In theory, we could issue SSL certificates ourselves, but a certificate we sign ourselves is not trusted by mainstream browsers, so we need one issued by a trusted certificate authority (CA). Commercial certificate issuance is generally expensive: certificates from organisations such as GoDaddy or GlobalSign typically cost 20 US dollars a year or more. To speed up the adoption of HTTPS, the EFF (Electronic Frontier Foundation), the Mozilla Foundation and the University of Michigan founded a non-profit organisation called ISRG (Internet Security Research Group), which since 2015 has been issuing free certificates under the name Let's Encrypt. These certificates are not only free but also quite easy to use, so we can deploy HTTPS with the free certificates Let's Encrypt provides.
Let's Encrypt is a free certificate programme launched by an organisation called ISRG (Internet Security Research Group). The organisations and companies taking part in the programme are among the most important pioneers of the Internet: besides the three prominent founding sponsors mentioned above, Cisco (the leading global manufacturer of network equipment) and Akamai joined later, and even the Linux Foundation joined the collaboration. The participation of these major organisations underwrites the project's credibility and sustainability.
Deploying an HTTPS website requires a certificate, and certificates are issued by CAs. Most traditional CAs charge for issuing certificates, which hinders the adoption of HTTPS.
Let's Encrypt is also a CA, but this CA is free!!! In other words, issuing a certificate costs nothing at all.
```bash
# Create a virtual environment
pip install virtualenv
cd /root
virtualenv certbot
source certbot/bin/activate

# Update its pip and setuptools (VENV/bin/pip install -U setuptools pip)
# to avoid problems with cryptography's dependency on setuptools>=11.3.
certbot/bin/pip install -U setuptools pip
```

```
Package    Version
---------- -------
pip        20.0.2
setuptools 44.0.0
wheel      0.34.2
```

Make sure you have libssl-dev and libffi (or your regional equivalents) installed. You might have to set compiler flags to pick things up (I have to use CPPFLAGS=-I/usr/local/opt/openssl/include LDFLAGS=-L/usr/local/opt/openssl/lib on my macOS to pick up brew's openssl, for example).
```
(certbot) [root@xxx ~]# certbot certonly \
>   -n --agree-tos --email xxx \
>   --dns-route53 \
>   -d "*.xxx"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found credentials in shared credentials file: ~/.aws/credentials
Plugins selected: Authenticator dns-route53, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for xxx
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxx/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xxx/privkey.pem
   Your cert will expire on 2020-05-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
All generated keys and issued certificates can be found in /etc/letsencrypt/live/$domain. In the case of a SAN certificate with multiple alternative names, $domain is the first domain passed in via the -d parameter. Rather than copying, point your (web) server configuration directly at those files (or create symlinks). During renewal, /etc/letsencrypt/live is updated with the latest necessary files.
```
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  (the certbot apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  (the certbot nginx plugin is not installed)
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script hooks
   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-name or --cert-path)
    delete          Delete a certificate (supply --cert-name)

manage your account:
    register        Create an ACME account
    unregister      Deactivate an ACME account
    update_account  Update an ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx, apache,
   standalone, webroot, etc.)
  -h all                print a detailed help page including all topics
  --version             print the version number
```
With the good work by “Let’s Encrypt” in providing free SSL certs for users, I wanted a quick way to check all the domains I look after to determine which ones have correct SSL certs, and which ones are in need of updating etc.
This bash script is the first draft of a program to do that. It can be run against a list of domain names in a file, against the directories in your Let's Encrypt live directory, or on a single server, with the aim of collecting all the domain names from the server.
The output looks like:
```
Domain        cert for      valid until            cert issued by   possible issues?
domain1.com   domain1.com   Dec 22 09:19:00 2016   Let's Encrypt    - certificate near renewal date
domain2.com   domain2.com   Dec 22 11:42:00 2016   Let's Encrypt    - certificate near renewal date
domain3.net   domain3.net   Mar  4 10:10:00 2016   Let's Encrypt
domain4.net   domain1.net   Mar  2 12:23:00 2016   Let's Encrypt    - possible name mismatch
```
You can also get a list of domains that need to be renewed; to list the domains requiring renewal in the next 20 days;
You can also get it to run a specific command if domains need renewal, for example
```bash
check -i ISPconfig -e 20 -c ~/scripts/renewssl
```

will run the renewssl command with the domain name passed as an argument. If more than one domain needs renewal, it will call the command once per domain. This can then easily be run as a cron job to regularly check and update SSL certs.
```
checkssl ver. 1.15
Checks ssl certs for a set of domains

Usage: checkssl [-h|--help] [-d|--debug] [-f|--file filename] [-s|--server stype] [-l|--location directory] [-e|--expires days] [-r|--renew] [-u|--update] [-U|--nocheck] [-c|--command command] [domain]

Options:
  -h, --help                  Display this help message and exit.
  -d, --debug                 Outputs debug information
  -f, --file filename         Where 'filename' is a file containing a list of domain names
  -s, --server server_type    Where 'server_type' is the server type (cpanel, ISPconfig, apache2 ...)
  -l, --location directory    Where 'directory' is where your lets encrypt live directory is (typically /etc/letsencrypt/live/)
  -e, --expires days          Where 'days' is the number of days to alert if cert expires in that time period
  -r, --renew                 This just lists domain names that need to be renewed. This list could be used by an auto renew script, or to email you.
  -p, --problems              This just lists the domains that have possible issues. This list could be used to email you only if there is something to take care of.
  -u, --upgrade               Upgrade checkssl if a more recent version is available
  -U, --nocheck               Do not check if a more recent version is available
  -c, --command run_command   Where 'run_command' is a command which will be run (with domain name passed) for any certs due for renewal
```
A domain name can also be specified on the command line
If a file with a list of domains is provided, each domain can also include a port / service for testing, i.e.
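As an added example (not part of the original post, and not the checkssl script itself), here is a small Python sketch of the checks checkssl performs: parse the `notAfter` date in the form `openssl x509 -enddate` prints it, flag certificates that fall inside the `-e` / `--expires` window or have already expired, and flag a name mismatch between the queried domain and the names on the certificate, extended here to cover wildcard names such as the `*.xxx` certificate obtained with certbot above. All sample rows and dates are constructed; nothing is read from the network or from /etc/letsencrypt.

```python
from datetime import datetime

# Date format printed by `openssl x509 -noout -enddate`, e.g. "notAfter=Dec 22 09:19:00 2016 GMT"
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"

def parse_not_after(line):
    """Turn an openssl 'notAfter=...' line into a naive UTC datetime."""
    return datetime.strptime(line.split("=", 1)[1].strip(), OPENSSL_DATE)

def name_matches(domain, cert_name):
    """Does cert_name cover domain? A wildcard covers exactly one leftmost label (RFC 6125)."""
    domain, cert_name = domain.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        return "." in domain and domain.split(".", 1)[1] == cert_name[2:]
    return domain == cert_name

def check_domain(domain, cert_names, not_after, now, expire_days=20):
    """Issues checkssl would flag for one domain; an empty list means nothing to do."""
    issues = []
    days_left = (not_after - now).days
    if days_left < 0:
        issues.append("certificate expired")
    elif days_left <= expire_days:          # the -e / --expires window
        issues.append("certificate near renewal date")
    if not any(name_matches(domain, n) for n in cert_names):
        issues.append("possible name mismatch")
    return issues

def render_report(rows, now, expire_days=20):
    """rows: (domain, [names on cert], not_after, issuer) -> checkssl-style table as a string."""
    fmt = "%-16s %-16s %-21s %-15s %s"
    lines = [fmt % ("Domain", "cert for", "valid until", "cert issued by", "possible issues?")]
    for domain, names, not_after, issuer in rows:
        issues = check_domain(domain, names, not_after, now, expire_days)
        lines.append(fmt % (domain, names[0], not_after.strftime("%b %d %H:%M:%S %Y"),
                            issuer, "".join(" - " + i for i in issues)))
    return "\n".join(lines)

# Constructed sample data mirroring the post's example output (not real domains or certs).
SAMPLE_NOW = datetime(2016, 12, 10)
SAMPLE_ROWS = [
    ("domain1.com", ["domain1.com"], parse_not_after("notAfter=Dec 22 09:19:00 2016 GMT"), "Let's Encrypt"),
    ("domain3.net", ["domain3.net"], parse_not_after("notAfter=Mar  4 10:10:00 2017 GMT"), "Let's Encrypt"),
    ("domain4.net", ["domain1.net"], parse_not_after("notAfter=Mar  2 12:23:00 2017 GMT"), "Let's Encrypt"),
    ("api.example.org", ["*.example.org"], parse_not_after("notAfter=Jan 15 00:00:00 2017 GMT"), "Let's Encrypt"),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_ROWS, SAMPLE_NOW))
```

On a real host, the `notAfter` line for a certbot-managed site comes from `openssl x509 -noout -enddate -in /etc/letsencrypt/live/$domain/fullchain.pem` (the leaf is the first certificate in that file).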