Obtaining certificates automatically with ACME
Why obtain a certificate
A certificate, as far as my shallow understanding goes, is used for encrypted communication on the internet and effectively protects personal privacy.
The commonly used HTTP and FTP protocols transmit everything in plaintext; while you use services built on them, every network device along the path can see information such as usernames, passwords and the content being accessed.
So, for the sake of safe browsing, and to give ill-intentioned people no opening.
What a certificate is
What people usually call a certificate is, in full, a digital certificate. It involves three parts: the certificate authority, the public key and the private key.
The following is rather dry; skip it if you like:
Certificate authority
Quoting Wikipedia: it issues a digital certificate to every user of a public key; the digital certificate's role is to prove that the user listed in the certificate legitimately holds the public key listed in it. The CA's digital signature prevents attackers from forging or tampering with the certificate. It is responsible for generating, distributing and managing the digital certificates needed by every party taking part in online transactions, and is therefore the core link in secure electronic transactions. In SET transactions, the CA issues certificates not only to cardholders and merchants but also to the acquiring bank and the payment gateway.
In short: it guarantees that the public key is authentic and valid.
Public key and private key
Public key: the key that is made public
Private key: the key that is kept private
Public and private keys come in pairs and form asymmetric encryption: information encrypted with the public key can only be opened with the private key, and information encrypted with the private key can only be opened with the public key.
Digital certificate
Contents: the public key endorsed by the certificate authority, information about the issuing authority, company information, the domain name, the validity period....
How a certificate is used to encrypt transmitted data
Taking SSL/TLS, the most common form of encryption on the internet, as the example, certificate-based encryption makes full use of the security of asymmetric encryption and the efficiency of symmetric encryption:
1. Agree on the TLS version and cipher
a. Client —"TLS versions and cipher suites the client supports + random string A"—> Server
b. Client <—"TLS version and cipher suite chosen by the server + digital certificate (containing the public key) + random string B"— Server
2. Generate the symmetric KEY
c. Client (verifies the digital certificate and extracts the public key) —"random string C encrypted with the public key"—> Server (decrypts with the private key to obtain random string C)
d. Server and client both generate the same symmetric KEY, computed as: random string A + random string B + random string C, run through the same algorithm
3. Establish the secure channel
e. Client —"finished signal encrypted with KEY"—> Server
f. Client <—"finished signal encrypted with KEY"— Server
g. Client <—secure communication using symmetric encryption under KEY—> Server
- Steps a and b above are sent in plaintext; from step c onward, asymmetric encryption is used.
- Why not perform the public-key request step right at the start and only then transmit data? Wouldn't that be more secure?
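The exchange in steps a to g, as an added illustration that is not code from the original post: it models the flow with the openssl CLI, where a self-signed certificate stands in for a CA-issued one and KEY = SHA-256(A || B || C) stands in for the real TLS key schedule.

```shell
#!/bin/sh
# Added illustration of steps a-g above, not code from the original post. It models the
# exchange with the openssl CLI: a self-signed certificate stands in for the CA-issued one,
# and KEY = SHA-256(A || B || C) stands in for the real TLS key schedule.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Server: a private key plus a certificate carrying the matching public key.
make_server_identity() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
  openssl req -new -x509 -key "$WORK/server.key" -subj "/CN=example.test" -days 1 \
    -out "$WORK/server.crt" 2>/dev/null
}

# Step d, run independently on both sides: KEY from A, B and C with the same algorithm.
derive_key() {
  printf '%s%s%s' "$1" "$2" "$3" | openssl dgst -sha256 | awk '{print $NF}'
}

# Steps e/f: the "finished" signal protected with KEY (an HMAC over a label here).
finished_mac() {
  printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

handshake() {
  make_server_identity
  A=$(openssl rand -hex 16)          # step a: client random, sent in the clear
  B=$(openssl rand -hex 16)          # step b: server random + certificate, in the clear
  # Step c: the client verifies the certificate (here against itself, as it is self-signed),
  # takes the public key out of it and encrypts C so only the private key can recover it.
  openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
  openssl x509 -in "$WORK/server.crt" -noout -pubkey > "$WORK/server.pub"
  C=$(openssl rand -hex 16)
  printf '%s' "$C" > "$WORK/c.txt"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" -in "$WORK/c.txt" -out "$WORK/c.enc"
  C_SERVER=$(openssl pkeyutl -decrypt -inkey "$WORK/server.key" -in "$WORK/c.enc")
  KEY_CLIENT=$(derive_key "$A" "$B" "$C")
  KEY_SERVER=$(derive_key "$A" "$B" "$C_SERVER")
  # Steps e/f: each side checks the other's finished signal under its own KEY.
  [ "$(finished_mac "$KEY_CLIENT" client-finished)" = "$(finished_mac "$KEY_SERVER" client-finished)" ] || return 1
  [ "$(finished_mac "$KEY_SERVER" server-finished)" = "$(finished_mac "$KEY_CLIENT" server-finished)" ] || return 1
  [ "$KEY_CLIENT" = "$KEY_SERVER" ] && echo ok   # step g: both sides now hold the same KEY
}

handshake
```

Anyone on the path sees A and B and the encrypted C, but without the server's private key cannot recover C, and so cannot compute KEY.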
How to obtain a certificate
The ways I know of to obtain a certificate:
- Apply for and download one from your domain hosting provider; these are usually valid for one year and are a paid add-on service.
- Act as your own certificate authority and issue certificates yourself.
- Use a script to apply for a certificate; this allows automatic renewal.
This article demonstrates obtaining a Let's Encrypt certificate with ACME.
Obtaining a certificate manually with ACME
Install and enable the acme.sh script
apt install -y curl && curl https://get.acme.sh | sh && source ~/.bashrc
Switch the certificate authority
acme.sh --set-default-ca --server letsencrypt
Issue a certificate
acme.sh --issue -d <domain> --standalone
Check whether issuance succeeded
ls -al ~/.acme.sh
Install the certificate
acme.sh --install-cert -d <domain> \
--key-file <path and name for the private key> \
--fullchain-file <path and name for the certificate>
Different applications need different certificate files:
- --cert-file <file>
  cert.pem: the server certificate
- --key-file <file>
  privkey.pem: the certificate's private key
- --ca-file <file>
  ca.pem: the issuer's (intermediate) certificate
- --fullchain-file <file>
  fullchain.pem: the contents of cert.pem followed by chain.pem
  chain.pem: all the certificates a browser needs, such as the root and intermediate certificates, but not the server certificate
Enable automatic upgrades of acme.sh
This avoids the awkward situation where a change at the Let's Encrypt CA leaves your own certificate unable to renew.
acme.sh --upgrade --auto-upgrade
Set up automatic certificate renewal
Create a scheduled task
crontab -e
Enter the command to run automatically: reinstall the certificate at 01:00 on the 1st of every month (cron does not load the shell alias, so the script is called by its full path under the acme.sh home directory):
0 1 1 * * "$HOME/.acme.sh/acme.sh" --install-cert -d <domain> --key-file <path and name for the private key> --fullchain-file <path and name for the certificate>
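A check worth running after --install-cert, and before the service reload in a --reloadcmd, to confirm that the installed files belong together and are still valid. This is an added script, not part of the original post or of acme.sh; the key path, fullchain path and domain passed to verify_install are placeholders for the values used in --key-file, --fullchain-file and -d.

```shell
#!/bin/sh
# Added verification script; it is not from the original post or from acme.sh.
# Run it after --install-cert (or before the reload in --reloadcmd) to confirm the
# installed files belong together and are still valid. Arguments are placeholders for
# the paths and name you passed to --key-file, --fullchain-file and -d.
set -eu

# The private key and the first certificate in the chain must carry the same public key.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Leaf certificate still valid for at least $2 days (acme.sh renews after 60 days by default).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# The leaf certificate must actually be issued for the domain being served.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# A fullchain file should hold the server certificate plus at least one intermediate.
chain_length() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# usage: verify_install KEY_FILE FULLCHAIN_FILE DOMAIN MIN_DAYS
verify_install() {
  key_matches_cert "$1" "$2"       || { echo "key $1 does not match certificate $2" >&2; return 1; }
  cert_valid_for_days "$2" "$4"    || { echo "certificate $2 expires within $4 days" >&2; return 1; }
  cert_covers_host "$2" "$3"       || { echo "certificate $2 is not issued for $3" >&2; return 1; }
  [ "$(chain_length "$2")" -ge 2 ] || echo "warning: $2 contains no intermediate certificate" >&2
  echo "ok: $2 matches $1, covers $3, valid for at least $4 days"
}

# Example call with placeholder paths (replace with the ones from --install-cert):
# verify_install /etc/ssl/private/<domain>.key /etc/ssl/certs/<domain>-fullchain.pem <domain> 30
```

The chain-length warning is deliberately non-fatal: a missing intermediate is what makes browsers show the site as untrusted while openssl on the server still reports the leaf as fine.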
Appendix: acme.sh command reference
https://github.com/acmesh-official/acme.sh
v3.0.2
Usage: acme.sh <command> ... [parameters ...]
Commands:
-h, --help Show this help message.
-v, --version Show version info.
--install Install acme.sh to your system.
--uninstall Uninstall acme.sh, and uninstall the cron job.
--upgrade Upgrade acme.sh to the latest code from https://github.com/acmesh-official/acme.sh.
--issue Issue a cert.
--deploy Deploy the cert to your server.
-i, --install-cert Install the issued cert to apache/nginx or any other server.
-r, --renew Renew a cert.
--renew-all Renew all the certs.
--revoke Revoke a cert.
--remove Remove the cert from list of certs known to acme.sh.
--list List all the certs.
--info Show the acme.sh configs, or the configs for a domain with [-d domain] parameter.
--to-pkcs12 Export the certificate and key to a pfx file.
--to-pkcs8 Convert to pkcs8 format.
--sign-csr Issue a cert from an existing csr.
--show-csr Show the content of a csr.
-ccr, --create-csr Create CSR, professional use.
--create-domain-key Create an domain private key, professional use.
--update-account Update account info.
--register-account Register account key.
--deactivate-account Deactivate the account.
--create-account-key Create an account private key, professional use.
--install-cronjob Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
--uninstall-cronjob Uninstall the cron job. The 'uninstall' command can do this automatically.
--cron Run cron job to renew all the certs.
--set-notify Set the cron notification hook, level or mode.
--deactivate Deactivate the domain authz, professional use.
--set-default-ca Used with '--server', Set the default CA to use.
See: https://github.com/acmesh-official/acme.sh/wiki/Server
--set-default-chain Set the default preferred chain for a CA.
See: https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain
Parameters:
-d, --domain <domain.tld> Specifies a domain, used to issue, renew or revoke etc.
--challenge-alias <domain.tld> The challenge domain alias for DNS alias mode.
See: https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode
--domain-alias <domain.tld> The domain alias for DNS alias mode.
See: https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode
--preferred-chain <chain> If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
If no match, the default offered chain will be used. (default: empty)
See: https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain
-f, --force Force install, force cert renewal or override sudo restrictions.
--staging, --test Use staging server, for testing.
--debug [0|1|2|3] Output debug info. Defaults to 1 if argument is omitted.
--output-insecure Output all the sensitive messages.
By default all the credentials/sensitive messages are hidden from the output/debug/log for security.
-w, --webroot <directory> Specifies the web root folder for web root mode.
--standalone Use standalone mode.
--alpn Use standalone alpn mode.
--stateless Use stateless mode.
See: https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode
--apache Use apache mode.
--dns [dns_hook] Use dns manual mode or dns api. Defaults to manual mode when argument is omitted.
See: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
--dnssleep <seconds> The time in seconds to wait for all the txt records to propagate in dns api mode.
It's not necessary to use this by default, acme.sh polls dns status by DOH automatically.
-k, --keylength <bits> Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521.
-ak, --accountkeylength <bits> Specifies the account key length: 2048, 3072, 4096
--log [file] Specifies the log file. Defaults to "/root/.acme.sh/acme.sh.log" if argument is omitted.
--log-level <1|2> Specifies the log level, default is 1.
--syslog <0|3|6|7> Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.
--eab-kid <eab_key_id> Key Identifier for External Account Binding.
--eab-hmac-key <eab_hmac_key> HMAC key for External Account Binding.
These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:
--cert-file <file> Path to copy the cert file to after issue/renew..
--key-file <file> Path to copy the key file to after issue/renew.
--ca-file <file> Path to copy the intermediate cert file to after issue/renew.
--fullchain-file <file> Path to copy the fullchain cert file to after issue/renew.
--reloadcmd <command> Command to execute after issue/renew to reload the server.
--server <server_uri> ACME Directory Resource URI. (default: https://acme.zerossl.com/v2/DV90)
See: https://github.com/acmesh-official/acme.sh/wiki/Server
--accountconf <file> Specifies a customized account config file.
--home <directory> Specifies the home dir for acme.sh.
--cert-home <directory> Specifies the home dir to save all the certs, only valid for '--install' command.
--config-home <directory> Specifies the home dir to save all the configurations.
--useragent <string> Specifies the user agent string. it will be saved for future use too.
-m, --email <email> Specifies the account email, only valid for the '--install' and '--update-account' command.
--accountkey <file> Specifies the account key path, only valid for the '--install' command.
--days <ndays> Specifies the days to renew the cert when using '--issue' command. The default value is 60 days.
--httpport <port> Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
--tlsport <port> Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
--local-address <ip> Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
--listraw Only used for '--list' command, list the certs in raw format.
-se, --stop-renew-on-error Only valid for '--renew-all' command. Stop if one cert has error in renewal.
--insecure Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
--ca-bundle <file> Specifies the path to the CA certificate bundle to verify api server's certificate.
--ca-path <directory> Specifies directory containing CA certificates in PEM format, used by wget or curl.
--no-cron Only valid for '--install' command, which means: do not install the default cron job.
In this case, the certs will not be renewed automatically.
--no-profile Only valid for '--install' command, which means: do not install aliases to user profile.
--no-color Do not output color text.
--force-color Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
--ecc Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--to-pkcs12' and '--create-csr'
--csr <file> Specifies the input csr.
--pre-hook <command> Command to be run before obtaining any certificates.
--post-hook <command> Command to be run after attempting to obtain/renew certificates. Runs regardless of whether obtain/renew succeeded or failed.
--renew-hook <command> Command to be run after each successfully renewed certificate.
--deploy-hook <hookname> The hook file to deploy cert
--ocsp, --ocsp-must-staple Generate OCSP-Must-Staple extension.
--always-force-new-domain-key Generate new domain key on renewal. Otherwise, the domain key is not changed by default.
--auto-upgrade [0|1] Valid for '--upgrade' command, indicating whether to upgrade automatically in future. Defaults to 1 if argument is omitted.
--listen-v4 Force standalone/tls server to listen at ipv4.
--listen-v6 Force standalone/tls server to listen at ipv6.
--openssl-bin <file> Specifies a custom openssl bin location.
--use-wget Force to use wget, if you have both curl and wget installed.
--yes-I-know-dns-manual-mode-enough-go-ahead-please Force use of dns manual mode.
See: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode
-b, --branch <branch> Only valid for '--upgrade' command, specifies the branch name to upgrade to.
--notify-level <0|1|2|3> Set the notification level: Default value is 2.
0: disabled, no notification will be sent.
1: send notifications only when there is an error.
2: send notifications when a cert is successfully renewed, or there is an error.
3: send notifications when a cert is skipped, renewed, or error.
--notify-mode <0|1> Set notification mode. Default value is 0.
0: Bulk mode. Send all the domain's notifications in one message(mail).
1: Cert mode. Send a message for every single cert.
--notify-hook <hookname> Set the notify hook
--revoke-reason <0-10> The reason for revocation, can be used in conjunction with the '--revoke' command.
See: https://github.com/acmesh-official/acme.sh/wiki/revokecert
--password <password> Add a password to exported pfx file. Use with --to-pkcs12.