专注于前端开发, 追求更好的用户体验, 更好的开发体验 [长沙前端QQ群:234746733]

使用letsencrypt自动生成和续期HTTPS证书

相信一些同学注意到了, 本站启用了https, 域名改成了xhl.me, 服务也早就全都改用docker了.
顺带介绍下之前搞的两个个docker项目: alpine-tengine, docker-backup.

*本文主要介绍letsencrypt证书的创建和通配符HTTPS证书生成, 还有基于letsencrypt docker镜像实现证书自动续期.

Let's Encrypt 是一个自动签发免费HTTPS证书的非营利机构, 生成的证书有3个月有效期, 到期可以免费续期.
Certbot 是 Let's Encrypt 官方推荐的生成证书的客户端工具, 文档.

使用dnsrobocert生成证书(支持通配符域名证书), 并自动续期

这个项目, 集成了certbot(证书生成命令行工具), Lexicon(DNS记录修改工具, 主流DNS服务商都支持).
另外还自带了crontab 定时任务, 只要服务启动, 就会自动续期域名了.

1. 创建, /etc/dnsrobocert/config.yml, 内容类似这样:
  1. # https://git.io/JL1cD
  2. draft: false
  3. acme:
  4.   email_account: <youremail>
  5.   staging: false
  6. profiles:
  7. - name: cloudflare
  8.   provider: cloudflare
  9.   provider_options:
  10.     auth_username: <cloudflare_email>
  11.     auth_token: <cloudflare_token>
  12. - name: dnspod
  13.   provider: dnspod
  14.   provider_options:
  15.     auth_username: <dnspod_id>
  16.     auth_token: <dnspod_token>
  17. certificates:
  18. - domains:
  19.   - "*.xhl.me"
  20.   -  xhl.me
  21.   profile: cloudflare
  22.   # autorestart:
  23.   #   - containers:
  24.   #     - nginx
  25.   autocmd: # 自动重启
  26.     - cmd: nginx -s reload
  27.       containers:
  28.       - nginx
  29. # - domains:
  30. #   - "*.test.com"
  31. #   profile: dnspod
  32. #   ...
2. 根据DNS PROVIDER信息验证, 并自动创建和续期证书
  1. docker run -it --rm --name letsencrypt2 \
  2.   -v /etc/dnsrobocert:/etc/dnsrobocert \
  3.   -v /etc/letsencrypt:/etc/letsencrypt \
  4.   -v /var/run/docker.sock:/var/run/docker.sock \
  5.   adferrand/dnsrobocert

LEXICON_PROVIDER 主流的DNS服务都支持, 比如:

3. 进阶: 使用docker-compose

创建 /compose/letsencrypt/docker-compose.yml:

  1. version: '3'
  2. services:
  3.   letsencrypt:
  4.     container_name: letsencrypt
  5.     image: adferrand/dnsrobocert
  6.     # network_mode: "host"
  7.     volumes:
  8.       - /etc/dnsrobocert/:/etc/dnsrobocert
  9.       - /etc/letsencrypt/:/etc/letsencrypt
  10.       - /var/run/docker.sock:/var/run/docker.sock

启动服务执行: cd /compose/letsencrypt; docker-compose up -d --force-recreate -V;

5. 进阶: 开机自启服务

创建 /etc/systemd/system/letsencrypt.service, 内容:

  1. [Unit]
  2. Description=Letsencrypt Container
  3. After=docker.service
  4. Requires=docker.service

  6. [Service]
  7. Type=oneshot
  8. RemainAfterExit=yes
  9. TimeoutStartSec=0
  10. ExecStart=/usr/local/bin/docker-compose up -d --force-recreate
  11. ExecReload=/usr/local/bin/docker-compose up -d --force-recreate
  12. ExecStop=/usr/local/bin/docker-compose stop
  13. WorkingDirectory=/composes/letsencrypt

  15. [Install]
  16. WantedBy=multi-user.target

执行下, 下面的命令就可以成为自启的服务了:

  1. systemctl daemon-reload;
  2. systemctl enable letsencrypt; systemctl restart letsencrypt;

同理, 也可以把其他docker服务做成自启, 比如Nginx.

证书生成后 nginx 的配置

  1. server {
  2.   listen 80;
  3.   listen 443 ssl;
  4.   server_name xhl.me www.xhl.me;
  5.   ssl_certificate /etc/letsencrypt/live/xhl.me/fullchain.pem;
  6.   ssl_certificate_key /etc/letsencrypt/live/xhl.me/privkey.pem;
  7.   ssl_session_cache shared:SSL:50m;
  8.   ssl_session_timeout 5m;
  9.   ssl_stapling on;
  10.   ssl_stapling_verify on;

  12.   ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
  13.   ssl_prefer_server_ciphers on;
  14.   ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
  15.   ...
  16. }

可能用到的debug命令

  1. telnet xhl.me 443
  2. openssl s_client -connect xhl.me:443
  3. curl -vv -k https://xhl.me # 测试https
  4. docker exec -it letsencrypt sh # 进入容器执行shell命令
  5. docker logs letsencrypt -f # 查看letsencrypt输出的日志信息

tools

另外, 也可以使用certbot 生成证书, 但是没有dnsrobocert方便, 就不介绍了.

如果letsencrypt提示了lexicon执行错误, 看不到具体的错误, 比如: 422 Client Error: Unprocessable Entity for url: xxx, 这时可以看域名对应DNS服务商的API文档, 用curl直接调用接口来debug, 比如:

  1. // godaddy 获取域名的所有记录
  2. curl -X GET -H"Authorization: sso-key KEY:SECRET" https://api.godaddy.com/v1/domains/yourdomain.com/records
  3. // godaddy 批量修改域名记录
  4. curl -X PUT https://api.godaddy.com/v1/domains/yourdomain.com/records -H "Authorization: sso-key KEY:SECRET" \
  5. -H "Content-Type: application/json" -d '[....., {"data": "test", "type": "TXT", "name": "_acme-challenge", "ttl": 3600}]'

/ 分类: 工具,实践 / TrackBackhttps://xhl.me/archives/letsencrypt-ssl/trackback标签: docker, https

添加新评论 »