[TOC]

## 1. Prerequisites

1. A domain name you can use
2. Access to the server the domain points to
3. While the free certificate is being requested, ports 80 and 443 on that server must not be in use (port 80 is the important one)

## 2. Implementation

### 2.1 Prepare the tool

#### 2.1.1 Download

https://codeload.github.com/certbot/certbot/zip/master

#### 2.1.2 Install

~~~
unzip certbot-master.zip
cd certbot-master
~~~

1. `letsencrypt-auto` is the main tool used to request certificates. Usage:

~~~
run: obtain a certificate and install it into the current web server
certonly: obtain or renew a certificate, but do not install it
renew: renew all previously obtained certificates that are close to expiry
-d DOMAINS: one certificate can cover several domains, separated by commas
--apache: use the Apache plugin to validate and install the certificate
--standalone: run a standalone web server for validation
--nginx: use the Nginx plugin to validate and install the certificate
--webroot: if the target server already runs a web server that cannot be stopped, validate by placing files in the site's web root
--manual: obtain the certificate interactively or through a shell script
~~~

### 2.2 Obtain the certificate

This command only obtains the certificate; it does not install it:

~~~
./letsencrypt-auto certonly --standalone --email lovetocar@aexit.net -d DOMAINS   # separate multiple domains with commas
~~~

During the run you are prompted and answer as follows:

~~~
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for lovetocar.cn
Waiting for verification...
Cleaning up challenges
~~~

When you see the following, the certificate was generated successfully:

~~~
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/lovetocar.cn/fullchain.pem
   Your key file has been saved at:
~~~

Four files are generated in the /etc/letsencrypt/live/lovetocar.cn/ directory:

~~~
cert.pem: Your domain's certificate (public key)
chain.pem: The Let's Encrypt chain certificate
fullchain.pem: cert.pem and chain.pem combined (contains the public key and the Let's Encrypt certificate)
privkey.pem: Your certificate's private key
~~~

### 2.3 Configure haproxy

#### 2.3.1 Prerequisites

1. haproxy must be built with SSL support (if it is not, compile and install it)
2. The certificate generated in the previous step must be merged

#### 2.3.2 Merge the certificate

For a web service behind haproxy, haproxy must be given a single PEM that contains both the public key and the private key, so merge fullchain.pem and privkey.pem:

~~~
cat privkey.pem fullchain.pem | tee timing-prod.pem
~~~

#### 2.3.4 Configure haproxy

~~~
frontend frontend_web80
    bind *:80
    redirect scheme https if !{ ssl_fc }
    bind 0.0.0.0:443 ssl crt /home/timing/https/lovetocar.cn/lovetocar.pem
    acl is_timing hdr(host) -i lovetocar.cn lovetocar.cn:443 www.lovetocar.cn www.lovetocar.cn:443
    use_backend timing if is_timing
    acl is_hicar hdr(host) -i lovetocar.net lovetocar.net:443 www.lovetocar.net www.lovetocar.net:443
    default_backend backend_hicarwx

backend backend_hicarwx
    balance source
    server hicar1 10.30.46.xx:8090 weight 1 maxconn 10000 check inter 10s
    server hicar2 10.30.48.xx:8090 weight 1 maxconn 10000 check inter 10s

backend timing
    balance source
    server timing1 10.30.46.xx:31001 weight 1 maxconn 10000 check inter 10s
    server timing2 10.30.48.xx:31001 weight 1 maxconn 10000 check inter 10s
~~~

#### 2.3.5 Convert the PEM to a KeyStore

If needed, the PEM can be converted into a KeyStore:

~~~
openssl pkcs12 -export -in cert.pem -inkey timing-prod.pem -out timing-prod.pk12 -name timing
keytool -importkeystore -deststorepass '4rfv$RFV' -destkeypass '4rfv$RFV' -destkeystore timing-prod.keystore -srckeystore timing-prod.pk12 -srcstoretype PKCS12 -srcstorepass '4rfv$RFV' -alias timing
~~~

## 3. Renewal

### 3.1 Check the certificate's expiry date

Run this against the PEM that contains the public key:

~~~
openssl x509 -in ./fullchain2.pem -noout -dates
notBefore=Feb 28 01:54:56 2018 GMT
notAfter=May 29 01:54:56 2018 GMT
~~~

The certificate is valid from 2018-2-28 to 2018-5-29.

### 3.2 Renew

~~~
certbot renew
~~~
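The merge step in 2.3.2 and the expiry check in 3.1 combined into one POSIX shell script, as an added example that is not part of the original post: it refuses to build the haproxy PEM when privkey.pem does not belong to the certificate in fullchain.pem, creates the merged file (which holds the private key) with mode 0600 instead of the default umask, and reports whether the certificate expires within a given number of days. It assumes only that the `openssl` CLI is installed; the self-signed certificate for `demo.invalid` is a constructed stand-in for the Let's Encrypt files.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.

# Build haproxy's combined PEM from privkey.pem and fullchain.pem.
# Fails if the private key does not belong to the leaf certificate.
build_haproxy_pem() {
    key="$1"; chain="$2"; out="$3"
    # Compare the public key derived from the private key with the one
    # embedded in the first certificate of the chain (the leaf).
    from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || return 1
    [ "$from_key" = "$from_cert" ] || { echo "key/cert mismatch" >&2; return 1; }
    # umask 077 makes the new file 0600 before any key bytes land in it.
    ( umask 077; cat "$key" "$chain" > "$out" )
}

# Return 0 when the certificate in $1 expires within $2 days, 1 otherwise.
# openssl's -checkend exits 0 while the cert is still valid at that instant,
# so the sense is inverted here to read naturally inside an "if".
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )); then
        return 1
    fi
    return 0
}

# Constructed input for demonstration: a throwaway self-signed cert valid for
# 30 days, standing in for Let's Encrypt's privkey.pem and fullchain.pem.
# Prints the temporary directory that holds the two files.
make_demo_cert() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo.invalid" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1 || return 1
    echo "$dir"
}
```

Point `build_haproxy_pem` at the real /etc/letsencrypt/live/<domain>/ files, and run `expires_within_days` from cron to decide when `certbot renew` and a haproxy reload are due.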