1. 实验背景
服务器:CentOS7.x
示例域名: www.example.com
域名对应的web站点目录: /usr/local/openresty/nginx/html
2. 安装docker
# yum -y install yum-utils
# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# yum list docker-ce --showduplicates | sort -r
# yum -y install docker-ce-17.12.0.ce
3. 添加镜像加速仓库
# tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://m3e4jmm0.mirror.aliyuncs.com"]
}
EOF
# systemctl restart docker
# systemctl restart docker
4. 拉取 certbot 工具镜像
# docker pull certbot/certbot:v1.11.0
v1.11.0: Pulling from certbot/certbot
801bfaa63ef2: Pull complete
7678dd7631a2: Pull complete
4c6139ab40d8: Pull complete
ff5ef8cd8062: Pull complete
73dee1f700a1: Pull complete
3dfb7190edf9: Pull complete
176bf1686307: Pull complete
fe1749c3045d: Pull complete
5a79fca54080: Pull complete
e57ac51359f9: Pull complete
88988e2ba14a: Pull complete
a916063ca8d3: Pull complete
168ae0b7107a: Pull complete
d0bd333abff4: Pull complete
Digest: sha256:fecbc1f03607f961d20a6c6b0624507e42e6dea7c7f1548e2cbb8c3782b35da9
Status: Downloaded newer image for certbot/certbot:v1.11.0
5 . 测试示例域名解析
# nslookup www.exanple.com
Server: 114.114.114.114
Address: 114.114.114.114#53
Non-authoritative answer:
Name: www.exanple.com
Address: 199.59.243.224
注意,示例域名 www.exanple.com在certbot机器上一定要解析在公网ip,而不是解析在内网ip,否则会报错无法解析:
Waiting for verification...
Challenge failed for domain www.example.com
http-01 challenge for www.example.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.example.com
Type: dns
Detail: DNS problem: query timed out looking up A forwww.example.com;
DNS problem: query timed out looking up AAAA for www.example.com
6. 生成证书
# mkdir -p /etc/letsencrypt
# docker run -it --rm -v /etc/letsencrypt:/etc/letsencrypt -v /usr/local/openresty/nginx/html:/usr/local/openresty/nginx/html certbot/certbot:v1.11.0 certonly --webroot -w /usr/local/openresty/nginx/html -d www.example.com -m 123456789@qq.com --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for www.example.com
Performing the following challenges:
http-01 challenge for www.example.com
Using the webroot path /usr/local/openresty/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: 123456789@qq.com).
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.example.com/privkey.pem
Your certificate will expire on 2023-12-28. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Let’s Encrypt需要验证网站的所有权才能颁发证书, 官方称之为challenge(挑战)。
生成证书期间,Certbot工具在nginx的web目录 /usr/local/openresty/nginx/html/ 下创建隐藏临时文件夹 .well-known/acme-challenge,生成一个临时随机字符串文件 CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI
Certbot 会让 Let’s Encrypt 通过公网访问 http://www.example.com/.well-known/acme-challenge/CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI 校验,如果文件内容对得上就签发。
证书签发完成后,Certbot 会删除该临时文件夹,所以如果要观察这个文件,需要在证书签发期间去cat一下。
# cat /usr/local/openresty/nginx/html/.well-known/acme-challenge/CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI
CWJ_QNbAkYkivgJWUD1wxF84fIg5sGTeTy2CeWQVwlI.sHK8K8we80hc978Nkuo1I8tCjj8VA3D87bVwb7Y8ZwM
7. 验证证书
# ll /etc/letsencrypt/live/www.example.com/
total 4.0K
lrwxrwxrwx 1 root root 41 Sep 29 09:55 cert.pem -> ../../archive/www.example.com/cert1.pem
lrwxrwxrwx 1 root root 42 Sep 29 09:55 chain.pem -> ../../archive/www.example.com/chain1.pem
lrwxrwxrwx 1 root root 46 Sep 29 09:55 fullchain.pem -> ../../archive/www.example.com/fullchain1.pem
lrwxrwxrwx 1 root root 44 Sep 29 09:55 privkey.pem -> ../../archive/www.example.com/privkey1.pem
