Free SSL - Applying for a free certificate

Introduction to Let's Encrypt

Let's Encrypt is a Certificate Authority that issues SSL certificates free of charge, sponsored by many large companies and non-profit organisations in order to promote HTTPS.
Whether it is your personal site or a company's official site, you can obtain a free SSL certificate through the following procedure.

Let's Encrypt official limits

Let's Encrypt is now officially open, but it enforces issuance limits. The ones an ordinary user is likely to run into:

  • Names/Certificate: a single certificate is limited to 100 hostnames.
  • Certificates/Domain: at most 20 certificates per domain per week; renewals do not count against the quota (the hostnames in the certificate must be exactly the same as before).
  • Certificates/FQDN set: at most five certificates per week for the same set of hostnames.

For the latest information and full details, see "Rate Limits – Let's Encrypt – Free SSL/TLS Certificates".

Installation – Linux host

1. The program we use needs curl, so install curl first:

[root@localhost]# yum install curl

2. Download and extract the latest dehydrated release. The current version is 0.6.5; check https://github.com/lukas2511/dehydrated/releases yourself for the latest one:

[root@localhost]# curl -LO https://github.com/lukas2511/dehydrated/archive/v0.6.5.tar.gz
[root@localhost]# tar -zxv -f v0.6.5.tar.gz
[root@localhost]# cd dehydrated-0.6.5/

3. Install the program under /etc/dehydrated/ (the tarball extracted to ~/dehydrated-0.6.5/ in the previous step):

[root@localhost]# mkdir /etc/dehydrated/
[root@localhost]# cp ~/dehydrated-0.6.5/dehydrated /etc/dehydrated/
[root@localhost]# chmod a+x /etc/dehydrated/dehydrated

4. Create the directory needed during SSL certificate validation:

[root@localhost]# mkdir -p /var/www/dehydrated/

5. Configure Apache or nginx: in the virtual host to be validated, add the following (the Alias/location is a configuration directive, not a shell command):

# for Apache
Alias /.well-known/acme-challenge/ /var/www/dehydrated/
# for nginx
[root@localhost]# vim /etc/nginx/conf.d/default.conf
location /.well-known/acme-challenge/ {
    alias /var/www/dehydrated/;
}

6. The first time, you must agree to the Let's Encrypt terms:

[root@localhost]# /etc/dehydrated/dehydrated --register --accept-terms

7. Generate the SSL certificate for the first time; replace letsencrypt.tw with your own domain name:

[root@localhost]# /etc/dehydrated/dehydrated -c -d letsencrypt.tw
#===== the output below indicates success =====#
INFO: Using main config file /etc/dehydrated/config
Processing letsencrypt.tw
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting challenge for letsencrypt.tw...
+ Responding to challenge for letsencrypt.tw...
+ Challenge is valid!
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!

8. On success, all generated files are in /etc/dehydrated/certs/letsencrypt.tw/:

[root@localhost]# ll /etc/dehydrated/certs/letsencrypt.tw/
drwx------ 2 root root 4096 Feb 24 02:25 .
drwx------ 3 root root 4096 Feb 24 02:23 ..
-rw------- 1 root root 1651 Feb 24 02:25 cert-1456280700.csr
-rw------- 1 root root 2143 Feb 24 02:25 cert-1456280700.pem
lrwxrwxrwx 1 root root 19 Feb 24 02:25 cert.csr -> cert-1456280700.csr
lrwxrwxrwx 1 root root 19 Feb 24 02:25 cert.pem -> cert-1456280700.pem
-rw------- 1 root root 1675 Feb 24 02:25 chain-1456280700.pem
lrwxrwxrwx 1 root root 20 Feb 24 02:25 chain.pem -> chain-1456280700.pem
-rw------- 1 root root 3818 Feb 24 02:25 fullchain-1456280700.pem
lrwxrwxrwx 1 root root 24 Feb 24 02:25 fullchain.pem -> fullchain-1456280700.pem
-rw------- 1 root root 3243 Feb 24 02:25 privkey-1456280700.pem
lrwxrwxrwx 1 root root 22 Feb 24 02:25 privkey.pem -> privkey-1456280700.pem
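Before pointing Apache or nginx at that directory, it is worth checking that the layout really looks like the listing above. The following is an added example, not part of the original post or of the dehydrated project: a small POSIX shell function that verifies the four symlinks exist, point at the timestamped files dehydrated rotates between, and that the private key is not readable by other users (the listing shows -rw-------). The directory path is a parameter; the function name `cert_dir_check` is my own.

```shell
#!/bin/sh
# Added example (not from the original post or dehydrated): sanity-check a
# dehydrated certificate directory before using it in a web server config.
# Assumes the layout shown in the listing: cert.pem, chain.pem, fullchain.pem
# and privkey.pem are symlinks to <name>-<timestamp>.pem in the same directory.

# cert_dir_check DIR: returns 0 if DIR has the expected files and the private
# key mode is 0600 (or 0400); prints each problem found and returns 1 otherwise.
cert_dir_check() {
    dir=$1
    rc=0
    for name in cert chain fullchain privkey; do
        link="$dir/$name.pem"
        if [ ! -L "$link" ]; then
            echo "missing symlink: $link"
            rc=1
            continue
        fi
        target=$(readlink "$link")
        # dehydrated renews by re-pointing the symlink at a new timestamped
        # file, so the target must match <name>-<digits>.pem.
        case "$target" in
            "$name"-[0-9]*.pem) ;;
            *) echo "unexpected symlink target for $link: $target"; rc=1 ;;
        esac
        if [ ! -r "$dir/$target" ]; then
            echo "dangling symlink: $link -> $target"
            rc=1
        fi
    done
    # A group- or world-readable key lets any local user impersonate the site,
    # so insist on the 0600 the listing above shows (0400 is also acceptable).
    if [ -L "$dir/privkey.pem" ]; then
        mode=$(stat -c %a "$dir/$(readlink "$dir/privkey.pem")" 2>/dev/null)
        case "$mode" in
            600|400) ;;
            *) echo "privkey mode is '$mode', expected 600"; rc=1 ;;
        esac
    fi
    return $rc
}

# Usage: ./cert_dir_check.sh /etc/dehydrated/certs/letsencrypt.tw
if [ -n "${1:-}" ]; then
    cert_dir_check "$1" && echo "OK: $1"
fi
```

Run it after every renewal (or from the cron job) and treat a non-zero exit as a reason not to reload the web server: a dangling symlink or a missing chain file would otherwise take the site down at the next reload. `stat -c %a` is the GNU/BusyBox form; on BSD-style stat the mode query differs.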

9. Now modify the SSL settings of Apache or nginx:

# for Apache
[root@localhost]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/dehydrated/certs/letsencrypt.tw/cert.pem
SSLCertificateChainFile /etc/dehydrated/certs/letsencrypt.tw/chain.pem
SSLCertificateKeyFile /etc/dehydrated/certs/letsencrypt.tw/privkey.pem
# for nginx
[root@localhost]# vim /etc/nginx/conf.d/ssl.conf
ssl_certificate /etc/dehydrated/certs/letsencrypt.tw/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/letsencrypt.tw/privkey.pem;

10. Then reload the Apache or nginx configuration (or simply restart the service):

# for Apache
[root@localhost]# service httpd restart
# for nginx
[root@localhost]# service nginx reload

11. Next, set up /etc/cron.d/dehydrated-letsencrypt_tw (file names in /etc/cron.d/ may not contain the "." character, so "_" is used instead) so that cron checks and renews automatically every day. The sleep derives a per-host delay of up to one day from the hostname, so many hosts do not all contact Let's Encrypt at midnight; the "%" characters are escaped because cron treats an unescaped "%" as a newline:

# for Apache (this host uses httpd, as installed with yum above)
[root@localhost]# vim /etc/cron.d/dehydrated-letsencrypt_tw
0 0 * * * root sleep $(expr $(printf "\%d" "0x$(hostname | md5sum | cut -c 1-8)") \% 86400); ( /etc/dehydrated/dehydrated -c -d letsencrypt.tw; /usr/sbin/service httpd reload ) > /tmp/dehydrated-letsencrypt.tw.log 2>&1
# for nginx
[root@localhost]# vim /etc/cron.d/dehydrated-letsencrypt_tw
0 0 * * * root sleep $(expr $(printf "\%d" "0x$(hostname | md5sum | cut -c 1-8)") \% 86400); ( /etc/dehydrated/dehydrated -c -d letsencrypt.tw; /usr/sbin/service nginx reload ) > /tmp/dehydrated-letsencrypt.tw.log 2>&1
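The cron line above reloads the web server every night whether or not a certificate was renewed, and logs to a predictable path in /tmp. dehydrated can instead call a hook script, and only reload when it actually deployed a new certificate. The following is an added example, not part of the original post or of the dehydrated project: a hook script for dehydrated's documented `deploy_cert` / `unchanged_cert` hook calls, plus the same per-host splay as the cron line written as a function. The install path /etc/dehydrated/hook.sh, the `RELOAD_CMD` and `LOG_FILE` variables and the function names are my own assumptions; the hook is enabled with `HOOK=/etc/dehydrated/hook.sh` in /etc/dehydrated/config.

```shell
#!/bin/sh
# Added example (not from the original post or the dehydrated project):
# /etc/dehydrated/hook.sh, a dehydrated hook that reloads the web server only
# when a new certificate was installed. Assumes HOOK=/etc/dehydrated/hook.sh
# in /etc/dehydrated/config. RELOAD_CMD and LOG_FILE are hypothetical
# overrides so the script can be exercised without a running web server.

RELOAD_CMD=${RELOAD_CMD:-"/usr/sbin/service nginx reload"}
LOG_FILE=${LOG_FILE:-/var/log/dehydrated-hook.log}

# log MESSAGE: append a UTC-timestamped line to LOG_FILE (root-owned, not /tmp).
log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"
}

# splay_seconds HOSTNAME: the cron line's sleep as a function. Returns a
# deterministic delay in [0, 86399] derived from the first 32 bits of the
# hostname's MD5, so a fleet on the same schedule spreads over the day.
splay_seconds() {
    hex=$(printf '%s' "$1" | md5sum | cut -c 1-8)
    echo $(( 0x$hex % 86400 ))
}

# hook_dispatch HOOK ARGS...: entry point dehydrated calls. Only the hooks
# relevant to the webroot (HTTP-01) method used on this page are handled;
# the rest are silently ignored, which dehydrated allows.
hook_dispatch() {
    [ $# -gt 0 ] || return 0
    hook=$1
    shift
    case "$hook" in
        deploy_cert)
            # deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
            log "new certificate for $1 (key $2, fullchain $4, ts $6); reloading"
            $RELOAD_CMD
            ;;
        unchanged_cert)
            # unchanged_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE
            log "certificate for $1 still valid; no reload"
            ;;
        request_failure|invalid_challenge)
            # Worth recording: repeated failures here eat into the rate limits.
            log "$hook: $*"
            ;;
        *)
            ;;
    esac
}

hook_dispatch "$@"
```

With the hook in place the cron line shrinks to the sleep plus `/etc/dehydrated/dehydrated -c -d letsencrypt.tw`, with no reload of its own, and the log moves out of /tmp. For Apache set `RELOAD_CMD="/usr/sbin/service httpd reload"` in the script or its environment.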

Configuring SSL for multiple sites

If one host needs to serve several SSL certificates, add the settings to ssl.conf; with the configuration below a single host can run multiple SSL sites:

# for Apache
[root@localhost]# vim /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

##
## SSL Virtual Host Context
##
# NameVirtualHost must be present (Apache does not allow a trailing comment on a directive line, so it is given on its own line here)
NameVirtualHost *:443

<VirtualHost *:443>
    DocumentRoot "/var/www/letsencrypt.tw/www"
    ServerName www.letsencrypt.tw:443
    ErrorLog logs/www_ssl_error_log
    TransferLog logs/www_ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile /etc/dehydrated/certs/www.letsencrypt.tw/cert.pem
    SSLCertificateKeyFile /etc/dehydrated/certs/www.letsencrypt.tw/privkey.pem
    SSLCertificateChainFile /etc/dehydrated/certs/www.letsencrypt.tw/chain.pem
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/var/www/letsencrypt.tw/www"
    ServerName letsencrypt.tw:443
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile /etc/dehydrated/certs/letsencrypt.tw/cert.pem
    SSLCertificateKeyFile /etc/dehydrated/certs/letsencrypt.tw/privkey.pem
    SSLCertificateChainFile /etc/dehydrated/certs/letsencrypt.tw/chain.pem
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>