使用Docker创建Let‘s Encrypt SSL证书
如果你的网站还在非https下裸奔,那你肯定out了,过去SSL证书价格昂贵,但今天我们很幸运Let‘s Encrypt为我们提供了免费的证书服务,本文主要介绍如何利用docker-compose运行certbot免污染主机环境的申请SSL证书、Nginx下证书的安装以及证书更新。
为什么要使用https
今天再讨论为什么要使用https感觉有些多余,简单说无非就是以下几点
- 去掉浏览器上讨厌的不安全提示
- 防止网站被劫持
- 为了使用http2
Let‘s Encrypt是什么
Let‘s Encrypt是一个免费的SSL证书认证机构
Let's Encrypt是一个于2015年三季度推出的数字证书认证机构,旨在以自动化流程消除手动创建和安装证书的复杂流程,并推广使万维网服务器的加密连接无所不在,为安全网站提供免费的SSL/TLS证书。 来自维基百科
Get Started
Let‘s Encrypt使用ACME协议验证域名及签发证书,官方推荐使用Certbot做为ACME Client客户端,可以在 Certbot官网首页获取到安装方法。
既然是安装,少不了各种依赖,作为有洁癖的工程师,我们肯定不希望这些依赖污染了我们服务器的纯洁度,这时docker的价值就凸显出来了,并且主要的docker仓库都已经集成了certbot/certbot镜像。
Apply for Certificate
Docker如何安装就不多说了,教程已经泛滥了,在docker下使用Certbot非常简单,执行如下shell就可以了:
sudo docker run -it --rm --name certbot \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
certbot/certbot certonly
当然为了后续的管理,使用docker-compose将会更方便,可以使用以下方式替代上面的shell:
首先在一个空目录新建立一个docker-compose.yml文件,内容如下
version: '3'
services:
certbot:
container_name: certbot
image: certbot/certbot
volumes:
- ./letsencrypt/etc:/etc/letsencrypt
- ./letsencrypt/lib:/var/lib/letsencrypt
- ./letsencrypt/log:/var/log/letsencrypt
- ./webroot/www:/var/www
然后运行
docker-compose run certbot certonly
根据提示操作,以下示例使用webroot方式,通常服务器80和443已有服务在使用,standalone适合没有提供服务的新服务器。
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): yourmail@mail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): yourdomain.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yourdomain.com
Input the webroot for yourdomain.com: (Enter 'c' to cancel): /var/www/html
Select the webroot for yourdomain.com:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Enter a new webroot
2: /var/www/html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yourdomain.com/privkey.pem
Your cert will expire on 2018-**-**. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
看到Congratulations就说明成功了,如果出错了也没关系,一般/var/log/letsencrypt/letsencrypt.log日志都有记录原因
生成的证书在/etc/letsencrypt/live里面按域名分类,注意/etc/letsencrypt/live里的证书都是指向到/etc/letsencrypt/archive/里的软连接,如果要挂载到另一个docker容器必须两个目录一起挂载。
Setup Nginx
在对应server配置中增加如下配置开启ssl
ssl on;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
还可以顺便开启http2
listen 443 ssl http2;
通过代理可以将http网站包装成https网站
location / {
proxy_pass http://localhost:8080;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto https;
}
通过配置error_page 497,从此跟http说再见吧,记得.well-known虚拟目录指向到在生成证书时Input the webroot for yourdomain.com:这一步的目录,后续更新还需要验证域名,参考如下配置
server {
listen 80;
listen 443 http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
error_page 497 https://$host$request_uri;
location /.well-known/ {
root /var/www/html/;
}
}
Renewal
执行如下shell自动更新
docker-compose run certbot renew
当然可以配置为cron任务定时执行