note: Requesting a free SSL certificate with certbot (Let's Encrypt)

2021-11-05 13:22

Install certbot (CentOS)

yum install epel-release -y

yum install certbot -y


Requesting an SSL certificate

Fully automatic request

$ certbot certonly -m 你的信箱@gmail.com \
   -d www.abc.com.tw \
   --webroot -w /var/www/www.abc.com.tw/
      The last argument is the website's document root. certbot creates the directory
      .well-known/acme-challenge under it and places the validation file there,
      which is how ownership is proven  --> reference: ACME validation methods

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for www.abc.com.tw
Performing the following challenges:
http-01 challenge for www.abc.com.tw
Using the webroot path /var/www/www.abc.com.tw for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.abc.com.tw/fullchain.pem   <- the issued certificate (with chain)
   Your key file has been saved at:
   /etc/letsencrypt/live/www.abc.com.tw/privkey.pem     <- the private key
   Your certificate will expire on 2022-02-09. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Manual request

$ certbot certonly --manual -m 你的信箱@gmail.com -d www.abc.com.tw

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for www.abc.com.tw
Performing the following challenges:
http-01 challenge for www.abc.com.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

3gr6wuYFnYxFoi6nwxmVp6lTyoKLAT9Uj3WG_Khegtw.0BfIxtz1Z3dmos2Ek54Up3SEbb6wicWc3TWJQrNz_b8

And make it available on your web server at this URL:

http://www.abc.com.tw/.well-known/acme-challenge/3gr6wuYFnYxFoi6nwxmVp6lTyoKLAT9Uj3WG_Khegtw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue   <- the cursor stops here
At this point you have to create the requested file yourself under the website's document root:
first create the subdirectory .well-known/acme-challenge,
then add a file named 3gr6wuYFnYxFoi6nwxmVp6lTyoKLAT9Uj3WG_Khegtw
whose content is the single line: 3gr6wuYFnYxFoi6nwxmVp6lTyoKLAT9Uj3WG_Khegtw.0BfIxtz1Z3dmos2Ek54Up3SEbb6wicWc3TWJQrNz_b8
Then check in a browser that it is served correctly:
  http://www.abc.com.tw/.well-known/acme-challenge/3gr6wuYFnYxFoi6nwxmVp6lTyoKLAT9Uj3WG_Khegtw
If that works, press Enter and the request succeeds


To put several domains on the same certificate:

$ certbot certonly --manual -m 你的信箱@gmail.com \
  -d www.abc.com.tw \
  -d xyz.abc.com.tw

After pressing Enter there are two HTTP validation files to handle by hand, one per domain:
http://www.abc.com.tw/.well-known/acme-challenge/xxxxxxxx
http://xyz.abc.com.tw/.well-known/acme-challenge/zzzz
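Added example, not part of the original note: a small POSIX shell script that performs the manual steps above for one domain. It creates .well-known/acme-challenge under the document root, writes the key authorization string certbot printed into a file named after the token, and then fetches the URL over plain HTTP the way the CA does, comparing the body with the expected value. For the multi-domain case, run it once per domain before pressing Enter. The script and its function names are mine; WEBROOT, DOMAIN, TOKEN and KEYAUTH are the values taken from the certbot prompt, and curl is assumed to be installed.

```shell
#!/bin/sh
# Manual http-01 helper (added example, not certbot's own code).
# Usage: ./http01.sh WEBROOT DOMAIN TOKEN KEYAUTH
#   TOKEN   = last path segment of the URL certbot prints
#   KEYAUTH = the "Create a file containing just this data" string
#             (the token, a dot, then the account-key thumbprint)

# Write KEYAUTH to WEBROOT/.well-known/acme-challenge/TOKEN and print that path.
place_http01_challenge() {
    webroot=$1; token=$2; keyauth=$3
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    # printf, not echo: the file must hold exactly the key authorization, no newline
    printf '%s' "$keyauth" > "$dir/$token"
    # world-readable so the web server user can serve it; no execute bit needed
    chmod 644 "$dir/$token"
    printf '%s\n' "$dir/$token"
}

# Fetch the challenge the way Let's Encrypt does: plain HTTP on port 80,
# following redirects (the CA follows them as well). Returns 1 on any mismatch.
verify_http01_challenge() {
    domain=$1; token=$2; keyauth=$3
    url="http://$domain/.well-known/acme-challenge/$token"
    body=$(curl -fsSL --max-time 10 "$url") || { echo "FAIL: cannot fetch $url" >&2; return 1; }
    if [ "$body" != "$keyauth" ]; then
        echo "FAIL: $url serves something other than the key authorization" >&2
        return 1
    fi
    echo "OK: $url serves the expected key authorization"
}

# Remove the file once certbot has finished, so old tokens do not pile up.
cleanup_http01_challenge() {
    rm -f "$1/.well-known/acme-challenge/$2"
}

main() {
    [ $# -eq 4 ] || { echo "usage: $0 WEBROOT DOMAIN TOKEN KEYAUTH" >&2; exit 2; }
    place_http01_challenge "$1" "$3" "$4"
    verify_http01_challenge "$2" "$3" "$4"
}

# Only act when called with arguments; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

If the verification step fails while the file is in place, the usual causes are a web server that rewrites /.well-known/ to the application (see the try_files rule in the nginx configuration further down) or a redirect to a host that does not have the file.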



Requesting a wildcard SSL certificate (manual)

Wildcard validation is more involved: certbot has to confirm that you control the whole domain ( *.abc.com.tw ), which is done through a DNS record (dns-01) rather than a file on the web server
$ certbot certonly --manual --agree-tos \
  -d "*.abc.com.tw" \
  --email [email protected] \
  --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/abc.com.tw.conf)

It contains these names: *.abc.com.tw

You requested these names for the new certificate: *.abc.com.tw

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate for *.abc.com.tw
Performing the following challenges:
dns-01 challenge for abc.com.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.abc.com.tw with the following value:

5Ca50v4bJRNMg0HBAPpJx3f_JH-PTiHWeEASMq7QyiI

Before continuing, verify the record is deployed.           
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
  The screen stops here; you need to change the DNS records.
  With Cloudflare, for example, just add a record of type TXT, as in the figure below:

  If you run your own name server (bind),
  just add one line to the zone:
  _acme-challenge         TXT     "5Ca50v4bJRNMg0HBAPpJx3f_JH-PTiHWeEASMq7QyiI"

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/abc.com.tw/fullchain.pem  <- the issued *.abc.com.tw certificate (with chain)
   Your key file has been saved at:
   /etc/letsencrypt/live/abc.com.tw/privkey.pem     <- the private key for *.abc.com.tw
   Your certificate will expire on 2022-05-12. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
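Added example, not part of the original note: a pre-check for the dns-01 step above. certbot waits at "Press Enter to Continue", and pressing Enter before the TXT record is visible to the world fails the challenge. The script below polls _acme-challenge.DOMAIN with dig until the record carries the value certbot printed (dig wraps TXT data in double quotes, which are stripped before comparing). The function names are mine, dig (bind-utils on CentOS) is assumed to be installed, and the domain and value in the usage line are the note's example values.

```shell
#!/bin/sh
# dns-01 pre-check (added example, not certbot's own code).
# Usage: ./dns01-check.sh abc.com.tw 5Ca50v4bJRNMg0HBAPpJx3f_JH-PTiHWeEASMq7QyiI

# Raw TXT answer for _acme-challenge.DOMAIN, one record per line.
lookup_txt() {
    dig +short TXT "_acme-challenge.$1" 2>/dev/null
}

# Pure check: does any record in a dig answer equal EXPECTED exactly?
# Several TXT records under the same name are allowed (e.g. one per pending
# challenge), so match whole lines rather than substrings.
txt_has_value() {
    printf '%s\n' "$1" | tr -d '"' | grep -Fxq -- "$2"
}

# Poll until the record shows up; DNS changes take time to propagate and the
# CA asks the authoritative servers, so a stale local cache is not the issue.
wait_for_txt() {
    domain=$1; expected=$2; tries=${3:-12}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if txt_has_value "$(lookup_txt "$domain")" "$expected"; then
            echo "OK: _acme-challenge.$domain has the expected TXT value; safe to press Enter"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "FAIL: record not visible after $tries attempts; do not press Enter yet" >&2
    return 1
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 DOMAIN EXPECTED_TXT_VALUE" >&2; exit 2; }
    wait_for_txt "$1" "$2"
}

# Only act when called with arguments; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Once the certificate is issued the TXT record can be deleted; certbot asks for a fresh value at every renewal, so leaving old ones in place only clutters the zone.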



Installing the SSL certificate


Apache httpd

<VirtualHost _default_:443>
  DocumentRoot "/var/www/www.abc.com.tw"
  ServerName www.abc.com.tw

  ErrorLog    logs/error_log
  TransferLog logs/access_log

  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCertificateKeyFile   /etc/letsencrypt/live/www.abc.com.tw/privkey.pem
  SSLCertificateFile      /etc/letsencrypt/live/www.abc.com.tw/fullchain.pem
</VirtualHost>


Nginx

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  www.abc.com.tw;

    root /var/www/www.abc.com.tw;
    index index.php index.html;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ssl_certificate_key "/etc/letsencrypt/live/www.abc.com.tw/privkey.pem";
    # ssl_certificate   "/etc/letsencrypt/live/www.abc.com.tw/fullchain.pem";
     # WARNING!! The (commented-out) line above is the one that caused trouble here!
     # With it active, nginx failed to start with:
     # nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/letsencrypt/live/nidbox.cc/privkey.pem") failed
     # (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

     # Use the line below instead; the bundle_chained.pem file has to be built by hand (explained below)
    ssl_certificate     "/etc/letsencrypt/live/www.abc.com.tw/bundle_chained.pem";

    ssl_protocols TLSv1.2 TLSv1.3; 
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;

    server_tokens off;

    # framework rewrite
    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~* \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

Building the bundle_chained.pem file

# cd /etc/letsencrypt/live/www.abc.com.tw    (switch to the certificate directory)
# cat cert.pem chain.pem > bundle_chained.pem
Official nginx documentation for HTTPS servers:
http://nginx.org/en/docs/http/configuring_https_servers.html
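Added example, not part of the original note: a pairing check for the error quoted in the nginx section. "X509_check_private_key:key values mismatch" means the private key nginx loaded does not belong to the first certificate in the file named by ssl_certificate. Whichever bundle is used (certbot's own fullchain.pem is cert.pem followed by chain.pem, so a hand-built bundle carries the same first certificate), the two files have to come from the same issuance. The script compares the public key inside the certificate with the public key derived from privkey.pem and says which it found. Only openssl is required; the function names are mine and the paths in the usage line are the note's example paths.

```shell
#!/bin/sh
# Certificate / private-key pairing check (added example, not from the note).
# Usage: ./check-pair.sh /etc/letsencrypt/live/www.abc.com.tw/bundle_chained.pem \
#                        /etc/letsencrypt/live/www.abc.com.tw/privkey.pem

# Public key (PEM SubjectPublicKeyInfo) carried in the certificate.
# openssl x509 parses only the first PEM block, which in fullchain.pem or the
# hand-made bundle is the server certificate, so either file can be passed.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Public key derived from the private key, in the same PEM form, so the two
# can be compared as text. Works for RSA and ECDSA keys alike.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# 0 when the pair belongs together; 1 when nginx would refuse it with
# "X509_check_private_key:key values mismatch"; 2 when a file cannot be parsed.
cert_key_match() {
    c=$(cert_pubkey "$1") || { echo "ERROR: cannot read a certificate from $1" >&2; return 2; }
    k=$(key_pubkey "$2")  || { echo "ERROR: cannot read a private key from $2" >&2; return 2; }
    [ -n "$c" ] || return 2
    if [ "$c" = "$k" ]; then
        echo "OK: $1 and $2 carry the same public key"
        return 0
    fi
    echo "MISMATCH: the certificate in $1 was not issued for the key in $2" >&2
    return 1
}

# Only act when called with both paths; sourcing the file just defines the functions.
if [ $# -eq 2 ]; then
    cert_key_match "$1" "$2"
fi
```

A mismatch after a successful certbot run usually means the two paths point at different lineages (for example a cert copied from another directory, or a bundle built from an older cert.pem), since certbot always writes privkey.pem and cert.pem together.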


When the certificate is about to expire and needs renewing,
a single command renews it:
$ sudo certbot renew  (renews all certificates)
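Added example, not part of the original note: certbot renew rewrites the files under /etc/letsencrypt/live/..., but nothing rebuilds the hand-made bundle_chained.pem or tells nginx to reload, so after a renewal nginx would keep serving the old certificate until it is restarted. A deploy hook closes that gap: certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ once per lineage it actually renewed, with RENEWED_LINEAGE set to that lineage's directory. The script below regenerates the bundle atomically, lets nginx -t validate the new cert/key pair, and only then reloads. The function names are mine; RENEWED_LINEAGE and the hook directory are certbot's.

```shell
#!/bin/sh
# Deploy hook for "certbot renew" (added example, not from the note).
# Install as /etc/letsencrypt/renewal-hooks/deploy/rebuild-bundle.sh (chmod 755).
# certbot runs it once per renewed lineage with RENEWED_LINEAGE set to the
# lineage directory, e.g. /etc/letsencrypt/live/www.abc.com.tw.
set -e

# Rebuild LINEAGE/bundle_chained.pem from cert.pem + chain.pem. Write to a
# temp file and rename, so nginx can never read a half-written bundle.
rebuild_bundle() {
    lineage=$1
    tmp="$lineage/.bundle_chained.tmp"
    cat "$lineage/cert.pem" "$lineage/chain.pem" > "$tmp"
    chmod 644 "$tmp"   # certificates are public; privkey.pem keeps the mode certbot gave it
    mv -f "$tmp" "$lineage/bundle_chained.pem"
    printf '%s\n' "$lineage/bundle_chained.pem"
}

# nginx -t loads every ssl_certificate / ssl_certificate_key pair, so a bundle
# that does not match the key is caught here instead of taking the server down.
reload_nginx() {
    nginx -t && nginx -s reload
}

deploy_hook() {
    bundle=$(rebuild_bundle "${RENEWED_LINEAGE:?certbot sets RENEWED_LINEAGE for deploy hooks}")
    echo "rebuilt $bundle for ${RENEWED_DOMAINS:-unknown domains}"
    reload_nginx
}

# Only act when run by certbot (RENEWED_LINEAGE set); sourcing the file for
# testing or reading leaves the functions defined without side effects.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Renewal itself should run unattended: if the certbot package did not install a systemd timer, a cron line such as `0 3 * * * certbot renew -q` is enough, and the hook above runs only on the days a certificate was actually renewed.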


Checking the expiry date of an SSL/TLS certificate
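Added example, not part of the original note: two ways to read a certificate's expiry with openssl. The first inspects a PEM file on disk (cert.pem, fullchain.pem or the hand-made bundle all start with the server certificate) and uses openssl's own -checkend test to decide whether it is still valid a given number of days from now; the second asks the live server, with SNI set so the right virtual host answers, which is the only check that notices a certificate renewed on disk but never reloaded into nginx. Function names are mine; the paths and hostname in the usage lines are the note's example values.

```shell
#!/bin/sh
# Certificate expiry checks (added example, not from the note).
# Usage: ./expiry.sh file /etc/letsencrypt/live/www.abc.com.tw/cert.pem
#        ./expiry.sh host www.abc.com.tw

# notAfter of the first certificate in a PEM file, e.g. "Feb  9 12:00:00 2022 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# 0 if the certificate in FILE is still valid DAYS days from now,
# 1 if it expires inside that window (or has already expired).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# notAfter of the certificate the server actually presents for HOST.
served_not_after() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

main() {
    case "${1:-}" in
        file)
            echo "notAfter: $(cert_not_after "$2")"
            if cert_valid_for_days "$2" 30; then
                echo "OK: more than 30 days left"
            else
                echo "RENEW: expires within 30 days (or already expired)"
                return 1
            fi ;;
        host)
            echo "served notAfter: $(served_not_after "$2")" ;;
        *)
            echo "usage: $0 file CERT.pem | host HOSTNAME" >&2
            return 2 ;;
    esac
}

# Only act when called with arguments; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Let's Encrypt certificates are valid for 90 days and certbot renew replaces them when fewer than 30 remain, so a file that reports fewer than 30 days on a machine where renewal is scheduled means the renewal job is not running.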