【SSL】用Certbot生成免费HTTPS证书

这篇具有很好参考价值的文章主要介绍了【SSL】用Certbot生成免费HTTPS证书。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

1. 实验背景

服务器:CentOS7.x
示例域名: www.example.com
域名对应的web站点目录: /usr/local/openresty/nginx/html

2. 安装docker

# yum -y  install  yum-utils

# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo 

# yum list docker-ce --showduplicates | sort -r

# yum -y install  docker-ce-17.12.0.ce

3. 添加镜像加速仓库


#   tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://m3e4jmm0.mirror.aliyuncs.com"]
}
EOF

# systemctl restart docker 
# systemctl restart docker 

4. 拉取 certbot 工具镜像

#  docker  pull  certbot/certbot:v1.11.0
v1.11.0: Pulling from certbot/certbot
801bfaa63ef2: Pull complete
7678dd7631a2: Pull complete
4c6139ab40d8: Pull complete
ff5ef8cd8062: Pull complete
73dee1f700a1: Pull complete
3dfb7190edf9: Pull complete
176bf1686307: Pull complete
fe1749c3045d: Pull complete
5a79fca54080: Pull complete
e57ac51359f9: Pull complete
88988e2ba14a: Pull complete
a916063ca8d3: Pull complete
168ae0b7107a: Pull complete
d0bd333abff4: Pull complete
Digest: sha256:fecbc1f03607f961d20a6c6b0624507e42e6dea7c7f1548e2cbb8c3782b35da9
Status: Downloaded newer image for certbot/certbot:v1.11.0

5 . 测试示例域名解析

# nslookup  www.exanple.com
Server:         114.114.114.114
Address:        114.114.114.114#53

Non-authoritative answer:
Name:   www.exanple.com
Address: 199.59.243.224

注意,示例域名 www.exanple.com在certbot机器上一定要解析在公网ip,而不是解析在内网ip,否则会报错无法解析:

Waiting for verification...
Challenge failed for domain www.example.com
http-01 challenge for www.example.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.example.com
   Type:   dns
   Detail: DNS problem: query timed out looking up A forwww.example.com; 
   DNS problem: query timed out looking up AAAA for www.example.com

6. 生成证书

#  mkdir   -p    /etc/letsencrypt

# docker run -it --rm  -v  /etc/letsencrypt:/etc/letsencrypt   -v /usr/local/openresty/nginx/html:/usr/local/openresty/nginx/html  certbot/certbot:v1.11.0  certonly --webroot -w  /usr/local/openresty/nginx/html  -d  www.example.com  -m  123456789@qq.com   --agree-tos


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for www.example.com
Performing the following challenges:
http-01 challenge for www.example.com
Using the webroot path /usr/local/openresty/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: 123456789@qq.com).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.example.com/privkey.pem
   Your certificate will expire on 2023-12-28. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Let’s Encrypt需要验证网站的所有权才能颁发证书, 官方称之为challenge(挑战)。

生成证书期间,Certbot工具在nginx的web目录 /usr/local/openresty/nginx/html/ 下创建隐藏临时文件夹 .well-known/acme-challenge,生成一个临时随机字符串文件 CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI

Certbot 会让 Let’s Encrypt 通过公网访问 http://www.example.com/.well-known/acme-challenge/CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI 校验,如果文件内容对得上就签发。

证书签发完成后,Certbot 会删除该临时文件夹,所以如果要观察这个文件,需要在证书签发期间去cat一下。

#  cat /usr/local/openresty/nginx/html/.well-known/acme-challenge/CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI

CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI.sHK8K8we80hc978Nkuo1I8tCjj8VA3D87bVwb7Y8ZwM

7. 验证证书

# ll /etc/letsencrypt/live/www.example.com/
total 4.0K
lrwxrwxrwx 1 root root  41 Sep 29 09:55 cert.pem -> ../../archive/www.example.com/cert1.pem
lrwxrwxrwx 1 root root  42 Sep 29 09:55 chain.pem -> ../../archive/www.example.com/chain1.pem
lrwxrwxrwx 1 root root  46 Sep 29 09:55 fullchain.pem -> ../../archive/www.example.com/fullchain1.pem
lrwxrwxrwx 1 root root  44 Sep 29 09:55 privkey.pem -> ../../archive/www.example.com/privkey1.pem
-rw-r----- 1 root root 692 Sep 29 09:55 README

证书: /etc/letsencrypt/live/www.example.com/fullchain.pem
私钥: /etc/letsencrypt/live/www.example.com/privkey.pem

