title: Two ways to generate self-signed certificates # title
tags: ssl certificates # tags
date: 2020-05-21
categories: linux miscellany # category


Sometimes we need to generate a self-signed SSL certificate. This post records two ways of doing it.

Generating one with a project from GitHub (the simpler way)

This method does not require the domain to be resolvable on the public internet (the project is really just a wrapper around openssl commands that automates certificate generation).

Download the project and set the validity period

[root@test nginx]# git clone https://github.com/Fishdrowned/ssl.git
[root@test nginx]# cd ssl # enter the cloned directory
# Set the certificate validity period (optional)
[root@test ssl]# cat ca.cnf | grep days # ca.cnf holds some default settings
default_days = 3650 # validity period of the certificate (default is 730 days, i.e. two years); I simply changed it to twenty years here

Generate the certificate

[root@test ssl]# ./gen.cert.sh www.ljz.com # just run this script; www.ljz.com is your domain name

After the script runs, the output looks roughly like this (all certificate-related files are saved in the out directory under the current directory):

(Figure 1: output of gen.cert.sh)

Copy the needed certificate files to another directory so they can be managed in one place

[root@test ssl]# mkdir -pv /data/ssl/www.ljz.com # this directory holds the certificate files
# *.key.pem is the certificate's private key
[root@test ssl]# cp out/www.ljz.com/www.ljz.com.key.pem /data/ssl/www.ljz.com/
# *.bundle.crt is the certificate
[root@test ssl]# cp out/www.ljz.com/www.ljz.com.bundle.crt /data/ssl/www.ljz.com/
# root.crt is the root certificate (for the client side: import it into the browser so the certificate is trusted)
[root@test ssl]# cp out/www.ljz.com/root.crt /data/ssl/www.ljz.com/
[root@test ssl]# ./flush.sh # after copying the certificate files away, you can run this script to clear all history (optional)

At this point, once your website is pointed at the certificate and its private key, it can be accessed over HTTPS. (If root.crt is not imported into the client's browser, the browser will warn that the HTTPS connection is not secure.)
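For readers who want to see what the wrapper script above actually does with openssl, here is an added example (my own code, not the Fishdrowned/ssl project's): it creates a private root CA, issues a server certificate for one domain with a subjectAltName, builds the bundle file, and verifies the chain. File names mirror the out directory above; the CA subject and the san.ext file are my own assumptions.

```shell
#!/bin/sh
# Added example, not the Fishdrowned/ssl project's code: the openssl steps
# behind a private-CA self-signed setup like the one described above.
set -eu

# make_self_signed <domain> <outdir> [days]: root CA + leaf cert + bundle.
make_self_signed() {
    domain=$1; out=$2; days=${3:-3650}
    mkdir -p "$out"
    # 1. Private root CA; root.crt is what clients must import to trust the site.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=Local Test Root CA" \
        -keyout "$out/root.key.pem" -out "$out/root.crt" 2>/dev/null
    # 2. Server private key (the *.key.pem file) and a CSR for the domain.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$domain" \
        -keyout "$out/$domain.key.pem" -out "$out/$domain.csr" 2>/dev/null
    # 3. Sign the CSR with the CA. Browsers match the hostname against the
    #    subjectAltName, not the CN, so the extension is required.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$domain" \
        > "$out/san.ext"
    openssl x509 -req -sha256 -days "$days" -in "$out/$domain.csr" \
        -CA "$out/root.crt" -CAkey "$out/root.key.pem" -CAcreateserial \
        -extfile "$out/san.ext" -out "$out/$domain.crt" 2>/dev/null
    # 4. Bundle = leaf followed by root; this is what ssl_certificate points at.
    cat "$out/$domain.crt" "$out/root.crt" > "$out/$domain.bundle.crt"
}

# verify_self_signed <domain> <outdir>: 0 if the leaf chains to root.crt and
# carries a DNS SAN for the domain, i.e. a client that trusts root.crt is happy.
verify_self_signed() {
    domain=$1; out=$2
    openssl verify -CAfile "$out/root.crt" "$out/$domain.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$out/$domain.crt" -noout -text 2>/dev/null | grep -q "DNS:$domain"
}
```

The root CA key (root.key.pem) must stay off the web server; only root.crt is distributed to clients.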

Let's Encrypt

Note: this method requires your domain to be resolvable on the public internet.

Let's Encrypt is a free project that issues HTTPS certificates automatically.
Certbot is the client tool officially recommended by Let's Encrypt for obtaining certificates.

Note: the installation steps may differ depending on the operating system and the web server the certificate is for. Here the certificate is used by nginx on CentOS 7; if your setup differs, look up the installation procedure on the official website.

What limits does Let's Encrypt impose?

  • At most 20 subdomains under the same top-level domain per week
  • At most 5 requests per domain per week
  • At most 5 failures per hour
  • The request rate must stay below 20 requests/s
  • At most 10 accounts per IP within 3 hours
  • At most 300 pending authorizations per account at any time

Configure yum

[root@nginx ~]# yum -y install epel-release
[root@nginx ~]# yum -y install yum-utils
[root@nginx ~]# yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

Install certbot

[root@nginx ~]# yum -y install certbot python2-certbot-nginx
[root@nginx ~]# certbot --version # confirm it is installed
certbot 1.3.0

Create the certificate interactively

[root@nginx ~]# certbot certonly # enter interactive mode
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx) # this method modifies the nginx config file
2: Spin up a temporary webserver (standalone) # this method requires stopping the service
3: Place files in webroot directory (webroot) # choose this if the certificate must be issued without disrupting the running server
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
# we enter 1 here to select the nginx plugin
Plugins selected: Authenticator nginx, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxxxxxxxx@qq.com # enter your email address here (only prompted the first time)
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a # enter "a" to agree (only prompted the first time)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y # enter "y" to confirm
Starting new HTTPS connection (1): supporters.eff.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): www.lvjianzhao.top # enter your domain name here
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.lvjianzhao.top
nginx: [error] invalid PID number "" in "/run/nginx.pid"
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.lvjianzhao.top/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.lvjianzhao.top/privkey.pem
Your cert will expire on 2020-07-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
visiting https://act.eff.org.
# as long as your DNS resolution is correct, the certificate has now been created successfully.

Configure nginx to use the generated certificate

[root@nginx ~]# cd /etc/letsencrypt/live/www.lvjianzhao.top/     # enter the certificate directory
[root@nginx www.lvjianzhao.top]# ll
total 4
# the next two files can be ignored here
lrwxrwxrwx 1 root root  42 Apr 19 21:20 cert.pem -> ../../archive/www.lvjianzhao.top/cert1.pem
lrwxrwxrwx 1 root root  43 Apr 19 21:20 chain.pem -> ../../archive/www.lvjianzhao.top/chain1.pem
# this is the certificate file (leaf plus chain)
lrwxrwxrwx 1 root root  47 Apr 19 21:20 fullchain.pem -> ../../archive/www.lvjianzhao.top/fullchain1.pem
# this is the certificate's private key
lrwxrwxrwx 1 root root  45 Apr 19 21:20 privkey.pem -> ../../archive/www.lvjianzhao.top/privkey1.pem
# this README describes what the files above are for
-rw-r--r-- 1 root root 692 Apr 19 21:20 README
# copy the certificate and its private key to a dedicated directory for central management
[root@nginx www.lvjianzhao.top]# cp fullchain.pem privkey.pem /etc/nginx/ssl/www.lvjianzhao.top/
# next, edit the nginx config file to reference this certificate; editing the nginx config is not the focus of this post, so it is not explained in detail
[root@nginx nginx]# egrep -v '^$|^#' nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  www.lvjianzhao.top;
        root         /usr/share/nginx/html;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
        return 302 https://www.lvjianzhao.top;
        }
        error_page 404 /404.html;
            location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  www.lvjianzhao.top;
        root         /usr/share/nginx/html;
        ssl_certificate "/etc/nginx/ssl/www.lvjianzhao.top/fullchain.pem";
        ssl_certificate_key "/etc/nginx/ssl/www.lvjianzhao.top/privkey.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {

        }
        error_page 404 /404.html;
            location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}

Test that HTTPS works

(Figure 2: browser showing the site over HTTPS)

Reference post: Certbot 自动化生成 https 证书 (Automating HTTPS certificate generation with Certbot)

Set up a scheduled task for automatic renewal (so the certificate does not expire)

[root@nginx nginx]# echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | tee -a /etc/crontab
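The cron line above renews silently, so a mismatched or stale copy in /etc/nginx/ssl would go unnoticed until nginx fails to reload or the browser warns. The following is an added check of mine (not from the original post or from Certbot): it confirms that a private key belongs to a certificate and that the certificate is still valid for a given number of days. The function names and the 30-day threshold are my own choices; paths are arguments.

```shell
#!/bin/sh
# Added example, not from the original post: a gate to run after copying
# fullchain.pem/privkey.pem into the nginx directory and after each renewal.
set -eu

# cert_key_match <cert.pem> <key.pem>: 0 if the key's public half equals the
# public key inside the certificate (a mismatch makes nginx refuse to start).
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for <cert.pem> <days>: 0 if the certificate is still valid
# <days> days from now (openssl -checkend takes seconds).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_cert_pair <cert.pem> <key.pem> <days>: report both checks and return
# 0 only if both pass, e.g. `check_cert_pair c.pem k.pem 30 && nginx -s reload`.
check_cert_pair() {
    rc=0
    if cert_key_match "$1" "$2"; then
        echo "ok: $2 matches $1"
    else
        echo "FAIL: $2 does not match $1"; rc=1
    fi
    if cert_valid_for "$1" "$3"; then
        echo "ok: $1 still valid in $3 days"
    else
        echo "WARN: $1 expires within $3 days, renew now"; rc=1
    fi
    return $rc
}
```

Let's Encrypt certificates last 90 days, so a 30-day threshold flags a renewal that the cron job silently failed to perform.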