Preface
As our project moved forward, the boss decided that, to keep up with the times, every HTTP project in the group should be upgraded to HTTPS. I therefore studied and practised this area and kept a record of it at the same time.
Introduction
HTTP and HTTPS
HTTP (HyperText Transfer Protocol) defines how a browser requests resources from a server and how the server delivers those resources back to the browser. HTTP is a transaction-oriented application-layer protocol and the basis for reliable file exchange on the web. HTTP uses the connection-oriented TCP as its transport-layer protocol, which guarantees reliable delivery, so HTTP itself does not have to deal with loss and retransmission (note: the HTTP protocol itself is connectionless and stateless).

HTTPS (HTTP with security services) ensures that (1) the server the user talks to really belongs to the claimed service provider, (2) message content is not altered in transit, and (3) sensitive information is not eavesdropped on in transit. To provide these guarantees a transport-layer security protocol is needed; two are in wide use today:
- Secure Socket Layer (SSL)
- Transport Layer Security (TLS)
SSL sits between HTTP at the application layer and the transport layer on the end system: it builds a secure channel on top of TCP and protects the application-layer data carried over TCP. The IETF later standardized SSL 3.0 as the TLS protocol, which provides secure data transfer for all TCP-based network applications. (Note: SSL ought to be a transport-layer protocol, but in practice the applications that need secure transport, such as HTTP, host SSL inside the application layer, so the application layer is effectively enlarged.)

HTTP is the application-layer protocol that uses SSL most, but SSL is not limited to HTTP; it can be used with any application-layer protocol. When HTTP invokes SSL, the entire web page is encrypted. On the sending side, SSL receives application-layer data (an HTTP or IMAP message, for example) from the SSL socket, encrypts it, and passes the encrypted data to the TCP socket; on the receiving side, SSL reads data from the TCP socket, decrypts it, and hands it to the application layer through the SSL socket.
The security services SSL provides can be summarized as three:
- SSL server authentication, which lets the user verify the server's identity. An SSL-capable client validates the certificate presented by the server to confirm the server's real identity and obtain the server's public key
- SSL client authentication, an optional SSL service that lets the server verify the client's identity
- Encrypted SSL session, which encrypts all messages exchanged between client and server and detects whether a message has been tampered with

Let's Encrypt
Let's Encrypt, a public project that issues free SSL certificates, is steadily spreading among users. It was launched by people from Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organizations, mainly to push websites through the transition from HTTP to HTTPS, and more and more vendors are joining and sponsoring it.

Procedure
1. Install the Let's Encrypt client
yum install git python  # install git and python
git clone https://github.com/letsencrypt/letsencrypt  # clone the repository locally
2. Verify the installation
Run the client once with the following command. It will automatically check for updates and upgrade itself (whenever letsencrypt starts it checks for updates and upgrades, unless --no-self-upgrade is passed explicitly). If all goes well, the full help text is displayed. (In practice, after the upgrade letsencrypt often fails to run on certain systems and on certain cloud providers' machines, because of package-source and version-dependency problems.)
cd letsencrypt
./letsencrypt-auto --help all
3. Prove ownership of the domain and obtain a certificate
The authenticator plugins are used through the certonly command. Authentication confirms that you own the domain and obtains a certificate for it; the certificate is placed under /etc/letsencrypt/live/[domain] on the server that hosts the domain. If you authenticate several domains at once, they share a single certificate file.
./letsencrypt-auto certonly
Normally this opens an interactive prompt that asks for an e-mail address (used to notify you before the certificate expires) and for agreement to the terms of service:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): ********
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Validate the domain; choose option 3, file-based (webroot) validation:
Requesting to rerun ./letsencrypt-auto with root privileges...
[sudo] password for zfy:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): lilab.jysw.suda.edu.cn
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for lilab.jysw.suda.edu.cn
Input the webroot for lilab.jysw.suda.edu.cn: (Enter 'c' to cancel): /home/web/public/htdocs
Waiting for verification...
Cleaning up challenges
Validation succeeded and the certificate was issued:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/lilab.jysw.suda.edu.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/lilab.jysw.suda.edu.cn/privkey.pem
Your cert will expire on 2019-04-04. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
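The webroot option above passes the ACME http-01 challenge by serving a file from the site's document root. As an added illustration (not code from the page or from Certbot), the Python below builds that file's content, the token joined with the RFC 7638 thumbprint of the account key, writes it where the webroot plugin would, and checks it the way the CA does; the JWK and token are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json
import os
import tempfile

# Constructed sample values, not from the page: a toy RSA account JWK (the modulus is
# a placeholder string, not a real key) and a token shaped like one the CA would issue.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-placeholder-modulus"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects at http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Write the key authorization where the webroot plugin puts it; returns the path."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path

def served_body_is_valid(body: str, token: str, jwk: dict) -> bool:
    """The CA's check: trailing whitespace is ignored, anything else must match exactly."""
    return body.rstrip() == key_authorization(token, jwk)

def round_trip() -> bool:
    """Place the file in a temporary webroot and validate it as the CA would."""
    with tempfile.TemporaryDirectory() as webroot:
        path = place_challenge(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        with open(path, encoding="ascii") as fh:
            return served_body_is_valid(fh.read(), SAMPLE_TOKEN, SAMPLE_JWK)

if __name__ == "__main__":
    print("challenge file valid:", round_trip())
```

The usual reason webroot validation fails is that the path you enter is not the directory the web server actually serves for the domain, so the CA's request for /.well-known/acme-challenge/<token> returns 404 or a different body.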
4. Install the certificate (nginx)
./letsencrypt-auto install --nginx --nginx-server-root <nginx conf path> --nginx-ctl <nginx binary path>
Once the certificate has been issued, you are asked whether to redirect all HTTP requests to HTTPS (enter 1 or 2). With option 1 the site stays reachable over both HTTP and HTTPS. With option 2 every request arriving over HTTP is redirected to HTTPS with a 301.
Requesting to rerun ./letsencrypt-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator None, Installer nginx
Which certificate would you like to install?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: lilab.jysw.suda.edu.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Deploying Certificate to VirtualHost /usr/local/nginx/conf/nginx.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
The resulting nginx configuration looks like this:
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /etc/letsencrypt/live/lilab.jysw.suda.edu.cn/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/lilab.jysw.suda.edu.cn/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    # The four directives below are already set by the included options-ssl-nginx.conf;
    # repeating them in the same server block makes nginx reject the configuration as
    # duplicate, so they are left commented out here.
    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 5m;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;
    location / {
        root /home/web/htdocs;
        index index.html index.htm;
    }
}
Installation succeeded.

5. Certificate management
- List the certificates letsencrypt has obtained on this server
./letsencrypt-auto certificates
Output:
Found the following certs:
Certificate Name: lilab.jysw.suda.edu.cn
Domains: lilab.jysw.suda.edu.cn
Expiry Date: 2019-04-04 00:39:44+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/lilab.jysw.suda.edu.cn/fullchain.pem
Private Key Path: /etc/letsencrypt/live/lilab.jysw.suda.edu.cn/privkey.pem
- Basic operations
Use --cert-name to select a certificate by name and run a subcommand against it; the available subcommands are run, certonly, certificates, renew and delete. The subcommand comes first, followed by the option:
./letsencrypt-auto <subcommand> --cert-name <name>  # <subcommand> is one of the five below
run: obtain and install a certificate
certonly: obtain a certificate only
certificates: show the certificates whose name matches --cert-name
renew: renew certificates that are close to expiry
delete: delete a certificate
- Renewing certificates
Renewal is done with the renew subcommand. renew finds every certificate on this machine, checks its expiry date, and renews only those with fewer than 30 days of validity left. A certificate that does not need renewal causes no communication with the Let's Encrypt server, so renew can be run frequently without being affected by the Let's Encrypt server's rate limits. For the same reason, a crontab entry can run renew regularly and make sure certificates never expire.
./letsencrypt-auto renew
Set up a scheduled task:
crontab -e
# Runs every day at 03:00. renew checks whether any certificate on the server expires
# within the next 30 days and renews it if so. cron does not start in the checkout
# directory, so use the absolute path to letsencrypt-auto (placeholder path below);
# --no-self-upgrade is optional and avoids the self-upgrade breakage mentioned in step 2.
0 3 * * * /path/to/letsencrypt/letsencrypt-auto renew --no-self-upgrade
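As an added example (not code from the page or from Certbot), the Python below applies renew's 30-day rule to a listing modelled on the certificates output above, which is handy for checking from a monitoring job that the cron entry is actually keeping certificates fresh. The first entry copies the page's certificate; the second entry, example.invalid, and the "now" dates are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed listing modelled on the `letsencrypt-auto certificates` output above.
# The first entry copies the page; the second (example.invalid) is made up to show
# a certificate that is already inside the renewal window.
SAMPLE_LISTING = """\
Found the following certs:
  Certificate Name: lilab.jysw.suda.edu.cn
    Domains: lilab.jysw.suda.edu.cn
    Expiry Date: 2019-04-04 00:39:44+00:00 (VALID: 89 days)
  Certificate Name: example.invalid
    Domains: example.invalid www.example.invalid
    Expiry Date: 2019-01-20 12:00:00+00:00 (VALID: 15 days)
"""

RENEW_WINDOW = timedelta(days=30)  # renew acts only when less than this remains
NAME_RE = re.compile(r"^\s*Certificate Name:\s*(\S+)")
EXPIRY_RE = re.compile(r"^\s*Expiry Date:\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[+-]\d\d:\d\d)")

def parse_listing(listing: str) -> dict:
    """Map certificate name -> timezone-aware expiry datetime."""
    expiries, name = {}, None
    for line in listing.splitlines():
        m = NAME_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = EXPIRY_RE.match(line)
        if m and name:
            expiries[name] = datetime.fromisoformat(m.group(1))
    return expiries

def renewal_status(listing: str, now_iso: str) -> dict:
    """Classify each certificate as renew would on the given date (ISO 8601 with offset)."""
    now = datetime.fromisoformat(now_iso)
    status = {}
    for name, expiry in parse_listing(listing).items():
        remaining = expiry - now
        if remaining <= timedelta(0):
            status[name] = "expired"
        elif remaining < RENEW_WINDOW:
            status[name] = "renew"
        else:
            status[name] = "skip"
    return status

if __name__ == "__main__":
    print(renewal_status(SAMPLE_LISTING, "2019-01-05 00:00:00+00:00"))
```

Any certificate reported as "expired" means the cron job did not run or renew failed; check /var/log/letsencrypt/letsencrypt.log.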
References
- 《計(jì)算機(jī)網(wǎng)絡(luò)》 (Computer Networks), Xie Xiren
- HTTPS on Nginx with a free Let's Encrypt certificate
- A simple tutorial for the HTTPS certificate tool Letsencrypt