HTTPs – Let’s Encrypt

測試環境為 Ubuntu 20.04 x86_64 + Apache2 (虛擬機平台 Linode)

主要要幫 http://benjr.tw (WordPress) 改成為 https://benjr.tw , 什麼是 https(http with SSL+CA) 可以參考 – https://benjr.tw/96655

https 需要 Root CA 幫忙驗證身分,如果要免費使用可以去 Let’s Encrypt – https://letsencrypt.org/zh-tw/ 申請 , 下面是透過 certbot 提共的工具來申請.參考步驟說明 – https://certbot.eff.org/instructions?ws=apache&os=ubuntufocal

安裝 certbot 套件

先確定你的 Ubuntu 套件都是最新的.

root@localhost:~# apt update && sudo apt upgrade

certbot 需要使用 snap 套件管理程式來安裝.

root@localhost:~# snap
The snap command lets you install, configure, refresh and remove snaps.
Snaps are packages that work across many different Linux distributions,
enabling secure delivery and operation of the latest apps and utilities.

Usage: snap <command> [<options>...]

Commonly used commands can be classified as follows:

         Basics: find, info, install, remove, list
        ...more: refresh, revert, switch, disable, enable, create-cohort
        History: changes, tasks, abort, watch
        Daemons: services, start, stop, restart, logs
    Permissions: connections, interface, connect, disconnect
  Configuration: get, set, unset, wait
    App Aliases: alias, aliases, unalias, prefer
        Account: login, logout, whoami
      Snapshots: saved, save, check-snapshot, restore, forget
         Device: model, reboot, recovery
      ... Other: warnings, okay, known, ack, version
    Development: download, pack, run, try

For more information about a command, run 'snap help <command>'.
For a short summary of all commands, run 'snap help --all'.

安裝所需套件.

root@localhost:~# snap install core; sudo snap refresh core
2022-02-09T03:42:13Z INFO Waiting for automatic snapd restart...
core 16-2.54.2 from Canonical✓ installed
snap "core" has no updates available

安裝 certbot

root@localhost:~# snap install --classic certbot
certbot 1.23.0 from Certbot Project (certbot-eff✓) installed
root@localhost:~# ln -s /snap/bin/certbot /usr/bin/certbot

設定 Let’s Encrypt

透過 certbot 程式來申請 Let’s Encrypt ,我的 web server 為 Apache .並回答下面相對應問題.

你的 E-mail

root@localhost:~# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): xxxxxxx@gmail.com

同意說明.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.

我的 Apache 裡面只有一個 benjr.tw 網頁.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: benjr.tw
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for benjr.tw

已經成功了,你的 CA 與加密 Key 存放在以下的路徑.

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/benjr.tw/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/benjr.tw/privkey.pem
This certificate expires on 2022-05-10.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for benjr.tw to /etc/apache2/sites-available/000-default-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://benjr.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

檢視 設定檔,需手動增加 [[webroot_map]] 區塊.

root@localhost:~# cat /etc/letsencrypt/renewal/benjr.tw.conf
# renew_before_expiry = 30 days
version = 1.25.0
archive_dir = /etc/letsencrypt/archive/benjr.tw
cert = /etc/letsencrypt/live/benjr.tw/cert.pem
privkey = /etc/letsencrypt/live/benjr.tw/privkey.pem
chain = /etc/letsencrypt/live/benjr.tw/chain.pem
fullchain = /etc/letsencrypt/live/benjr.tw/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = f1216512346c851a05c181f356fdc832
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

[[webroot_map]]
benjr.tw = /var/www/html

編輯 Apache2 https 設定檔
在 /etc/apache2/sites-available/000-default.conf 設定檔 後面加入 https 443 的內容.

root@localhost:~# vi /etc/apache2/sites-available/000-default.conf
<VirtualHost *:443>
       SSLEngine On
       SSLCertificateFile      /etc/letsencrypt/live/benjr.tw/cert.pem
       SSLCertificateKeyFile   /etc/letsencrypt/live/benjr.tw/privkey.pem
       SSLCertificateChainFile /etc/letsencrypt/live/benjr.tw/chain.pem
       DocumentRoot /var/www/html
       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

並 Reload 服務.

root@localhost:~# systemctl reload apache2
root@localhost:~# systemctl status apache2
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-03-29 00:51:19 UTC; 2h 13min ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 1643448 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
   Main PID: 1615340 (apache2)
      Tasks: 6 (limit: 2282)
     Memory: 62.4M
     CGroup: /system.slice/apache2.service
             ├─1615340 /usr/sbin/apache2 -k start
             ├─1643452 /usr/sbin/apache2 -k start
             ├─1643453 /usr/sbin/apache2 -k start
             ├─1643454 /usr/sbin/apache2 -k start
             ├─1643455 /usr/sbin/apache2 -k start
             └─1643456 /usr/sbin/apache2 -k start

可以透過 https://crt.sh/?q=benjr.tw 來檢視你的 https 認證的使用期限.

