How to use letsencrypt

letsencrypt now finally supports wildcard certificates.

One annoying thing about certbot is that renew uses the same parameters the certificate was created with, and they cannot be changed afterwards, so it is best to choose the webroot method when creating the certificate in the first place.

install certbot

see ~/.dotfiles/installs/install_certbot.sh

create new cert

sudo certbot certonly --webroot -w /opt/spider/nginx/html/ -d shujutuzi.com -d www.shujutuzi.com

sudo certbot certonly --standalone --agree-tos --email kongyifei@gmail.com --domain g.yifei.me --preferred-challenges http --non-interactive

the cert is placed at /etc/letsencrypt/live/shujutuzi.com/

there will be four files:

  • cert.pem: server certificate only.
  • chain.pem: root and intermediate certificates only.
  • fullchain.pem: combination of server, root and intermediate certificates (replaces cert.pem and chain.pem).
  • privkey.pem: private key (do not share this with anyone!).

install the cert

https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8

auto renew

create a cron job to run renew periodically

certbot renew --pre-hook "/opt/nginx/sbin/nginx -s stop" --post-hook "/opt/nginx/sbin/nginx -s start" --quiet

optionally, you can generate a strong Diffie-Hellman group

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Then, change your default server settings:

server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # optional hardening (nginx comments start with '#', not '//')
    # note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2 unless legacy clients require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
}

Side Notes:

what is a pem file?

  • pem: container format, may contain one or many certs; short for Privacy Enhanced Mail
  • key: just the private key file of a pem-format cert
  • cer, crt: just a pem file with a different extension, used on Windows
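To make the four-file layout above and the PEM container format concrete, here is an added check script (not part of the original notes) that splits PEM files into their labelled blocks, verifies that fullchain.pem is cert.pem followed by chain.pem, and confirms no private key has ended up in a file that nginx would send to clients. The sample input is constructed; its base64 bodies are placeholders, not real certificates.

```python
import re

# A PEM container is a sequence of labelled, base64-armoured blocks.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return [(label, body with whitespace removed), ...] in file order."""
    return [(m.group("label"), "".join(m.group("body").split()))
            for m in PEM_BLOCK.finditer(text)]


def check_live_dir(files):
    """files maps the four certbot file names to their text; returns a list of problems."""
    names = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")
    blocks = {name: pem_blocks(files.get(name, "")) for name in names}
    problems = []
    if [l for l, _ in blocks["cert.pem"]] != ["CERTIFICATE"]:
        problems.append("cert.pem should hold exactly one CERTIFICATE block")
    if not blocks["chain.pem"] or any(l != "CERTIFICATE" for l, _ in blocks["chain.pem"]):
        problems.append("chain.pem should hold only CERTIFICATE blocks")
    # fullchain.pem is the server certificate followed by chain.pem, in that order.
    if blocks["fullchain.pem"] != blocks["cert.pem"] + blocks["chain.pem"]:
        problems.append("fullchain.pem is not cert.pem followed by chain.pem")
    if not blocks["privkey.pem"] or not blocks["privkey.pem"][0][0].endswith("PRIVATE KEY"):
        problems.append("privkey.pem should start with a PRIVATE KEY block")
    # Anything given to nginx's ssl_certificate is sent to clients: no key material allowed.
    for name in names[:3]:
        if any(l.endswith("PRIVATE KEY") for l, _ in blocks[name]):
            problems.append(f"{name} contains a private key block")
    return problems


# Constructed sample input: the bodies are placeholder base64, not real certificates or keys.
def _blk(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

SAMPLE = {
    "cert.pem": _blk("CERTIFICATE", "TEVBRg=="),
    "chain.pem": _blk("CERTIFICATE", "SU5URVI="),
    "fullchain.pem": _blk("CERTIFICATE", "TEVBRg==") + _blk("CERTIFICATE", "SU5URVI="),
    "privkey.pem": _blk("PRIVATE KEY", "S0VZ"),
}

if __name__ == "__main__":
    print(check_live_dir(SAMPLE) or "live directory layout matches the notes above")
```

To run it against a real deployment, read the four files from /etc/letsencrypt/live/<domain>/ into the dict instead of SAMPLE.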

Remove the password from an SSL certificate (private key)

openssl rsa -in futurestudio_with_pass.key -out futurestudio.key

Generate a self-signed certificate

References

  1. https://futurestud.io/tutorials/how-to-remove-pem-password-from-ssl-certificate
  2. https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

© 2016-2022 Yifei Kong. Powered by ynotes

All contents are under the CC-BY-NC-SA license, if not otherwise specified.

Opinions expressed here are solely my own and do not express the views or opinions of my employer.