Let’s Encrypt – 2020 Edition

When Let’s Encrypt launched in 2015, I wrote about how to obtain a certificate from it. Five years later, the more convenient wildcard certificates are available, so let’s get started.

The environment used in this post is Ubuntu Server 20.04, with Cloudflare as the DNS hosting provider.

Obtaining a certificate

Before starting, get your Global API Key from Cloudflare: https://dash.cloudflare.com/profile/api-tokens

Once you have it, install the Let’s Encrypt packages on the server

apt install certbot python3-certbot-dns-cloudflare

After installation, create the file cloudflare.ini under /etc/letsencrypt and set the correct permissions on it

cd /etc/letsencrypt
touch cloudflare.ini
chmod 600 cloudflare.ini

Next, write the following settings into cloudflare.ini

# Cloudflare API credentials used by Certbot
dns_cloudflare_email = your_cloudflare_login_email
dns_cloudflare_api_key = api_key

Once configured, you can obtain the certificate from Let’s Encrypt. Because DNS validation is used, a wildcard certificate can be issued; the bepsvpt.me domain is used as the example here

certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini --agree-tos --email "your_personal_email" -d "bepsvpt.me" -d "*.bepsvpt.me"

After validation completes, the certificate files appear under /etc/letsencrypt/live/your-domain

cert.pem
chain.pem
fullchain.pem
privkey.pem

That completes obtaining the certificate

Automatic certificate renewal

If you use Nginx as your web server, first edit the config file under the /etc/letsencrypt/renewal directory and add the following setting to the [renewalparams] section (the last entry in that section should be server = ...)

renew_hook = /usr/sbin/service nginx reload

The config file should then look something like this

# renew_before_expiry = 30 days
...

# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
authenticator = dns-cloudflare
dns_cloudflare_credentials = /etc/letsencrypt/cloudflare.ini
server = https://acme-v02.api.letsencrypt.org/directory
renew_hook = /usr/sbin/service nginx reload

That completes the Nginx preparation

Next, test renewal with the certbot renew --dry-run command and confirm that the output contains something like the following

...

Cleaning up challenges
Dry run: skipping deploy hook command: /usr/sbin/service nginx reload

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is

...

** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:

...

If all is well, you can move on to the last step, the crontab setup; run the following command

crontab -e

This opens the crontab in your preferred editor; add the following line at the bottom

@weekly /usr/bin/certbot renew

Save and exit, then check the result with crontab -l; the output should contain the line @weekly /usr/bin/certbot renew

That completes the automatic renewal setup
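A pre-flight check for the setup above, written as an added example (not certbot’s own tooling and not from the original post): it verifies that the credentials file is mode 600 and owned by the expected user, and that the renewal config points at that file and carries a renew_hook inside [renewalparams]. The function names and the path arguments are assumptions of this example.

```shell
#!/bin/sh
# Added pre-flight helper (not part of certbot): checks the credentials file
# permissions and the renewal config described above. Paths are arguments.

# 0 if FILE is a regular file with mode 600 or 400 and owned by uid OWNER_UID
# (defaults to the current user; on a real server this should be root, uid 0).
check_secret_perms() {
  file=$1; owner_uid=${2:-$(id -u)}
  [ -f "$file" ] || { echo "missing credentials file: $file" >&2; return 1; }
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600|400) ;;
    *) echo "$file has mode $mode, expected 600 (run: chmod 600 $file)" >&2; return 1 ;;
  esac
  uid=$(stat -c '%u' "$file" 2>/dev/null || stat -f '%u' "$file")
  [ "$uid" = "$owner_uid" ] || { echo "$file owned by uid $uid, expected $owner_uid" >&2; return 1; }
}

# 0 if a renew_hook line sits inside the [renewalparams] section of CONF
# (a renew_hook line outside that section does not count).
has_renew_hook() {
  awk '
    /^\[/ { in_params = ($0 == "[renewalparams]"); next }
    in_params && /^[ \t]*renew_hook[ \t]*=/ { found = 1 }
    END { exit !found }
  ' "$1"
}

# Print the path given by dns_cloudflare_credentials in CONF (empty if absent).
credentials_path() {
  awk -F= '/^[ \t]*dns_cloudflare_credentials[ \t]*=/ {
    sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
  }' "$1"
}

# Run every check against one renewal config; 0 only if all of them pass.
preflight() {
  conf=$1
  [ -f "$conf" ] || { echo "missing renewal config: $conf" >&2; return 1; }
  has_renew_hook "$conf" || { echo "no renew_hook in [renewalparams] of $conf" >&2; return 1; }
  creds=$(credentials_path "$conf")
  [ -n "$creds" ] || { echo "no dns_cloudflare_credentials in $conf" >&2; return 1; }
  check_secret_perms "$creds" "$2"
}

# Usage: sh preflight.sh /etc/letsencrypt/renewal/bepsvpt.me.conf 0
if [ $# -gt 0 ]; then preflight "$@"; fi
```

Run it after editing the renewal config and before the dry run, so a world-readable cloudflare.ini or a hook in the wrong section is caught before the first scheduled renewal.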

Nginx SSL configuration

Here is a sample nginx.conf SSL configuration for reference (be sure to replace your-domain with your own domain)

##
# SSL Settings
##

ssl_certificate /etc/letsencrypt/live/your-domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your-domain/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/your-domain/chain.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_ecdh_curve X25519:secp384r1:secp521r1:prime256v1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets on;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.0.0.1 1.1.1.1;

That is everything for the Let’s Encrypt 2020 edition. If your finances allow, consider donating to Let’s Encrypt (https://letsencrypt.org/donate/) so that this great service can keep going for a long time!