Using a Let's Encrypt wildcard HTTPS certificate with Tomcat

Reference article: https://www.cnblogs.com/wzlinux/p/11188454.html

Reference article: https://blog.csdn.net/lyq8479/article/details/79022888

1.1 What is a wildcard certificate

A wildcard certificate, also called a pan-domain certificate, secures every same-level subdomain of a domain with a single certificate, turning all of them into HTTPS links. You do not need to request a new certificate for each subdomain, there is no limit on the number of subdomains, and adding a subdomain at any time costs nothing extra. For users with many subdomains this is very cost-effective and saves a great deal of time and money.

1.2 What is Let's Encrypt

Deploying an HTTPS site requires a certificate, and certificates are issued by a CA. Most traditional CAs charge for issuing certificates, which does not help drive adoption of HTTPS.

Let's Encrypt is also a CA, but this CA is free!!! In other words, getting a certificate issued costs nothing.

Because Let's Encrypt is a non-profit organization that has to control its costs, it did something very creative: it designed the ACME protocol. The current version of the protocol is v1.

So why create the ACME protocol? Traditional CAs handle certificate requests, renewals and revocations by hand, entirely through manual processing. ACME standardizes the request, renewal and revocation flows, so as long as a client implements the protocol it can request certificates from Let's Encrypt; in other words, the Let's Encrypt CA operates fully automatically.

Anyone can implement a client based on the ACME protocol; the officially recommended client is Certbot.

For the official list of clients, see https://letsencrypt.org/docs/client-options/ .

2. Requesting a certificate (certbot)

2.1 System

We are using a system created with the AWS Lightsail service, running CentOS 7.

2.2 Installing the tools

First add the EPEL repository to the system.

curl -o /etc/yum.repos.d/epel-7.repo https://mirrors.aliyun.com/repo/epel-7.repo

Install the certificate request tool Certbot.

yum install -y certbot

2.3 Requesting the certificate

hlvy.com is the domain. For example, for www.baidu.com you only need to enter baidu.com; the wildcard then matches any xxx.baidu.com.

certbot certonly -d *.hlvy.com --manual \
--preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory

  • --manual: obtain the certificate interactively (manual mode),
  • --preferred-challenges dns: use DNS validation (a wildcard domain can only be validated via DNS); without this option certbot defaults to HTTP validation (.well-known),
  • --server: the address of a server that supports acme-v02; the default is the acme-v01 address.

The request proceeds as follows. To prove that the domain is under your control, partway through we have to create a TXT DNS record.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for wzlinux.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.wzlinux.com with the following value:

EFC5zDV4Yyz1DY6796qHlUCS-TBWQCuxj3Re_-kTiiI

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hlvy.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hlvy.com/privkey.pem
   Your cert will expire on 2019-09-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

As you can see above, a DNS record is required; I set mine up in Alibaba Cloud DNS. When certbot reaches "Press Enter to Continue", do not press Enter yet.

First configure the record for the domain in Alibaba Cloud.

EFC5zDV4Yyz1DY6796qHlUCS-TBWQCuxj3Re_-kTiiI is the value of the TXT record; copy it from the output generated above.

Once the record is in place, verify it from the server.

[root@ip-172-26-5-120 ~]# dig -t txt _acme-challenge.hlvy.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -t txt _acme-challenge.hlvy.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47252
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.hlvy.com.		IN	TXT

;; ANSWER SECTION:
_acme-challenge.hlvy.com.	58	IN	TXT	"EFC5zDV4Yyz1DY6796qHlUCS-TBWQCuxj3Re_-kTiiI"

;; Query time: 0 msec
;; SERVER: 172.26.0.2#53(172.26.0.2)
;; WHEN: Thu Jun 06 07:04:07 UTC 2019
;; MSG SIZE  rcvd: 112
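The manual dig check above can be scripted so that you only press Enter once the record the resolver returns is exactly the token certbot printed. The following is an added example, not code from the original post: it parses `dig +short -t txt` output (which may split long records into several quoted chunks), requires an exact whole-value match so a leftover token from an earlier run does not pass, and lets you point the query at the zone's authoritative name server, which is what Let's Encrypt itself queries. The domain, token and name-server name in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the _acme-challenge TXT
# record carries exactly the token certbot printed before pressing Enter.

# Normalise `dig +short -t txt` output read on stdin. dig prints each record as
# one or more quoted strings, e.g. "abc" "def" for long records; join the chunks
# and strip the quotes so every output line is one plain record value.
txt_values() {
    sed -e 's/" "//g' -e 's/"//g'
}

# Exit 0 only if one of the record values on stdin equals $1 exactly.
# Whole-line match (-x): a value that merely contains the token, or a stale
# token from a previous certbot run, must not count as deployed.
txt_contains_token() {
    txt_values | grep -qxF -- "$1"
}

# Query the challenge record of domain $1 and compare it with token $2.
# Optional $3 is the resolver to ask; pass one of the zone's authoritative
# name servers so a cached answer from the local resolver cannot mislead you.
acme_txt_matches() {
    domain="$1"; token="$2"; server="${3:-}"
    if [ -n "$server" ]; then
        dig +short -t txt "@$server" "_acme-challenge.$domain" | txt_contains_token "$token"
    else
        dig +short -t txt "_acme-challenge.$domain" | txt_contains_token "$token"
    fi
}

# Usage (token and name server are constructed placeholders):
#   acme_txt_matches hlvy.com EFC5zDV4Yyz1DY6796qHlUCS-TBWQCuxj3Re_-kTiiI ns1.example-dns.invalid \
#       && echo "TXT record is live at the authoritative server; safe to press Enter"
```

Run it in a loop with a short sleep if your DNS provider takes a while to publish; the function returns non-zero until the exact value is visible.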

2.4 Viewing the certificate

[root@ip-172-26-5-120 ~]# ll /etc/letsencrypt/live/hlvy.com/
total 4
lrwxrwxrwx. 1 root root  35 Jun  6 06:53 cert.pem -> ../../archive/hlvy.com/cert1.pem
lrwxrwxrwx. 1 root root  36 Jun  6 06:53 chain.pem -> ../../archive/hlvy.com/chain1.pem
lrwxrwxrwx. 1 root root  40 Jun  6 06:53 fullchain.pem -> ../../archive/hlvy.com/fullchain1.pem
lrwxrwxrwx. 1 root root  38 Jun  6 06:53 privkey.pem -> ../../archive/hlvy.com/privkey1.pem
-rw-r--r--. 1 root root 692 Jun  6 06:53 README

2.5 Configuring the free Let's Encrypt SSL certificate in Tomcat 7

From the output above (the success message printed when the certificate was obtained) you can see that the Let's Encrypt certificate is saved under /etc/letsencrypt/live/hlvy.com/ and consists of four files:

cert.pem
chain.pem
fullchain.pem
privkey.pem

The two we need are the last two: fullchain.pem and privkey.pem. Next we use the Linux tools openssl and keytool to convert the SSL certificate from .pem format into the .jks format that Tomcat supports.

# Export a .p12 (PKCS#12) keystore from the certificate chain and private key
$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out hlvy_letsencrypt.p12 -name tomcat_letsencrypt

# Then convert the .p12 keystore into .jks format (source keystore is the .p12 just created)
$ keytool -importkeystore -deststorepass '123456' -destkeypass '123456' -destkeystore hlvy_letsencrypt.jks -srckeystore hlvy_letsencrypt.p12 -srcstoretype PKCS12 -srcstorepass '123456' -alias tomcat_letsencrypt


Note: the openssl command asks you to set an export password when it writes the .p12 file, and the keytool command takes a password in three places. The simplest approach is to use the same password everywhere that one is required, so they do not get mixed up.

After these two steps, a new keystore, hlvy_letsencrypt.jks, is generated in /etc/letsencrypt/live/hlvy.com/. Next, edit %tomcat%/conf/server.xml and add the two attributes keystoreFile and keystorePass: keystoreFile points to the .jks keystore file and keystorePass is its password. The key part of the modified configuration is:


<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="/home/test/hlvy_letsencrypt.jks"
    keystorePass="123456"
/>

Now open the project URL and inspect the certificate in the browser.

2.6 Certificate renewal

Renewal is done with the command certbot renew; add a scheduled task for it.

[root@ip-172-26-5-120 ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hlvy.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/hlvy.com/fullchain.pem expires on 2019-09-04 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Scheduled task (crontab entry).

30 1 10 * * /usr/bin/certbot renew && systemctl reload nginx
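With a Tomcat Connector, a renewed certificate only takes effect after the new fullchain.pem and privkey.pem are exported into the JKS again (the openssl and keytool steps in 2.5) and Tomcat is restarted, which a plain certbot renew does not do. The script below is an added example, not code from the original post or from certbot: a certbot deploy hook that repeats the page's PKCS#12-to-JKS conversion for the renewed lineage and restarts Tomcat only when the keystore is actually out of date. certbot exports the renewed lineage directory (for example /etc/letsencrypt/live/hlvy.com) to deploy hooks in the RENEWED_LINEAGE environment variable. Assumptions that are not on the page: Tomcat runs as the systemd unit "tomcat", the keystore password is kept in a root-only file /etc/tomcat/keystore.pass instead of on the command line, and renewal itself has been automated with a DNS plugin or --manual-auth-hook, since a certificate obtained with plain --manual cannot be renewed non-interactively.

```shell
#!/bin/sh
# Added example (not from the original post): certbot --deploy-hook that
# re-exports the renewed PEM pair into the JKS Tomcat reads, then restarts Tomcat.
# RENEWED_LINEAGE is set by certbot when it runs deploy hooks.
set -eu

JKS_PATH="${JKS_PATH:-/home/test/hlvy_letsencrypt.jks}"     # keystoreFile in server.xml
JKS_ALIAS="${JKS_ALIAS:-tomcat_letsencrypt}"                # alias used on the page
JKS_PASS_FILE="${JKS_PASS_FILE:-/etc/tomcat/keystore.pass}" # assumed: root-only, one line
TOMCAT_UNIT="${TOMCAT_UNIT:-tomcat}"                        # assumed systemd unit name

# Exit 0 when the keystore is missing or older than the certificate, i.e. when
# an export is really needed; otherwise we skip the Tomcat restart entirely.
keystore_stale() {
    cert="$1"; jks="$2"
    [ ! -e "$jks" ] || [ "$cert" -nt "$jks" ]
}

# Export <live dir>/{fullchain,privkey}.pem -> PKCS#12 -> JKS.
# Arguments: live dir, output .jks path, key alias, password file.
# Returns 1 without touching anything if any input is unreadable.
export_jks() {
    live="$1"; jks="$2"; alias="$3"; passfile="$4"
    [ -r "$live/fullchain.pem" ] && [ -r "$live/privkey.pem" ] && [ -r "$passfile" ] || return 1
    (
        umask 077                  # temp file and new keystore are created root-only
        p12="$(mktemp)"
        rm -f "$jks.new"
        # Both tools read the password from the file, so it never appears in the
        # process list (the page's version passes '123456' as a visible argument).
        openssl pkcs12 -export -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
            -out "$p12" -name "$alias" -passout "file:$passfile"
        keytool -importkeystore -noprompt \
            -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:file "$passfile" \
            -destkeystore "$jks.new" -deststoretype JKS \
            -deststorepass:file "$passfile" -destkeypass:file "$passfile" \
            -alias "$alias"
        rm -f "$p12"
        mv -f "$jks.new" "$jks"    # atomic swap: Tomcat never sees a half-written keystore
        chmod 600 "$jks"
    )
}

# Entry point when certbot invokes this file as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if keystore_stale "$RENEWED_LINEAGE/fullchain.pem" "$JKS_PATH"; then
        export_jks "$RENEWED_LINEAGE" "$JKS_PATH" "$JKS_ALIAS" "$JKS_PASS_FILE"
        systemctl restart "$TOMCAT_UNIT"   # Tomcat 7 only re-reads the keystore on (re)start
    fi
fi
```

Install it as, for example, /usr/local/bin/tomcat-deploy-hook.sh (path assumed) and register it once with `certbot renew --deploy-hook /usr/local/bin/tomcat-deploy-hook.sh`; certbot records the hook in the lineage's renewal configuration, so the crontab entry above can then drop the nginx reload and simply run certbot renew. The password file should hold the same password that keystorePass in server.xml uses.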


Reposted from blog.csdn.net/qq_39313596/article/details/103120778