自動更新

這樣就結束了,不過 Let’s Encrypt 憑證會在 90 天後到期,自動更新方式有兩種

  1. Crontab
    可以透過 Crontab (cron.monthly 每個月自動執行一次) 來自動更新.

    root@localhost:~# vi /etc/cron.monthly/benjr
    #! /bin/bash
    certbot renew --webroot --dry-run
    
    root@localhost:~# chmod a+x /etc/cron.monthly/benjr
    

    編輯完可以測試一下 cron.monthly 目錄裡的檔案使否正常.

    root@localhost:~#  run-parts --test /etc/cron.monthly/
    /etc/cron.monthly//benjr
    
  2. snap.certbot.renew.timer
    snap.certbot.renew.timer 這個服務可以自動更新.
    預設每天 在 09:23 與 17:43 自動更新.

    [Timer]
    root@localhost:~# cat /etc/systemd/system/timers.target.wants/snap.certbot.renew.timer
    [Unit]
    # Auto-generated, DO NOT EDIT
    Description=Timer renew for snap application certbot.renew
    Requires=snap-certbot-1888.mount
    After=snap-certbot-1888.mount
    X-Snappy=yes
    
    [Timer]
    Unit=snap.certbot.renew.service
    OnCalendar=*-*-* 09:23
    OnCalendar=*-*-* 17:43
    
    [Install]
    WantedBy=timers.target
    

    檢視一下服務狀態.

    root@localhost:~# systemctl status snap.certbot.renew.timer
    ● snap.certbot.renew.timer - Timer renew for snap application certbot.renew
         Loaded: loaded (/etc/systemd/system/snap.certbot.renew.timer; enabled; vendor preset: enabled)
         Active: active (waiting) since Wed 2022-03-16 22:48:03 UTC; 1 weeks 5 days ago
        Trigger: Tue 2022-03-29 09:23:00 UTC; 6h left
       Triggers: ● snap.certbot.renew.service
    
    Mar 16 22:48:03 localhost systemd[1]: Started Timer renew for snap application certbot.renew.
    
    root@localhost:~# systemctl list-timers --no-pager | grep -i snap.certbot.renew.timer
    Tue 2022-03-29 09:23:00 UTC 6h left       Tue 2022-03-29 00:47:04 UTC 2h 32min ago       snap.certbot.renew.timer     snap.certbot.renew.service
    

遇過的問題

  1. 無法透過 apt 安裝 certbot
    參考 Linode 文章 – https://www.linode.com/docs/guides/install-lets-encrypt-to-create-ssl-certificates/ 卻遇到以下的問題,後來使用上面的方式才成功.

    root@localhost:~# apt-get install git
    root@localhost:~# git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
    root@localhost:~# cd /opt/letsencrypt
    root@localhost:/opt/letsencrypt# sudo -H ./letsencrypt-auto-source/letsencrypt-auto certonly --standalone -d example.com
     -d benjr.tw
    Skipping bootstrap because certbot-auto is deprecated on this system.
    Your system is not supported by certbot-auto anymore.
    Certbot cannot be installed.
    Please visit https://certbot.eff.org/ to check for other alternatives.
    
    root@localhost:/opt/letsencrypt# wget https://raw.githubusercontent.com/certbot/certbot/7f0fa18c570942238a7de73ed99945c3710408b4/letsencrypt-auto-source/letsencrypt-auto /opt/letsencrypt/
    --2022-02-09 02:23:12--  https://raw.githubusercontent.com/certbot/certbot/7f0fa18c570942238a7de73ed99945c3710408b4/letsencrypt-auto-source/letsencrypt-auto
    Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 2606:50c0:8003::154, 2606:50c0:8002::154, 2606:50c0:8001::154, ...
    Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8003::154|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 80017 (78K) 
    Saving to: ‘letsencrypt-auto’
    
    letsencrypt-auto              100%[=================================================>]  78.14K  --.-KB/s    in 0.001s
    
    2022-02-09 02:23:12 (97.4 MB/s) - ‘letsencrypt-auto’ saved [80017/80017]
    
