如果你的网站还在非https下裸奔,那你肯定out了,过去SSL证书价格昂贵,但今天我们很幸运Let‘s Encrypt为我们提供了免费的证书服务,本文主要介绍如何利用docker-compose运行certbot免污染主机环境的申请SSL证书、Nginx下证书的安装以及证书更新。

为什么要使用https

今天再讨论为什么要使用https感觉有些多余,简单说无非就是以下几点

  • 去掉浏览器上讨厌的不安全提示
  • 防止网站被劫持
  • 为了使用http2

Let‘s Encrypt是什么

Let‘s Encrypt是一个免费的SSL证书认证机构

Let's Encrypt是一个于2015年三季度推出的数字证书认证机构,旨在以自动化流程消除手动创建和安装证书的复杂流程,并推广使万维网服务器的加密连接无所不在,为安全网站提供免费的SSL/TLS证书。 来自维基百科

Get Started

Let‘s Encrypt使用ACME协议验证域名及签发证书,官方推荐使用Certbot做为ACME Client客户端,可以在 Certbot官网首页获取到安装方法。

既然是安装,少不了各种依赖,作为有洁癖的工程师,我们肯定不希望这些依赖污染了我们服务器的纯洁度,这时docker的价值就凸显出来了,并且主要的docker仓库都已经集成了certbot/certbot镜像。

Apply for Certificate

Docker如何安装就不多说了,教程已经泛滥了,在docker下使用Certbot非常简单,执行如下shell就可以了:

sudo docker run -it --rm --name certbot \
 -v "/etc/letsencrypt:/etc/letsencrypt" \
 -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
 certbot/certbot certonly

当然为了后续的管理,使用docker-compose将会更方便,可以使用以下方式替代上面的shell:

首先在一个空目录新建立一个docker-compose.yml文件,内容如下

version: '3'
services:
  certbot:
    container_name: certbot
    image: certbot/certbot
    volumes:
      - ./letsencrypt/etc:/etc/letsencrypt
      - ./letsencrypt/lib:/var/lib/letsencrypt
      - ./letsencrypt/log:/var/log/letsencrypt
      - ./webroot/www:/var/www

然后运行

docker-compose run certbot certonly

根据提示操作,以下示例使用webroot方式,通常服务器80和443已有服务在使用,standalone适合没有提供服务的新服务器。

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): yourmail@mail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): yourdomain.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yourdomain.com
Input the webroot for yourdomain.com: (Enter 'c' to cancel): /var/www/html


Select the webroot for yourdomain.com:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Enter a new webroot
2: /var/www/html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yourdomain.com/privkey.pem
   Your cert will expire on 2018-**-**. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

看到Congratulations就说明成功了,如果出错了也没关系,一般/var/log/letsencrypt/letsencrypt.log日志都有记录原因

生成的证书在/etc/letsencrypt/live里面按域名分类,注意/etc/letsencrypt/live里的证书都是指向到/etc/letsencrypt/archive/里的软连接,如果要挂载到另一个docker容器必须两个目录一起挂载。

Setup Nginx

在对应server配置中增加如下配置开启ssl

ssl on;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

还可以顺便开启http2

listen 443 ssl http2;

通过代理可以将http网站包装成https网站

location / {
	proxy_pass http://localhost:8080;
	proxy_redirect   off;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Host $server_name;
	proxy_set_header X-Forwarded-Proto https;
}

通过配置error_page 497,从此跟http说再见吧,记得.well-known虚拟目录指向到在生成证书时Input the webroot for yourdomain.com:这一步的目录,后续更新还需要验证域名,参考如下配置

server {
	listen 80;
	listen 443 http2;
	ssl on;
	ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
	error_page 497 https://$host$request_uri;
	location /.well-known/ {
		root /var/www/html/;
	}
}

Renewal

执行如下shell自动更新

docker-compose run certbot renew

当然可以配置为cron任务定时执行