-rw-r----- 1 root root 692 Sep 29 09:55 README
证书: /etc/letsencrypt/live/www.example.com/fullchain.pem
私钥: /etc/letsencrypt/live/www.example.com/privkey.pem
# openssl x509 -noout -text -in /etc/letsencrypt/live/www.example.com/fullchain.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:bb:52:8d:5a:6f:03:cc:f1:06:12:75:b0:2f:1e:8a:e6:12
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=R3
Validity
Not Before: Sep 29 00:55:29 2023 GMT
Not After : Dec 28 00:55:28 2023 GMT
Subject: CN=www.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c2:d4:38:10:96:f9:7a:ef:10:00:98:1d:a3:ed:
c8:96:71:60:02:ed:8d:32:99:0e:15:11:a4:14:e1:
32:c8:31:75:fa:90:b2:55:3e:c1:6a:2a:f6:3f:ac:
62:1b:f8:cc:0e:bc:4a:27:ea:94:2b:eb:78:49:d1:
f9:c4:5e:f0:12:7f:c5:95:0d:cc:31:b3:8e:f0:ec:
3e:55:b6:97:17:b0:0d:32:35:72:1a:82:87:4f:81:
a0:07:60:7b:b8:03:2e:75:e8:7a:3b:1d:69:40:04:
de:50:36:e8:49:b9:82:25:1d:30:3d:38:16:28:ad:
df:a3:c8:d1:80:a6:87:45:e9:6a:2c:75:5b:06:0f:
97:1e:15:d2:f9:c9:59:9a:9e:ee:5a:4f:bd:14:74:
36:d1:4b:47:0b:c5:8d:75:b7:e7:e0:53:28:41:1f:
b7:05:ae:2f:29:86:98:6f:75:64:e7:83:fd:ce:12:
e2:fc:12:5d:01:01:18:e6:74:1f:83:6a:58:21:01:
99:68:62:8c:29:82:7e:6e:ad:26:50:6b:5d:70:73:
21:5e:19:e1:0c:35:71:53:b7:de:21:66:6e:e4:d9:
32:5e:14:0c:24:2a:00:63:f9:8b:b7:84:12:28:1d:
90:99:4b:08:bc:82:f8:15:68:9d:64:09:ea:1f:bf:
97:3f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
9F:7A:1C:81:35:31:13:62:6E:F6:84:CB:5D:67:2A:41:A5:1C:6F:AC
X509v3 Authority Key Identifier:
keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:www.example.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
Timestamp : Sep 29 01:55:29.732 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:04:02:FF:43:4D:F2:B4:EA:9F:A0:22:F7:
5A:C6:81:48:C2:A2:91:FE:5C:D7:3D:19:8D:6E:58:64:
06:20:6E:4C:02:21:00:E0:AB:A8:2F:FD:D6:58:E1:62:
6F:A6:94:F3:D8:5D:02:5E:52:1E:00:06:BD:58:B5:00:
F5:8A:C1:7C:EB:33:B5
Signed Certificate Timestamp:
Version : v1(0)
Log ID : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9:
03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E
Timestamp : Sep 29 01:55:29.706 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:CE:03:25:26:CF:0E:65:22:9B:9E:EF:
41:CE:6E:AD:EF:FE:B9:FB:66:4F:D9:0A:40:EE:A4:48:
C5:1D:2A:DD:98:02:20:55:84:8F:49:51:E7:47:B7:46:
A4:09:AB:C2:54:F1:65:79:67:C3:7F:DE:6B:9F:77:96:
CF:81:A4:0D:F1:A1:8F
Signature Algorithm: sha256WithRSAEncryption
2d:c1:21:8b:3e:68:d8:df:47:bd:2e:b9:50:ea:cb:23:8d:ba:
ea:17:09:15:27:cb:74:6d:6b:83:9e:a8:19:e3:75:6a:e4:ac:
d2:13:6c:a0:d7:b1:2f:63:f4:f4:6f:86:51:af:37:8f:04:63:
7b:6b:df:93:87:56:a2:0a:1a:79:df:f5:9d:a8:2e:45:7f:83:
3e:b7:d8:a5:5e:59:c3:27:b7:9f:59:24:bc:d5:22:05:db:84:
8e:db:0f:c3:1b:50:d6:c2:3e:38:8c:6e:99:29:bf:42:f7:b2:
52:36:91:58:6e:fc:cf:ef:dd:ef:45:4c:9c:b9:9e:bb:53:49:
a1:98:7a:ce:3b:c2:dd:38:06:c5:45:06:74:1e:da:5b:30:43:
1a:82:95:ff:2c:d0:aa:f2:96:a3:0d:50:90:d1:ec:2b:9e:a9:
22:3a:0e:93:9a:5c:ce:4f:c8:74:e3:c0:37:cc:4d:6f:48:3f:
aa:6e:11:2c:79:3b:ce:b9:30:13:78:96:e7:ce:89:c6:d4:63:
7d:3a:97:83:97:f3:a6:f0:a5:46:6a:90:4e:cf:eb:c0:13:7e:
a9:01:bd:a9:b8:e1:01:2f:21:84:6c:9b:0c:b3:48:9b:48:a9:
5b:b6:e3:48:91:68:56:fa:3a:26:92:88:51:c8:a8:84:17:52:
45:d9:77:6d
https://myssl.com/cert_decode.html
8. 参考
Linux上 基于x86 和 arm CPU架构安装 docker
https://www.jianshu.com/p/99373f14b990
CentOS7.x cerbot 安装使用
https://www.jianshu.com/p/735ed33feaa3