    /opt/letsencrypt/: Scheme missing.
    FINISHED --2022-02-09 02:23:12--
    Total wall clock time: 0.01s
    Downloaded: 1 files, 78K in 0.001s (97.4 MB/s)
    
    root@localhost:/opt/letsencrypt# chmod a+x letsencrypt-auto
    root@localhost:/opt/letsencrypt# sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d benjr.tw
    Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
    Hit:1 http://mirrors.linode.com/ubuntu focal InRelease
    Hit:2 http://security.ubuntu.com/ubuntu focal-security InRelease
    Hit:3 http://mirrors.linode.com/ubuntu focal-updates InRelease
    Hit:4 http://mirrors.linode.com/ubuntu focal-backports InRelease
    Reading package lists... Done
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Note, selecting 'python-is-python2' instead of 'python'
    Note, selecting 'python-dev-is-python2' instead of 'python-dev'
    Package python-virtualenv is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source
    
    E: Package 'python-virtualenv' has no installation candidate
    
  2. Renew 失敗1
    root@localhost:~# certbot renew --webroot --dry-runewal/benjr.tw.conf
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/benjr.tw.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Simulating renewal of an existing certificate for benjr.tw
    
    Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
      Domain: benjr.tw
      Type:   unauthorized
      Detail: Invalid response from https://benjr.tw/.well-known/acme-challenge/c7Mbza-MumwtaOGsp0oWBaHTt6i0CFrahE3Xpyc0p8I [172.105.215.98]: 404
    
    Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
    
    Failed to renew certificate benjr.tw with error: Some challenges have failed.
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    All simulated renewals failed. The following certificates could not be renewed:
      /etc/letsencrypt/live/benjr.tw/fullchain.pem (failure)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1 renew failure(s), 0 parse failure(s)
    Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
    

    指定錯誤的 webroot , 需指定正確的 [[webroot_map]]

    root@localhost:~# vi /etc/letsencrypt/renewal/benjr.tw.conf
    # renew_before_expiry = 30 days
    version = 1.25.0
    archive_dir = /etc/letsencrypt/archive/benjr.tw
    cert = /etc/letsencrypt/live/benjr.tw/cert.pem
    privkey = /etc/letsencrypt/live/benjr.tw/privkey.pem
    chain = /etc/letsencrypt/live/benjr.tw/chain.pem
    fullchain = /etc/letsencrypt/live/benjr.tw/fullchain.pem
    
    # Options used in the renewal process
    [renewalparams]
    account = f1216512346c851a05c181f356fdc832
    authenticator = webroot
    server = https://acme-v02.api.letsencrypt.org/directory
    key_type = rsa
    
    [[webroot_map]]
    benjr.tw = /var/www/html
    
  3. Renew 失敗2
    certbot renew --webroot --dry-run
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/benjr.tw.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Simulating renewal of an existing certificate for benjr.tw
    Failed to renew certificate benjr.tw with error: Missing command line flag or config entry for this setting:
    Input the webroot for benjr.tw:
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    All simulated renewals failed. The following certificates could not be renewed:
      /etc/letsencrypt/live/benjr.tw/fullchain.pem (failure)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1 renew failure(s), 0 parse failure(s)
    Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
    

    須指定 webroot 為正確的 [[webroot_map]] 路徑,並重新申請一次.

    root@localhost:~# vi /etc/letsencrypt/renewal/benjr.tw.conf
    # renew_before_expiry = 30 days
    version = 1.25.0
    archive_dir = /etc/letsencrypt/archive/benjr.tw
    cert = /etc/letsencrypt/live/benjr.tw/cert.pem
    privkey = /etc/letsencrypt/live/benjr.tw/privkey.pem
    chain = /etc/letsencrypt/live/benjr.tw/chain.pem
    fullchain = /etc/letsencrypt/live/benjr.tw/fullchain.pem
    
    # Options used in the renewal process
    [renewalparams]
    account = f1216512346c851a05c181f356fdc832
    authenticator = webroot
    server = https://acme-v02.api.letsencrypt.org/directory
    key_type = rsa
    
    [[webroot_map]]
    benjr.tw = /var/www/html
    
    root@localhost:~# certbot renew --webroot --dry-run
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/benjr.tw.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Simulating renewal of an existing certificate for benjr.tw
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Congratulations, all simulated renewals succeeded:
      /etc/letsencrypt/live/benjr.tw/fullchain.pem (success)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
沒有解決問題,試試搜尋本站其他內容

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。

這個網站採用 Akismet 服務減少垃圾留言。進一步了解 Akismet 如何處理網站訪客的留言資料