 2022-07-29 13:50:52+00:00 (VALID: 89 days)

    Certificate Path: /etc/letsencrypt/live/ines.tw/fullchain.pem

    Private Key Path: /etc/letsencrypt/live/ines.tw/privkey.pem

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



Looking at the certificate information, the actual storage path is /etc/letsencrypt/archive/your-domain

# ls  -l  /etc/letsencrypt/archive/ines.tw/


total 20

-rw-r--r-- 1 root root 1830 Apr 30 14:50 cert1.pem

-rw-r--r-- 1 root root 3749 Apr 30 14:50 chain1.pem

-rw-r--r-- 1 root root 5579 Apr 30 14:50 fullchain1.pem

-rw------- 1 root root 1704 Apr 30 14:50 privkey1.pem


Copy the certificate files to the user's home directory so they can be downloaded easily in a moment


# cp  /etc/letsencrypt/archive/ines.tw/*  /home/max


Then change the owner of privkey1.pem (it is mode 0600, owned by root) so the user has permission to download it

# chown  max  /home/max/privkey1.pem


There are several ways to download the files


Back on your own machine


Method 1: use the download button in Web SSH


Open the GCE service page, log in with WebSSH, and click the download button

Enter the file name and click Download



  • The default download directory should be ~/下載 (Downloads)


Method 2: use the gcloud command


> gcloud  compute  scp  test20220430:/home/max/cert1.pem  /tmp/cert1.pem  --zone  asia-east1-b  --project  speedy-bazaar-245112


  • Replace test20220430:/home/max/cert1.pem with your-GCE-name:path/filename

  • If zone and project are not configured as defaults, specify them


The advantage of Method 2 over Method 1 is that you can choose the download path



Method 3: use the scp command


> scp  -i  css_id_rsa  USER@PUBLIC_IP:/home/max/cert1.pem  /tmp/cert1.pem



The downloaded files look like this

> ls  -l


總用量 20

-rw-r--r-- 1 sakana users 1830  4月 30 23:27 cert1.pem

-rw-r--r-- 1 sakana users 3749  4月 30 23:27 chain1.pem

-rw-r--r-- 1 sakana users 5579  4月 30 23:28 fullchain1.pem

-rw------- 1 sakana users 1704  4月 30 23:29 privkey1.pem


Once the download is complete, the GCE instance can be shut down / deleted


The files can then be used on the GCP Load Balancer



Another step forward :)


