How to automate SSL certificate renewal for Nginx?


1 Basics

1.1 ACME

– ACME is short for Automatic Certificate Management Environment
– ACME is a communication protocol for automating certificate deployment between a certificate authority and the user's server
– ACME carries JSON-formatted messages over HTTPS

1.2 Let's Encrypt certificate management software

1.2.1 How it works

– The management software proves to the certificate authority that this server controls the domain
– The management software requests, renews or revokes the certificate for that domain from the certificate authority

1.2.2 Domain validation

– Let's Encrypt identifies the server administrator by a public key
– The first time the certificate management software talks to Let's Encrypt, it generates a new key pair
– The certificate management software proves to the Let's Encrypt CA that the server controls one or more domains (domain validation or URL validation)
There are two ways to validate a domain:
DNS validation: for "example.com", create the CNAME record that Let's Encrypt specifies to complete validation
URL validation: for "example.com", create the URL that Let's Encrypt specifies to complete validation
Figure: one-time password

As shown in the figure above,
– Let's Encrypt returns a one-time password to the management software
– The management software signs the one-time password with its private key to prove that the key belongs to it
The following figure shows the interaction for URL validation combined with the one-time password,

1.2.3 Certificate issuance and revocation


As shown in the figure above,
– The certificate management software creates a PKCS#10 certificate signing request (CSR) asking the Let's Encrypt CA to issue a certificate for the specified public key
– The CSR is signed once by the management software with the private key, and the whole CSR is then signed again with the authorized key so that the Let's Encrypt CA can verify its origin
– On receiving the request, the Let's Encrypt CA verifies both signatures; if both pass, it issues a certificate for the public key in the CSR and returns it to the management software

As shown in the figure above,
– The certificate management software signs a revocation request with its authorized private key so that Let's Encrypt can verify that the request is authorized
– If it is authorized, the revocation is published through the normal revocation channel (OCSP) so that relying parties such as browsers stop trusting the certificate

2 Best practice

2.1 Install the Snapd package manager

How to install Snapcraft on CentOS?

2.2 Install Certbot

2.2.1 Install the package

snap install --classic certbot

2.2.2 Create a symlink

ln -s /snap/bin/certbot /usr/bin/certbot

2.2.3 Show the help

certbot --help

The output is as follows,

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-name or --cert-path)
    delete          Delete a certificate (supply --cert-name)
    reconfigure     Update a certificate's configuration (supply --cert-name)

manage your account:
    register        Create an ACME account
    unregister      Deactivate an ACME account
    update_account  Update an ACME account
    show_account    Display account details
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
  -h all                print a detailed help page including all topics
  --version             print the version number
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2.3 Certificate operations

2.3.1 Obtain a certificate only

certbot certonly --nginx

The wizard runs as follows,

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): will@cmdschool.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: cmdschool.org
2: www.cmdschool.org
3: www.cmdschool.net
4: www.cmdschool.com
5: www.cmdschool.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2,3,4,5
Requesting a certificate for www.cmdschool.org and 3 more domains

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.cmdschool.org/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/www.cmdschool.org/privkey.pem
This certificate expires on 2023-09-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2.3.2 List the obtained certificates

certbot certificates

The output is as follows,

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.cmdschool.org
    Serial Number: 447e7ec9a6cc09f160b5ed91bd2d22ae84b
    Key Type: ECDSA
    Domains: www.cmdschool.org www.cmdschool.cn www.cmdschool.com www.cmdschool.net
    Expiry Date: 2023-09-28 06:52:05+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.cmdschool.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.cmdschool.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2.3.3 Configure Nginx to load the certificate

vim /etc/nginx/conf.d/www.cmdschool.org_443.conf

Add the following configuration,

server {
    #...
    ssl_certificate /etc/letsencrypt/live/www.cmdschool.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.cmdschool.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    #...
}

2.3.4 Configure automatic renewal

crontab -e

Add the following entry,

0 6 * * * /usr/bin/certbot renew --quiet

Note that,
– The cron entry runs the command once a day at 06:00
– The command checks whether the certificate expires within 30 days and renews it automatically if so
– Installed certificates are renewed and reloaded automatically
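As an added check (example code written for this page, not from the original post or from Certbot itself), the following Python parses the `certbot certificates` output format shown in 2.3.2 and reports which certificates already fall inside the 30-day renewal window from 2.3.4, so a monitoring job can confirm the cron entry is keeping up. The sample output, the example.org names and the serial numbers are constructed, not taken from the page.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on "certbot certificates" output
# (example.org names and serials are placeholders, not from the original page).
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: www.example.org
    Serial Number: 0123456789abcdef0123456789abcdef
    Key Type: ECDSA
    Domains: www.example.org www.example.net
    Expiry Date: 2023-09-28 06:52:05+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.org/privkey.pem
  Certificate Name: old.example.org
    Serial Number: fedcba9876543210fedcba9876543210
    Key Type: RSA
    Domains: old.example.org
    Expiry Date: 2023-07-10 00:00:00+00:00 (VALID: 9 days)
    Certificate Path: /etc/letsencrypt/live/old.example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.org/privkey.pem
"""

RENEW_WINDOW = timedelta(days=30)  # certbot renews once fewer than 30 days remain


def parse_certificates(text):
    """Turn 'certbot certificates' output into a list of dicts, one per certificate."""
    certs = []
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line or line.startswith("-"):
            continue  # separator rows and free text carry no key/value pair
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Certificate Name":
            certs.append({"name": value})
        elif not certs:
            continue  # header lines before the first certificate block
        elif key == "Domains":
            certs[-1]["domains"] = value.split()
        elif key == "Expiry Date":
            # Drop the "(VALID: N days)" / "(INVALID: EXPIRED)" suffix, keep the timestamp
            certs[-1]["expiry"] = datetime.fromisoformat(value.split(" (")[0])
        elif key in ("Certificate Path", "Private Key Path", "Key Type", "Serial Number"):
            certs[-1][key.lower().replace(" ", "_")] = value
    return certs


def days_remaining(cert, now):
    """Whole days until the certificate expires (negative once it has expired)."""
    return (cert["expiry"] - now).days


def certs_due_for_renewal(certs, now, window=RENEW_WINDOW):
    """Names of certificates that the daily 'certbot renew' job would pick up at 'now'."""
    return [c["name"] for c in certs if c["expiry"] - now < window]
```

Feed it the real output with `parse_certificates(subprocess.run(["certbot", "certificates"], capture_output=True, text=True).stdout)` and alert when `certs_due_for_renewal` stays non-empty across several days, which means the cron job is not renewing.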

References
======================

How Let's Encrypt works
————————
https://letsencrypt.org/zh-cn/how-it-works/

The ACME protocol
—————–
https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment
https://datatracker.ietf.org/doc/html/rfc8555

ACME clients
————-
https://letsencrypt.org/zh-cn/docs/client-options/

Nginx configuration examples
——————
https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/

https://beinset.medium.com/secure-your-nginx-server-with-https-using-lets-encrypt-and-certbot-96eb56ea5c21
