Let's Encrypt免费ssl证书（基于haproxy负载） · java development

# Let's Encrypt免费ssl证书（基于haproxy负载） - [1. 条件](#1__4) - [2. 实施](#2__10) - [2.1 准备工具](#21__12) - [2.1.1 下载](#211__14) - [2.1.2 安装](#212__17) - [2.2 获取证书](#22__41) - [2.3 配置haproxy](#23_haproxy_87) - [2.3.1 条件](#231__89) - [2.3.2 合并证书](#232__94) - [2.3.4 配置haproxy](#234_haproxy_101) - [2.3.5 pem转成KeyStore](#235_pemKeyStore_118) - [3. 申请延期](#3__130) - [3.1 查看证书过期时间](#31__132) - [3.2 申请延期](#32__143) ## 1. 条件 1. 可用的域名 2. 在域名绑定的服务器上 3. 域名绑定服务器在申请免费证书时，80和443端口是没有被占用的（最主要的是80） ## 2. 实施 ### 2.1 准备工具 #### 2.1.1 下载 <https://codeload.github.com/certbot/certbot/zip/master> #### 2.1.2 安装 ``` unzip certbot-master.zip cd certbot-master ``` 1. letsencrypt-auto申请证书主要用的工具使用说明： ``` run：获取并安装证书到当前的Web服务器 certonly：获取或续期证书，但是不安装 renew：在证书快过期时，续期之前获取的所有证书 -d DOMAINS：一个证书支持多个域名，用逗号分隔 --apache：使用 Apache 插件来认证和安装证书 --standalone：运行独立的 web server 来验证 --nginx：使用 Nginx 插件来认证和安装证书 --webroot：如果目标服务器已经有 web server 运行且不能关闭，可以通过往服务器的网站根目录放置文件的方式来验证 --manual：通过交互式方式，或 Shell 脚本手动获取证书 ``` ### 2.2 获取证书此命令代表仅仅获取证书而已 ``` ./letsencrypt-auto certonly --standalone --email lovetocar@aexit.net -d 域名（多个用逗号隔开） ``` 期间输入： ``` ------------------------------------------------------------------------------- Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory ------------------------------------------------------------------------------- (A)gree/(C)ancel: A ------------------------------------------------------------------------------- Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights. ------------------------------------------------------------------------------- (Y)es/(N)o: Y Obtaining a new certificate Performing the following challenges: http-01 challenge for lovetocar.cn Waiting for verification... Cleaning up challenges ``` 见到如下，代表证书生成成功了 ``` IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/lovetocar.cn/fullchain.pem Your key file has been saved at: ``` 在/etc/letsencrypt/live/lovetocar.cn/ 目录下生成四个文件 ``` cert.pem: Your domain's certificate（公钥） chain.pem: The Let's Encrypt chain certificate fullchain.pem: cert.pem and chain.pem combined（包含公钥和 Let's Encrypt的证书文件） privkey.pem: Your certificate's private key （私钥） ``` ### 2.3 配置haproxy #### 2.3.1 条件 1. haproxy支持ssl（不支持就去编译安装） 2. 需要合并上一步生成的证书 #### 2.3.2 合并证书 haproxy负载下的web，需要为haproxy指定一个包含公钥和私钥的pem，此时合并fullchain.pem和privkey.pem ``` cat privkey.pem fullchain.pem | tee timing-prod.pem ``` #### 2.3.4 配置haproxy ``` frontend timing bind 0.0.0.0:80 redirect scheme https if !{ ssl_fc } # http请求转成https bind 0.0.0.0:443 ssl crt /home/timing/https/ssl/fullchain.pem # 指定证书 acl is_timing hdr(host) -i lovetocar.cn lovetocar.cn:443 use_backend timing if is_timing backend timing balance source server timing1 10.30.46.31:31001 weight 1 maxconn 10000 check inter 10s server timing2 10.30.48.211:31001 weight 1 maxconn 10000 check inter 10s ``` #### 2.3.5 pem转成KeyStore 如果有需要的话，pem可以转成KeyStore ``` openssl pkcs12 -export -in cert.pem -inkey timing-prod.pem -out timing-prod.pk12 -name timing keytool -importkeystore -deststorepass '4rfv$RFV' -destkeypass '4rfv$RFV' -destkeystore timing-prod.keystore -srckeystore timing-prod.pk12 -srcstoretype PKCS12 -srcstorepass '4rfv$RFV' -alias timing ``` ## 3. 申请延期 ### 3.1 查看证书过期时间包含公钥的pem ``` openssl x509 -in ./fullchain2.pem -noout -dates notBefore=Feb 28 01:54:56 2018 GMT notAfter=May 29 01:54:56 2018 GMT ``` 证书有效期是 2018-2-28到2018-5-29 ### 3.2 申请延期 ``` certbot renew ```