Last updated: 2017-03-16.

Introduction

Let's Encrypt is a Certificate Authority that issues SSL certificates free of charge, sponsored by a number of large companies and major non-profit organizations in order to promote HTTPS.

This article explains how to use the service Let's Encrypt provides; you need to be comfortable working on the command line.

Limits

Let's Encrypt is now generally available, but it enforces rate limits on issuance. The ones an ordinary user is likely to run into:

For the latest information and full details, see "Rate Limits - Let's Encrypt - Free SSL/TLS Certificates".

Installation

The program we are going to use needs curl, so install curl first:

# echo "for Debian/Ubuntu"
# apt-get install curl
# echo "for CentOS/RedHat"
# yum install curl

Download the latest release of dehydrated and unpack it; at the time of writing that is 0.4.0:

$ # refer: https://github.com/lukas2511/dehydrated/releases
$ curl -LO https://github.com/lukas2511/dehydrated/archive/v0.4.0.tar.gz
$ tar -zxv -f v0.4.0.tar.gz
$ cd dehydrated-0.4.0/

Or fetch the latest version with Git:

$ cd ~; git clone https://github.com/lukas2511/dehydrated.git
$ cd dehydrated/

Besides Git, you can also grab just the executable script (note that this is the unpinned master branch; for a production host prefer a tagged release):

$ curl -LO https://raw.githubusercontent.com/lukas2511/dehydrated/master/dehydrated

Install the script under /etc/dehydrated/ (adjust the source path if you unpacked the tarball, e.g. ~/dehydrated-0.4.0/dehydrated, or downloaded the bare script into the current directory):

# mkdir /etc/dehydrated/
# cp ~/dehydrated/dehydrated /etc/dehydrated/
# chmod a+x /etc/dehydrated/dehydrated

Create the directory used during certificate validation (dehydrated writes the HTTP challenge responses here):

# mkdir -p /var/www/dehydrated/

Configure Apache or nginx by adding the following to the virtual host that is to be validated (on Apache, the directory must also be accessible, e.g. via a <Directory /var/www/dehydrated/> block with Require all granted, if your configuration denies access outside the DocumentRoot):

# for Apache
Alias /.well-known/acme-challenge/ /var/www/dehydrated/
# for nginx
location /.well-known/acme-challenge/ {
    alias /var/www/dehydrated/;
}
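Before requesting a certificate it is worth confirming that the web server really exposes /var/www/dehydrated/ at the ACME path, since a mis-wired Alias or location block is the usual cause of a failed challenge. The following is an added example, not part of the original page nor of dehydrated: it writes a random token into the challenge directory, fetches it back through the server with curl (wrapped in fetch_url so the fetcher can be swapped out), and compares the two. The function names, the webroot and the URL are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page or from dehydrated): probe the
# ACME challenge path end to end before running dehydrated.
set -eu

# fetch_url URL: print the body of URL, fail on HTTP errors.
# curl is assumed (the page installs it); -f turns HTTP errors into a
# non-zero exit, -s silences progress, -S still prints real errors.
fetch_url() {
    curl -fsS "$1"
}

# check_challenge_path WEBROOT BASE_URL
# Drops a random token file into WEBROOT, requests it as
# BASE_URL/.well-known/acme-challenge/<token>, and compares the bytes.
# Returns 0 when the alias/location is wired correctly, 1 otherwise.
# The token file is removed again in both cases.
check_challenge_path() {
    webroot=$1
    base_url=$2
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    expected="probe-$token"
    printf '%s' "$expected" > "$webroot/$token"
    got=$(fetch_url "$base_url/.well-known/acme-challenge/$token" 2>/dev/null) || got=""
    rm -f "$webroot/$token"
    if [ "$got" = "$expected" ]; then
        echo "OK: $base_url serves $webroot at /.well-known/acme-challenge/"
        return 0
    fi
    echo "FAIL: got '$got' for token $token; check the Alias/location block" >&2
    return 1
}

# Usage on the real host (replace letsencrypt.tw with your own domain):
#   check_challenge_path /var/www/dehydrated http://letsencrypt.tw
```

Run it over plain HTTP, which is what the Let's Encrypt validation server will use; a redirect to HTTPS is fine as long as the HTTPS side serves the same directory, and curl -L can be added to follow it.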

The first time, you have to register an account and accept the Let's Encrypt terms of service:

# /etc/dehydrated/dehydrated --register --accept-terms

Then generate the certificate for the first time; replace letsencrypt.tw with your own domain name:

# /etc/dehydrated/dehydrated -c -d letsencrypt.tw

On success the output looks roughly like this:

# INFO: Using main config file /etc/dehydrated/config
Processing letsencrypt.tw
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for letsencrypt.tw...
 + Responding to challenge for letsencrypt.tw...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

The generated files end up in /etc/dehydrated/certs/letsencrypt.tw/. Each file carries an issuance timestamp in its name and is reachable through a stable symlink, so the paths you configure below do not change on renewal; note that the private key and the directory itself are created readable by root only:

drwx------ 2 root root 4096 Feb 24 02:25 .
drwx------ 3 root root 4096 Feb 24 02:23 ..
-rw------- 1 root root 1651 Feb 24 02:25 cert-1456280700.csr
-rw------- 1 root root 2143 Feb 24 02:25 cert-1456280700.pem
lrwxrwxrwx 1 root root   19 Feb 24 02:25 cert.csr -> cert-1456280700.csr
lrwxrwxrwx 1 root root   19 Feb 24 02:25 cert.pem -> cert-1456280700.pem
-rw------- 1 root root 1675 Feb 24 02:25 chain-1456280700.pem
lrwxrwxrwx 1 root root   20 Feb 24 02:25 chain.pem -> chain-1456280700.pem
-rw------- 1 root root 3818 Feb 24 02:25 fullchain-1456280700.pem
lrwxrwxrwx 1 root root   24 Feb 24 02:25 fullchain.pem -> fullchain-1456280700.pem
-rw------- 1 root root 3243 Feb 24 02:25 privkey-1456280700.pem
lrwxrwxrwx 1 root root   22 Feb 24 02:25 privkey.pem -> privkey-1456280700.pem

Now point the Apache or nginx SSL settings at those files (on Apache 2.4.8 or newer you can instead give fullchain.pem to SSLCertificateFile and drop SSLCertificateChainFile):

# for Apache
SSLCertificateFile /etc/dehydrated/certs/letsencrypt.tw/cert.pem
SSLCertificateChainFile /etc/dehydrated/certs/letsencrypt.tw/chain.pem
SSLCertificateKeyFile /etc/dehydrated/certs/letsencrypt.tw/privkey.pem
# for nginx
ssl_certificate /etc/dehydrated/certs/letsencrypt.tw/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/letsencrypt.tw/privkey.pem;

Then reload the Apache or nginx configuration (or simply restart the service):

# echo "for Apache"
# service apache2 reload
# echo "for nginx"
# service nginx reload

Next, create /etc/cron.d/dehydrated-letsencrypt_tw (file names in /etc/cron.d/ may not contain a '.', so it is replaced with '_') so that cron checks the certificate daily and renews it when needed. dehydrated -c only requests a new certificate once the current one is within RENEW_DAYS (30 by default) of expiry; the sleep in front delays the run by a fixed per-host offset of up to a day, derived from a hash of the hostname, so that many machines do not all contact Let's Encrypt at midnight. The % signs are written as \% because % is special in crontab. Note that the web server is reloaded after every run even when nothing changed, and that the log goes to the world-writable /tmp; a root-owned location under /var/log/ is the safer choice:

# for Apache
0 0 * * * root sleep $(expr $(printf "\%d" "0x$(hostname | md5sum | cut -c 1-8)") \% 86400); ( /etc/dehydrated/dehydrated -c -d letsencrypt.tw; /usr/sbin/service apache2 reload ) > /tmp/dehydrated-letsencrypt.tw.log 2>&1
# for nginx
0 0 * * * root sleep $(expr $(printf "\%d" "0x$(hostname | md5sum | cut -c 1-8)") \% 86400); ( /etc/dehydrated/dehydrated -c -d letsencrypt.tw; /usr/sbin/service nginx reload ) > /tmp/dehydrated-letsencrypt.tw.log 2>&1
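The cron lines above reload the web server unconditionally. dehydrated can instead run a hook script and tell it what happened: it calls the script named by HOOK in /etc/dehydrated/config with a handler name as the first argument, and the documented handlers include deploy_cert (DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP) and unchanged_cert (DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE). The following is an added example of such a hook, not code from the page or from the dehydrated project: it reloads the web server only when a new certificate was actually deployed, and refuses to do so if the private key has become readable by other users. The path /etc/dehydrated/hook.sh, the RELOAD_CMD variable and the function names are the example's own assumptions; with it in place, the reload can be dropped from the cron line.

```shell
#!/bin/sh
# Added example (not dehydrated's own code): a HOOK script for dehydrated.
# dehydrated invokes it as   hook.sh <handler> <args...>
# Enable with   HOOK=/etc/dehydrated/hook.sh   in /etc/dehydrated/config
# (assumed location) and make the file executable.
set -eu

# Assumption: nginx. For Apache set RELOAD_CMD="service apache2 reload".
RELOAD_CMD=${RELOAD_CMD:-"service nginx reload"}

# key_is_private FILE: succeed only if group and other have no permissions.
# Uses GNU coreutils stat (Linux); the last two octal digits are group/other.
key_is_private() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Called by dehydrated once per newly issued certificate.
deploy_cert() {
    domain=$1
    keyfile=$2
    timestamp=$6
    if ! key_is_private "$keyfile"; then
        echo "refusing to deploy $domain: $keyfile is readable by others" >&2
        return 1
    fi
    echo "new certificate for $domain (issued $timestamp), reloading web server"
    $RELOAD_CMD
}

# unchanged_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE
# Called when the existing certificate is still outside RENEW_DAYS.
unchanged_cert() {
    echo "certificate for $1 still valid, nothing to do"
}

# hook_main HANDLER ARGS...: dispatch. Handlers this script does not care
# about (deploy_challenge, clean_challenge, ...; the WELLKNOWN directory
# method needs none of them) are ignored so dehydrated keeps going.
hook_main() {
    handler=${1:-}
    shift || true
    case "$handler" in
        deploy_cert)    deploy_cert "$@" ;;
        unchanged_cert) unchanged_cert "$@" ;;
        *)              : ;;
    esac
}

hook_main "$@"
```

Because the hook runs as root from cron, keep it root-owned and not writable by anyone else, exactly like the dehydrated script itself; anything it executes runs with the same privileges as the renewal.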

Design

This section explains why things are laid out as above, which helps a lot with automation (e.g. Puppet or Chef):

References