#  openssl   x509   -noout   -text  -in  /etc/letsencrypt/live/www.example.com/fullchain.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:bb:52:8d:5a:6f:03:cc:f1:06:12:75:b0:2f:1e:8a:e6:12
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Sep 29 00:55:29 2023 GMT
            Not After : Dec 28 00:55:28 2023 GMT
        Subject: CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:d4:38:10:96:f9:7a:ef:10:00:98:1d:a3:ed:
                    c8:96:71:60:02:ed:8d:32:99:0e:15:11:a4:14:e1:
                    32:c8:31:75:fa:90:b2:55:3e:c1:6a:2a:f6:3f:ac:
                    62:1b:f8:cc:0e:bc:4a:27:ea:94:2b:eb:78:49:d1:
                    f9:c4:5e:f0:12:7f:c5:95:0d:cc:31:b3:8e:f0:ec:
                    3e:55:b6:97:17:b0:0d:32:35:72:1a:82:87:4f:81:
                    a0:07:60:7b:b8:03:2e:75:e8:7a:3b:1d:69:40:04:
                    de:50:36:e8:49:b9:82:25:1d:30:3d:38:16:28:ad:
                    df:a3:c8:d1:80:a6:87:45:e9:6a:2c:75:5b:06:0f:
                    97:1e:15:d2:f9:c9:59:9a:9e:ee:5a:4f:bd:14:74:
                    36:d1:4b:47:0b:c5:8d:75:b7:e7:e0:53:28:41:1f:
                    b7:05:ae:2f:29:86:98:6f:75:64:e7:83:fd:ce:12:
                    e2:fc:12:5d:01:01:18:e6:74:1f:83:6a:58:21:01:
                    99:68:62:8c:29:82:7e:6e:ad:26:50:6b:5d:70:73:
                    21:5e:19:e1:0c:35:71:53:b7:de:21:66:6e:e4:d9:
                    32:5e:14:0c:24:2a:00:63:f9:8b:b7:84:12:28:1d:
                    90:99:4b:08:bc:82:f8:15:68:9d:64:09:ea:1f:bf:
                    97:3f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                9F:7A:1C:81:35:31:13:62:6E:F6:84:CB:5D:67:2A:41:A5:1C:6F:AC
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name:
                DNS:www.example.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
                                5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
                    Timestamp : Sep 29 01:55:29.732 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:04:02:FF:43:4D:F2:B4:EA:9F:A0:22:F7:
                                5A:C6:81:48:C2:A2:91:FE:5C:D7:3D:19:8D:6E:58:64:
                                06:20:6E:4C:02:21:00:E0:AB:A8:2F:FD:D6:58:E1:62:
                                6F:A6:94:F3:D8:5D:02:5E:52:1E:00:06:BD:58:B5:00:
                                F5:8A:C1:7C:EB:33:B5
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9:
                                03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E
                    Timestamp : Sep 29 01:55:29.706 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:CE:03:25:26:CF:0E:65:22:9B:9E:EF:
                                41:CE:6E:AD:EF:FE:B9:FB:66:4F:D9:0A:40:EE:A4:48:
                                C5:1D:2A:DD:98:02:20:55:84:8F:49:51:E7:47:B7:46:
                                A4:09:AB:C2:54:F1:65:79:67:C3:7F:DE:6B:9F:77:96:
                                CF:81:A4:0D:F1:A1:8F
    Signature Algorithm: sha256WithRSAEncryption
         2d:c1:21:8b:3e:68:d8:df:47:bd:2e:b9:50:ea:cb:23:8d:ba:
         ea:17:09:15:27:cb:74:6d:6b:83:9e:a8:19:e3:75:6a:e4:ac:
         d2:13:6c:a0:d7:b1:2f:63:f4:f4:6f:86:51:af:37:8f:04:63:
         7b:6b:df:93:87:56:a2:0a:1a:79:df:f5:9d:a8:2e:45:7f:83:
         3e:b7:d8:a5:5e:59:c3:27:b7:9f:59:24:bc:d5:22:05:db:84:
         8e:db:0f:c3:1b:50:d6:c2:3e:38:8c:6e:99:29:bf:42:f7:b2:
         52:36:91:58:6e:fc:cf:ef:dd:ef:45:4c:9c:b9:9e:bb:53:49:
         a1:98:7a:ce:3b:c2:dd:38:06:c5:45:06:74:1e:da:5b:30:43:
         1a:82:95:ff:2c:d0:aa:f2:96:a3:0d:50:90:d1:ec:2b:9e:a9:
         22:3a:0e:93:9a:5c:ce:4f:c8:74:e3:c0:37:cc:4d:6f:48:3f:
         aa:6e:11:2c:79:3b:ce:b9:30:13:78:96:e7:ce:89:c6:d4:63:
         7d:3a:97:83:97:f3:a6:f0:a5:46:6a:90:4e:cf:eb:c0:13:7e:
         a9:01:bd:a9:b8:e1:01:2f:21:84:6c:9b:0c:b3:48:9b:48:a9:
         5b:b6:e3:48:91:68:56:fa:3a:26:92:88:51:c8:a8:84:17:52:
         45:d9:77:6d

https://myssl.com/cert_decode.html

生成免费证书,ssl,ssl,https,网络协议

生成免费证书,ssl,ssl,https,网络协议

8. 参考

Linux上 基于x86 和 arm CPU架构安装 docker
https://www.jianshu.com/p/99373f14b990

CentOS7.x cerbot 安装使用
https://www.jianshu.com/p/735ed33feaa3文章来源地址https://www.toymoban.com/news/detail-717027.html

