安全协议>> letsencrypt>> 返回
项目作者: pixerapp

项目描述 :
Issue SSL certificates via Let's Encrypt.
高级语言:
项目地址: git://github.com/pixerapp/letsencrypt.git
创建时间: 2017-02-04T07:25:32Z
项目社区:https://github.com/pixerapp/letsencrypt
开源协议:MIT License
下载


Let’s Encrypt

This is a guide for how to issue SSL certificates on Ubuntu 16.10.

Source: https://certbot.eff.org/#ubuntutyakkety-haproxy

Issue Certificates

  1. Ensure ports 80 and 443 are open. letsencrypt client will create a temporary Web server to validate the host
    and domain.

  2. Install letsencrypt client.

    1.  apt-get udpate -y && apt-get install -y letsencrypt

  3. Issue the certificates for one or more domains.

    1.  certbot certonly --standalone -d pixerapp.com -d www.pixerapp.com -d cdn.pixerapp.com -d es.pixerapp.com -d api.pixerapp.com

All letsencrypt files are stored at /etc/letsencrypt.

Generate a Certificate Chain

The /etc/letsencrypt/archive/pixerapp.com/fullchain1.pem file includes the full chain of certificates except
the private key used to generate the certificates. Prepend the private key to have a valid certificate chain
that can be used by HAProxy server.

  1. cd /etc/letsencrypt/archive/pixerapp.com/
  2. cat privkey1.pem fullchain1.pem > pixerapp.com.pem

Now move this final pixerapp.com.pem to a location that is used by HAProxy.
Check https://github.com/pixerapp/haproxy for how to setup HAProxy.

Renew Certificates

Point remote domains back to the main IP

In order to renew the certificates, ensure all domains in the chain point to the main IP assigned to the host where
certbot script is installed. For instance, if the CDN domain cdn.pixerapp.com usually points to an external CDN
service. We need to temporarily point the domain to our main host.

  1. Copy and save somewhere the original destination of the remote CDN service.
  2. Temporarily point the cdn.pixerapp.com to the main IP pixerapp.com.
  3. Perform the same replacement operation to all other CDN like domains we have.

Stop the proxy server

At this moment we have HAProxy bound to ports 80 (HTTP) and 443 (HTTPS). The certbot needs to be able to bind
to these ports, so we need to temporarily stop our proxy server.

  1. docker stop es_haproxy_1

Then, dry run the command to ensure the certbot can potentially renew all the certificates.

  1. # certbot renew --dry-run
  2. Saving debug log to /var/log/letsencrypt/letsencrypt.log
  4. -------------------------------------------------------------------------------
  5. Processing /etc/letsencrypt/renewal/pixerapp.com.conf
  6. -------------------------------------------------------------------------------
  7. Cert is due for renewal, auto-renewing...
  8. Renewing an existing certificate
  9. Performing the following challenges:
  10. tls-sni-01 challenge for pixerapp.com
  11. tls-sni-01 challenge for api.pixerapp.com
  12. tls-sni-01 challenge for cdn.pixerapp.com
  13. tls-sni-01 challenge for es.pixerapp.com
  14. tls-sni-01 challenge for www.pixerapp.com
  15. Waiting for verification...
  16. Cleaning up challenges
  18. -------------------------------------------------------------------------------
  19. new certificate deployed without reload, fullchain is
  20. /etc/letsencrypt/live/pixerapp.com/fullchain.pem
  21. -------------------------------------------------------------------------------
  22. ** DRY RUN: simulating 'certbot renew' close to cert expiry
  23. **          (The test certificates below have not been saved.)
  25. Congratulations, all renewals succeeded. The following certs have been renewed:
  26.   /etc/letsencrypt/live/pixerapp.com/fullchain.pem (success)
  27. ** DRY RUN: simulating 'certbot renew' close to cert expiry
  28. **          (The test certificates above have not been saved.)

Once the dry run succeeds, we can run it for real

  1. certbot renew

Generate the certificate chain

Refer to the Generate a Certificate Chain section above to append the private key to the generate certificates.

Start the proxy server

Now it is time to start HAProxy.