A secure HTTPS deployment depends on a trusted CA (certificate authority).
What is the difference between an SSL certificate and a CA digital certificate?
SSL certificates and CA certificates stand in a subordinate relationship: an SSL certificate is one of the many kinds of certificate a CA issues. A CA is the organization that manages digital certificates; an SSL certificate is one kind of digital certificate, and it is issued by a CA. Since a CA issues many kinds of certificate, all of which are called CA certificates, an SSL certificate is just one of them.
- The main functions of an SSL certificate and a CA digital certificate are the same: encrypted data transmission and server authentication.
For individuals or organizations with a limited budget, how can you obtain a CA certificate for free and put a website on HTTPS?
- Apply through a cloud provider. Domestic providers such as Alibaba Cloud and Tencent Cloud offer free SSL certificates, provided you have a domain that has completed ICP filing. Overseas providers such as AWS, Google Cloud and Microsoft Azure also offer free SSL certificates and server deployment tools.
- Free CAs. Some CAs issue certificates for free, for example Let's Encrypt.
Let's Encrypt official documentation: https://letsencrypt.org/zh-cn/docs/
1 Download and install an ACME client
ACME is the protocol used to talk to Let's Encrypt's servers. The officially recommended client is Certbot.
Certbot repository: https://github.com/certbot/certbot
Certbot installation docs: https://eff-certbot.readthedocs.io/en/latest/install.html#
Certbot website (for reference only): https://certbot.eff.org/
For more ACME clients, see the official documentation: https://letsencrypt.org/zh-cn/docs/client-options/
Ubuntu
Install snap first.
Installation docs: https://snapcraft.io/docs/installing-snap-on-ubuntu
Environment: ubuntu:18.04
Installing the certificate into nginx: https://certbot.eff.org/instructions?ws=nginx&os=ubuntubionic
# Remove any existing certbot packages
sudo apt-get remove certbot
# Install Certbot
sudo snap install --classic certbot
Windows
Latest Certbot release: https://github.com/certbot/certbot/releases/latest/download/certbot-beta-installer-win_amd64_signed.exe
2 Requesting a certificate
2.1 Issuing the request from the command line
Certbot command-line reference (official docs): https://eff-certbot.readthedocs.io/en/latest/using.html
sudo certbot certonly -d "*.yourdomain.com" -d yourdomain.com \
--manual --preferred-challenges dns-01 \
--server https://acme-v02.api.letsencrypt.org/directory
- certonly: obtain the certificate only, without installing it
- -d: the domain name
- --manual: required when using the manual plugin
- --preferred-challenges: how ownership of the domain is validated. Certbot's default should be http-01, which is more convenient; because ports 80 and 443 on the server in this article are restricted, dns-01 was chosen. Official introduction to the challenge types: https://letsencrypt.org/zh-cn/docs/challenge-types/
- --server: the ACME API endpoint (the URL that accepts certificate requests). About the API URL: https://letsencrypt.org/zh-cn/docs/acme-protocol-updates/
Registering an account
The first time you request a certificate, the registration flow runs automatically. Enter an email address when prompted (your_email; Certbot will later send notices to this address) and agree to the terms of service.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): you_email@qq.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for *.ragnar.website and www.ragnar.website
2.2 Domain validation
With http-01, as long as port 80 on the server is reachable, validation completes automatically and proves control of the domain to Let's Encrypt.
With dns-01, you need to create a DNS TXT record according to the prompt returned on the command line, which looks like this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.yourdomain.com and yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.yourdomain.com.
with the following value:
zNdzJb5MdEum7xeRdUlvSrUa-E_lTxB0pM9SNUChla4
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.vikingblog.top.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Open your domain management console and add the following record:
PS: wait until the record has propagated before pressing Enter on the command line.
How to confirm the record has propagated?
nslookup -q=TXT _acme-challenge.yourdomain.com
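The propagation check above, turned into a small polling helper. This is an added example, not code from the original post or from Certbot: `txt_has_values` inspects captured nslookup output, `wait_for_txt` keeps querying a public resolver (1.1.1.1 is an assumption) until every expected value is visible. A request for both `*.yourdomain.com` and `yourdomain.com` produces two values under the same `_acme-challenge` name, so all of them must be present at once; the tokens in the usage line are constructed placeholders.

```shell
# Added example, not from the original post: check that the _acme-challenge
# TXT record(s) Certbot asked for are visible in public DNS before pressing Enter.

# txt_has_values OUTPUT TOKEN...
# OUTPUT is the text captured from `nslookup -q=TXT NAME`; returns 0 only if
# each TOKEN appears as a complete, double-quoted TXT string in it.
txt_has_values() {
    output=$1
    shift
    for token in "$@"; do
        # nslookup prints each TXT string in double quotes; matching the quotes
        # too rejects a stale record whose value merely contains the token.
        printf '%s\n' "$output" | grep -Fq "\"$token\"" || return 1
    done
    return 0
}

# wait_for_txt NAME TIMEOUT_SECONDS TOKEN...
# Polls a public resolver (1.1.1.1 is an assumption; any recursive resolver
# works) until all tokens are visible or the timeout elapses. Asking a public
# resolver directly avoids a stale negative answer cached by the local one.
wait_for_txt() {
    name=$1
    timeout=$2
    shift 2
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        answer=$(nslookup -q=TXT "$name" 1.1.1.1 2>/dev/null || true)
        if txt_has_values "$answer" "$@"; then
            echo "all TXT values for $name are visible; press Enter in Certbot now"
            return 0
        fi
        sleep 10
        elapsed=$((elapsed + 10))
    done
    echo "timed out after ${timeout}s waiting for $name" >&2
    return 1
}

# Example call with constructed placeholder tokens (wildcard + apex request):
# wait_for_txt _acme-challenge.yourdomain.com 600 TOKEN-FOR-WILDCARD TOKEN-FOR-APEX
```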
2.3 Where the certificate is saved
After the steps above you finally have a certificate from a trusted CA. Certbot saves it automatically under /etc/letsencrypt/live/, like this:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/yourdomain.com/privkey.pem
This certificate expires on 2024-03-11.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- fullchain.pem is the certificate
- privkey.pem is the private key
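Because the Certbot output above says a --manual certificate will not be renewed automatically, a few checks on the saved files are worth running from cron. This is an added example, not code from the original post or from Certbot; it relies only on the openssl and stat command-line tools, and the directory path is a parameter (the usage line uses the page's placeholder domain).

```shell
# Added example, not from the original post: sanity checks on the files Certbot
# wrote under /etc/letsencrypt/live/<domain>/.

# key_matches_cert CERT KEY -> 0 if KEY is the private key for CERT.
# Both commands emit the SubjectPublicKeyInfo as PEM, so the comparison works
# for RSA and ECDSA keys alike; 2 means a file could not be parsed.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# needs_renewal CERT [DAYS] -> 0 if CERT expires within DAYS (default 30, the
# window Certbot itself uses for renewals), 1 if it is still good.
needs_renewal() {
    days=${2:-30}
    if openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1   # -checkend exits 0 when the certificate outlives the window
    fi
    return 0
}

# private_key_is_protected KEY -> 0 if group and other have no access to KEY.
# Tries GNU stat first, then BSD stat.
private_key_is_protected() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_live_dir DIR -> 0 if fullchain.pem and privkey.pem in DIR pass every check.
check_live_dir() {
    dir=$1
    status=0
    key_matches_cert "$dir/fullchain.pem" "$dir/privkey.pem" || { echo "private key does not match certificate"; status=1; }
    private_key_is_protected "$dir/privkey.pem" || { echo "privkey.pem is readable by group/other"; status=1; }
    if needs_renewal "$dir/fullchain.pem"; then
        echo "certificate expires within 30 days: repeat the certbot certonly command"
        status=1
    fi
    return $status
}

# Usage: check_live_dir /etc/letsencrypt/live/yourdomain.com
```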
References
- What is the difference between an SSL certificate and a CA digital certificate? https://zhuanlan.zhihu.com/p/354620755
- Using certbot to obtain a wildcard certificate and renew it automatically https://blog.csdn.net/qq_36840228/article/details/121038844
Note: this article belongs to its author and may not be reproduced without permission.