Requesting and auto-renewing a Let's Encrypt SSL cert
Because I changed hosting, I had to install an SSL cert all over again. Earlier, in "Can't renew the SSL cert with WP Encrypt", I described using SSL For Free to request a free Let's Encrypt SSL cert. That approach was very convenient back when I was on hosting with no root control, but now that I have moved to an AWS EC2 instance that I can basically do whatever I like with, naturally I went looking for a way to automate the SSL cert renewal 😃
First, a word about the hosting machine. Since I'm lazy, I used an image from the AWS Marketplace, and I picked WordPress powered by Bitnami: one click and a few minutes' wait and it's done. No wonder Amazon makes so much money 🤣
The machine's OS is Ubuntu and the web server is apache2. Along the way I referred to a few articles online:
- One on how to request a Let's Encrypt SSL cert and set up auto renew
- One on how to restart apache on the AWS bitnami image and make apache use the cert
- Bitnami's official Let's Encrypt tutorial (Updated@21-Sep-2017)
- Certbot User Guide (Updated@30-Dec-2017)
The overall flow goes roughly like this:
- Update the machine first
$ sudo apt-get update
- Then install git
$ sudo apt-get -y install git
- Check out the Let's Encrypt source
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
- Stop apache first
$ sudo /opt/bitnami/ctlscript.sh stop apache
- Request the cert
$ cd /opt/letsencrypt
$ ./letsencrypt-auto certonly --standalone
(Updated@21-Sep-2017)
$ ./certbot-auto certonly --webroot -w <path>/htdocs/ -d <yourdomain>
- It will ask you some questions, such as your admin email, your domain, and whether you are willing to share data for feedback
- Afterwards you can find the generated cert and key here
/etc/letsencrypt/live/<yourdomain>
- You can check that everything is fine first
$ sudo ls /etc/letsencrypt/live/<yourdomain>
- If all went well you will see these four files
- cert.pem – your domain’s certificate
- chain.pem – the Let’s Encrypt chain certificate
- fullchain.pem – a concatenated (combined) file of cert.pem and chain.pem
- privkey.pem – your certificate’s private key
- Basically we only need to care about fullchain.pem and privkey.pem
- Next, of course, is configuring apache to use the Let's Encrypt SSL cert
- First go to apache's config file. Since I'm using the AWS bitnami image, the config is at
$ vim /opt/bitnami/apache2/conf/bitnami/bitnami.conf
- Then just find SSLCertificateFile and SSLCertificateKeyFile and change them to
SSLCertificateFile "/etc/letsencrypt/live/<yourdomain>/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/<yourdomain>/privkey.pem"
- Finally, of course, start apache back up
$ sudo /opt/bitnami/ctlscript.sh start apache
- Now when you visit your site over HTTPS you will see no warning
Next, how to get auto renew working. It's actually quite simple, since Let's Encrypt provides a renew API; however, if it detects that you already have a cert installed and you requested it less than 30 days ago, it will ignore the renew request (personally I don't think that matters). The idea behind the auto renew is to combine a crontab command with the renew API that Let's Encrypt provides:
- First, put the commands in a bash file. This has two advantages:
- You can test it
- If some day Let's Encrypt unluckily has to be moved, you won't have to touch the crontab
- So I created a file in /bin called certbotrenew.sh, with the following contents (Updated@30-Dec-2017)
#!/bin/bash
# Renew every Let's Encrypt cert that is due; on success, drop a timestamped
# marker file in the log directory and gracefully reload apache.
cd /opt/letsencrypt || exit 1
sudo ./certbot-auto renew --renew-hook "sudo touch {path to log directory}/renew-success-at-`date +%Y%m%d-%H%M%S`.txt && sudo apachectl -k graceful"
exit 0
- That way, when a cert is successfully renewed it writes a log file (named like renew-success-at-20171230-083934.txt), so we can trace when the renewal succeeded. It also restarts the web server (I'm using apache). (Updated@30-Dec-2017)
- Once it's created, try running it
$ sudo certbotrenew.sh
- You should see a pile of log messages (Updated@30-Dec-2017)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/leonlado-smallpig.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/leonlado-smallpig.com/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.
-------------------------------------------------------------------------------
- That's because my cert is still very new, so this is normal
- Now create a new cron job
$ sudo crontab -e
- Then specify how often the machine should run it. I followed the Let's Encrypt site's advice of twice a day
Note:
if you’re setting up a cron or systemd job, we recommend running it twice per day (it won’t do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let’s Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.
- So I set it to run at 0000 and 1200 (UTC)
# Renew SSL certificates using certbot / let's encrypt (twice/day)
0 */12 * * * /bin/certbotrenew.sh
- And that's it. If you want to view the log or check whether it ran, you can look here
$ sudo view /var/log/letsencrypt/letsencrypt.log
- To see whether the cert was switched and apache restarted successfully, look in the {path to log directory} you set in certbotrenew.sh
Finally I don't have to fuss with this every three months 😭
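The log above only tells you that certbot ran. As an added check script (not from the original post, certbot or Bitnami), the following reads the expiry date from openssl x509 -enddate, reports how many days the cert on disk has left and whether it is inside certbot's 30-day renew window, and confirms that the cert Apache actually presents on port 443 is the file on disk, which is the real proof that the reload hook worked. The cert path and the domain placeholder are assumptions.

```bash
#!/bin/bash
# Added check script (not from the original post, certbot or Bitnami): reports days left
# on the cert on disk, whether certbot renew would act on it (it renews when fewer than
# 30 days remain), and whether Apache really serves that file. Path and domain are assumed.
CERT="${CERT:-/etc/letsencrypt/live/<yourdomain>/fullchain.pem}"
RENEW_WINDOW_DAYS=30
# Days since 1970-01-01 for a civil date (year month day); plain arithmetic, no GNU date.
days_from_civil() {
    local y=$1 m=$2 d=$3 era yoe mp doy doe
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400)); yoe=$((y - era * 400)); mp=$(( (m + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}
# Turn an OpenSSL line such as "notAfter=Dec 30 08:39:34 2018 GMT" into a Unix timestamp.
expiry_epoch() {
    local m h mi s
    set -- ${1#notAfter=}          # now: $1=month $2=day $3=hh:mm:ss $4=year $5=zone
    case "$1" in Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;; May) m=5;; Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;; *) return 1;; esac
    h=${3%%:*}; mi=${3#*:}; s=${mi#*:}; mi=${mi%%:*}        # leading zeros stripped below
    echo $(( $(days_from_civil "$4" "$m" "$2") * 86400 + ${h#0} * 3600 + ${mi#0} * 60 + ${s#0} ))
}
# Whole days from a given "now" (epoch seconds) to expiry; negative means already expired.
days_until_expiry() {
    echo $(( ( $(expiry_epoch "$1") - $2 ) / 86400 ))
}
# Exit 0 when certbot renew would actually renew this cert.
needs_renewal() {
    [ "$(days_until_expiry "$1" "$2")" -lt "$RENEW_WINDOW_DAYS" ]
}
# Exit 0 when the cert presented on port 443 has the same SHA-256 fingerprint as the
# file on disk, i.e. Apache really picked up the renewed cert after the hook ran.
served_cert_matches() {
    local local_fp served_fp
    local_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$CERT") || return 1
    served_fp=$(openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256)
    [ -n "$served_fp" ] && [ "$local_fp" = "$served_fp" ]
}
if [ -r "$CERT" ]; then            # only meaningful on the host that holds the cert
    line=$(openssl x509 -enddate -noout -in "$CERT")
    echo "$(days_until_expiry "$line" "$(date +%s)") days until expiry"
    needs_renewal "$line" "$(date +%s)" && echo "inside certbot's renew window"
    served_cert_matches "${DOMAIN:-<yourdomain>}" && echo "Apache serves the cert on disk" ||
        echo "served cert differs from disk: was Apache reloaded?"
fi
```

Run it on the EC2 host (with CERT and DOMAIN set) after the cron job has fired to confirm both the renewal and the reload.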