
Making a free HTTPS certificate

Author: Kaishen2018 | Published 2020-06-27 17:34

    Background

    We have recently been preparing a WeChat mini-program, and a classmate reported that WeChat's production environment enforces HTTPS; otherwise the backend HTTP interfaces can only be reached in development or debug mode. So I thought of making my own HTTPS certificate: after a quick search, commercial HTTPS certificates turned out to be too expensive, and our current project is only for learning.

    Solution

    After looking at the free options people commonly use, I decided on Let's Encrypt.

    Procedure

    The overall process is fairly simple:

    • Download the command package (certbot-auto)

    • Run the certificate-generation command

    • Other matters

      • How to renew an expired certificate
      • Turning off Let's Encrypt's automatic renewal feature
    • Installation steps

    Prerequisites
    Open port 443
    Stop nginx
    
    1. Get the script
    wget https://dl.eff.org/certbot-auto
    
    2. Make it executable
    sudo chmod a+x ./certbot-auto
    
    3. Run the certbot command to generate the certificate
    ./certbot-auto certonly -d "*.zmbh.cn" -d "zmbh.cn"  --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory
    
    • Example run
    [root@mail2 letencrypt]# ./certbot-auto certonly -d "*.irain.top" -d "irain.top"  --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory 
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Enter email address (used for urgent renewal and security notices)
     (Enter 'c' to cancel): ywkmc@163.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel: A  
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about our work
    encrypting the web, EFF news, campaigns, and ways to support digital freedom.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: Y
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for irain.top
    dns-01 challenge for irain.top
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.irain.top with the following value:
    
    hDZlXuW70kvKyS54X3OrZScl472hiQDy1SULUgZ1Uuw
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.irain.top with the following value:
    
    o-q1huwpSYax0_dCmaeLdVDvVZfDG_91690BfLubD6s
    
    Before continuing, verify the record is deployed.
    (This must be set up in addition to the previous challenges; do not remove,
    replace, or undo the previous challenge tasks yet. Note that you might be
    asked to create multiple distinct TXT records with the same name. This is
    permitted by DNS standards.)
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/irain.top/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/irain.top/privkey.pem
       Your cert will expire on 2020-09-25. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again. To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
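    The transcript above stops twice at "Before continuing, verify the record is deployed." and, for the wildcard plus apex request, asks for two different TXT values under the same _acme-challenge name. The following POSIX shell helper is an added example (mine, not part of the original post or of certbot): it looks up the _acme-challenge TXT name with dig and checks that the exact token certbot printed is among the answers, so Enter is only pressed once public DNS actually serves the record. The resolver address 1.1.1.1, the function names and the polling defaults are my own assumptions; the token values in the usage note are the ones shown in the transcript.

```shell
#!/bin/sh
# Added example: confirm that the ACME dns-01 TXT record certbot asked for is
# visible in public DNS before pressing Enter in the manual flow.
# Assumptions (not from the original post): dig is installed, and the record
# is checked through a public resolver (1.1.1.1) rather than the local cache.

# Raw TXT lookup. Kept as its own function so it can be pointed at your own
# authoritative name server, or replaced by a stub when testing offline.
acme_query_txt() {
    dig +short TXT "$1" @1.1.1.1
}

# txt_contains EXPECTED DIG_OUTPUT
# dig prints each TXT record as a quoted string on its own line. Strip the
# quotes and require a whole-line match, so a record that merely contains
# the token as a substring does not count as deployed.
txt_contains() {
    printf '%s\n' "$2" | tr -d '"' | grep -Fxq -e "$1"
}

# acme_txt_deployed DOMAIN TOKEN
# Returns 0 when _acme-challenge.DOMAIN serves TOKEN. Several TXT records
# under the same name (one per challenge, as certbot's note in the transcript
# says is permitted) are fine: any matching line satisfies the check.
acme_txt_deployed() {
    txt_contains "$2" "$(acme_query_txt "_acme-challenge.$1")"
}

# wait_for_acme_txt DOMAIN TOKEN [ATTEMPTS] [SLEEP_SECONDS]
# Polls until the record is visible or the attempts are exhausted, to absorb
# the propagation delay of the DNS provider's control panel.
wait_for_acme_txt() {
    attempts="${3:-12}"
    delay="${4:-10}"
    while [ "$attempts" -gt 0 ]; do
        if acme_txt_deployed "$1" "$2"; then
            echo "TXT record for _acme-challenge.$1 is live" >&2
            return 0
        fi
        attempts=$((attempts - 1))
        sleep "$delay"
    done
    echo "TXT record for _acme-challenge.$1 not seen; do not continue yet" >&2
    return 1
}
```

    Source the file in a second terminal while certbot is waiting and run, for the first prompt in the transcript, `wait_for_acme_txt irain.top hDZlXuW70kvKyS54X3OrZScl472hiQDy1SULUgZ1Uuw`; the second prompt uses the token o-q1huwpSYax0_dCmaeLdVDvVZfDG_91690BfLubD6s under the same name, so check that one too (without removing the first record) before pressing Enter again.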
    

    Summary

    • After installation, the paths of the certificate and of the private key, and the expiry date, are all shown in the final output (the IMPORTANT NOTES block at the end of the run above); be sure to renew the certificate in time.
    • Use NGINX to test HTTPS; example nginx configuration:
    #user  nobody;
    worker_processes  1;
    
    #error_log  logs/error.log;
    #error_log  logs/error.log  notice;
    #error_log  logs/error.log  info;
    
    #pid        logs/nginx.pid;
    
    
    events {
        worker_connections  1024;
    }
    
    
    http {
        include       mime.types;
        default_type  application/octet-stream;
    
        #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
        #                  '$status $body_bytes_sent "$http_referer" '
        #                  '"$http_user_agent" "$http_x_forwarded_for"';
    
        #access_log  logs/access.log  main;
    
        sendfile        on;
        #tcp_nopush     on;
    
        #keepalive_timeout  0;
        keepalive_timeout  65;
    
        #gzip  on;
        # HTTPS server
        #
        server {
           listen       443 ssl;
           server_name  www.irain.top;
    
           ssl_certificate      /etc/letsencrypt/live/irain.top/fullchain.pem;
           ssl_certificate_key  /etc/letsencrypt/live/irain.top/privkey.pem;
    
           ssl_session_cache    shared:SSL:1m;
           ssl_session_timeout  5m;
    
           ssl_ciphers  HIGH:!aNULL:!MD5;
           ssl_prefer_server_ciphers  on;
    
           location / {
               root   html;
               index  index.html index.htm;
           }
        }
    }
    
    • Custom cron job to renew the certificate on a schedule
    crontab -e
    # Renew the certificate on the evening of the 1st of every month
    59 23 1 * * /root/letencrypt/certbot-auto renew --renew-hook "/usr/local/nginx/sbin/nginx -s reload"
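    The crontab entry above reloads nginx without first checking its configuration, and nothing tells you when a renewal has been failing silently until the certificate expires. The following POSIX shell script is an added example (mine, not the post's or certbot's): a renew hook that runs nginx -t before nginx -s reload so that a broken configuration cannot take the site down, and a check that reports whether a certificate file expires within a given number of days using openssl x509 -checkend. The nginx and certbot-auto paths are taken from the crontab line, the certificate path from certbot's output above; the function names, the script's own path and the 14-day warning threshold are my own assumptions.

```shell
#!/bin/sh
# Added example: renewal helpers for the cron job in the post.
# Assumptions (not from the original post): openssl is installed, nginx and
# certbot-auto live where the crontab line puts them; all paths can be
# overridden through the environment.
NGINX_BIN="${NGINX_BIN:-/usr/local/nginx/sbin/nginx}"
CERT_FILE="${CERT_FILE:-/etc/letsencrypt/live/irain.top/fullchain.pem}"

# cert_expires_within CERT_PEM DAYS
# Returns 0 if the certificate's notAfter falls within DAYS from now.
# "openssl x509 -checkend N" exits 0 when the certificate is still valid N
# seconds from now, so its result is inverted here.
cert_expires_within() {
    seconds=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# warn_if_expiring CERT_PEM DAYS
# Meant for a daily cron entry. Let's Encrypt certificates last 90 days
# (issued 2020-06-27, expiring 2020-09-25 in the transcript) and certbot
# renews within the last 30 days, so a certificate inside a 14-day window
# means the monthly renewal has been failing and needs attention.
warn_if_expiring() {
    if cert_expires_within "$1" "$2"; then
        echo "WARNING: $1 expires within $2 days; check certbot-auto renew output" >&2
        return 1
    fi
    return 0
}

# reload_nginx_safely
# Validates the configuration before reloading. A reload with a broken config
# fails in a way cron only reports as a terse mail, leaving nginx on the old
# certificate; refusing to reload keeps the failure visible and harmless.
reload_nginx_safely() {
    if "$NGINX_BIN" -t >/dev/null 2>&1; then
        "$NGINX_BIN" -s reload
    else
        echo "nginx configuration test failed; not reloading" >&2
        return 1
    fi
}

# Command dispatch: "hook" is called by certbot after a successful renewal,
# "check [DAYS]" is run daily from cron. No argument does nothing, so the
# functions can also be sourced from another script.
case "${1:-}" in
    hook)  reload_nginx_safely ;;
    check) warn_if_expiring "$CERT_FILE" "${2:-14}" ;;
esac
```

    Saved as /root/letencrypt/renew-helper.sh (an assumed path), the crontab line becomes `59 23 1 * * /root/letencrypt/certbot-auto renew --renew-hook "/bin/sh /root/letencrypt/renew-helper.sh hook"`, and a second daily entry such as `0 8 * * * /bin/sh /root/letencrypt/renew-helper.sh check 14` turns a stuck renewal into a non-zero exit and a stderr line that cron mails to root.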
    

    Update

    During the later automatic renewals I ran into several problems, which I am noting here as a supplement.


    Original article: https://www.haomeiwen.com/subject/exxvfktx.html