到了这里,关于【SSL】用Certbot生成免费HTTPS证书的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

  • 腾讯云免费SSL证书申请流程_每年免费50个HTTPS证书

    2023腾讯云免费SSL证书申请流程,一个腾讯云账号可以申请50张免费SSL证书,免费SSL证书为DV证书,仅支持单一域名,申请腾讯云免费SSL证书3分钟即可申请成功,免费SSL证书品牌为TrustAsia亚洲诚信,腾讯云百科分享腾讯云免费SSL证书申请流程,3分钟搞定: 目录 腾讯云免费SSL证

    2024年02月09日
    浏览(68)
  • 3分钟:腾讯云免费SSL证书申请教程_免费HTTPS证书50张

    2023腾讯云免费SSL证书申请流程,一个腾讯云账号可以申请50张免费SSL证书,免费SSL证书为DV证书,仅支持单一域名,申请腾讯云免费SSL证书3分钟即可申请成功,免费SSL证书品牌为TrustAsia亚洲诚信,腾讯云百科分享腾讯云免费SSL证书申请流程,3分钟搞定: 目录 腾讯云免费SSL证

    2024年02月10日
    浏览(79)
  • Https域名解析——腾讯云免费SSL证书申请流程

    最近购买了一台腾讯云服务器,采用腾讯免费域名解析,只是绑定成功http请求及www请求。网站地址为:http://kalehu.com https一直不能访问,一直以为腾讯云与阿里虚拟主机绑定一样,只需勾选一个选项,可以直接完成,后来发现思路是错误。服务器绑定https,需要申请SSL证书之

    2024年02月09日
    浏览(64)
  • http升级https图文,免费证书ssl下载安装

    登录数字证书管理服务控制台》点击 立即购买 (免费)》购买成功后》 创建证书 》 申请证书 》申请成功后》 下载证书 ***注意 **** 1.先登录阿里云官网 2.再访问该网址

    2024年02月12日
    浏览(170)
  • 七牛云如何配置免费 https 阿里云SSL证书

    七牛云注册链接:https://s.qiniu.com/yaQ3am 我之前有个项目是走的 https,这个项目作了一些印刷品,二维码的内容就是 https 的,后来为了适配七牛云的图片服务,就改成了 http。导致再扫二维码的时候都会提示不安全。 以 https 地址进入网站,网站却服务在 http 的时候,证书不匹

    2024年02月07日
    浏览(58)
  • certbot 申请免费SSL证书、自动续期

    Let’s Encrypt是证书颁发机构,Certbot是Let’s Encrypt的客户端,它们之间使用ACME协议通信,除了Certbot还有其他客户端,但官方推荐CertBot,Certbot是一个免费、开源的软件,它能自动从Let’s Encrypt下载证书、证书自动续期,支持nginx/tomcat,以往我们都从阿里云、腾讯云买证书,有

    2024年02月10日
    浏览(55)
  • Certbot免费的HTTPS证书

    一般的 SSL 安全证书签发服务都需要付费,且价格昂贵,不过为了加快推广 https 的普及, EEF 电子前哨基金会、 Mozilla 基金会和美国密歇根大学成立了一个公益组织叫 ISRG ( Internet Security Research Group ),这个组织从 2015 年开始推出了 Let’s Encrypt 免费证书。这个免费证书不仅

    2024年02月08日
    浏览(47)
  • 什么是HTTPS加密协议?HTTPS安全传输原理,SSL和TLS介绍,NGINX如何配置SSL证书

    HTTPS是超文本传输协议(HTTP)的安全版本。它使用SSL(安全套接层)或TLS(传输层安全)加密协议来保护数据传输的安全性和机密性,以防止未经授权的访问和窃听。HTTPS协议通常用于处理敏感信息,如在线支付或登录凭证等。可以通过URL的前缀来识别一个网站是否使用了H

    2024年02月03日
    浏览(60)
  • 为harbor仓库添加https,新增DigiCert 免费版SSL证书

     完成效果:   前言: 在本地搭建好docker的镜像仓库harbor后,当我们登录docker login时,会提示证书问题 x509: cannot validate certificate 登录本地报错X509 无法登录仓库也无法上传和拉取镜像,虽然有本机的解决方法,那就是在docker配置中增加 vim /usr/lib/systemd/system/docker.service ExecS

    2024年02月16日
    浏览(47)
  • IP SSL证书免费申请教程(给IP地址开启https)

    首先IP地址申请的前提:80端口有打开,或者可以短暂的打开10分钟左右等验证完IP管理权再关掉。 一:打开JoySSL官网选择IP地址证书并下单加入购物车,之后结账后就会跳转到证书申请界面。 二:填写需要申请证书的IP信息 三:填写单位信息,并提交CSR,JoySSL是自动给您生成

    2024年04月15日
    浏览(46)

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包