(Postscript, 2021/11/30)
Because the installation from the end of October kept failing, I asked Mr. 林士甫 of the 資教中心 (Information Education Center) for help. He said:
Through the following site he could see that my certificate had in fact been issued successfully, so that part was fine: https://crt.sh/?q=vm.shsps.kh.edu.tw. It lists entries for 10/27, 11/04 and 11/12 (that is, the certificate was issued on 10/27 and then renewed twice), because each time something went wrong I went back and requested it again.
He also said that the method I had used was rather old and pointed me to the current instructions: https://certbot.eff.org/instructions?ws=apache&os=centosrhel7. So I removed the old package and reinstalled using the new method:
sudo yum remove certbot
Install snapd
$ sudo yum install snapd
$ sudo systemctl enable --now snapd.socket
$ sudo ln -s /var/lib/snapd/snap /snap
Check that it is up to date:
$ sudo snap install core; sudo snap refresh core
Install Certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Run Certbot
sudo certbot --apache
Test automatic renewal
sudo certbot renew --dry-run
The session went as follows:
Last login: Thu Nov 25 13:01:18 2021 from 163.32.244.15
[centos@shsps ~]$ sudo -s
[root@shsps centos]# sudo snap install core; sudo snap refresh core
error: too early for operation, device not yet seeded or device model not acknowledged
error: too early for operation, device not yet seeded or device model not acknowledged
[root@shsps centos]# snap install core
2021-11-25T13:11:42+08:00 INFO Waiting for automatic snapd restart...
core 16-2.52.1 from Canonical✓ installed
[root@shsps centos]# snap refresh core
snap "core" has no updates available
[root@shsps centos]# sudo snap install --classic certbot
certbot 1.21.0 from Certbot Project (certbot-eff✓) installed
[root@shsps centos]# sudo ln -s /snap/bin/certbot /usr/bin/certbot
[root@shsps centos]# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): vm.shsps.kh.edu.tw
Certificate not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0003.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Deploying certificate
We were unable to find a vhost with a ServerName or Address of vm.shsps.kh.edu.tw.
Which virtual host would you like to choose?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ssl.conf | | HTTPS | Enabled
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Successfully deployed certificate for vm.shsps.kh.edu.tw to /etc/httpd/conf.d/ssl.conf
Congratulations! You have successfully enabled HTTPS on https://vm.shsps.kh.edu.tw
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@shsps centos]# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0001.conf is broken.
The error was: target /etc/letsencrypt/archive/vm.shsps.kh.edu.tw-0001/cert2.pem of symlink /etc/letsencrypt/live/vm.shsps.kh.edu.tw-0001/cert.pem does not exist
Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0002.conf is broken.
The error was: target /etc/letsencrypt/archive/vm.shsps.kh.edu.tw-0002/cert1.pem of symlink /etc/letsencrypt/live/vm.shsps.kh.edu.tw-0002/cert.pem does not exist
Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0003.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for vm.shsps.kh.edu.tw
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: vm.shsps.kh.edu.tw
Type: connection
Detail: Fetching https://vm.shsps.kh.edu.tw/.well-known/acme-challenge/QmkckJV8XYbf1THsx_R3tpU69iiQaJcME2drB5tXCEw: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Failed to renew certificate vm.shsps.kh.edu.tw-0003 with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw.conf is broken.
The error was: target /etc/letsencrypt/archive/vm.shsps.kh.edu.tw/cert2.pem of symlink /etc/letsencrypt/live/vm.shsps.kh.edu.tw/cert.pem does not exist
Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/vm.shsps.kh.edu.tw-0003/fullchain.pem (failure)
Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0001.conf (parsefail)
/etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0002.conf (parsefail)
/etc/letsencrypt/renewal/vm.shsps.kh.edu.tw.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 3 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[root@shsps centos]#
....... After a long series of tests,
opening the site https://vm.shsps.kh.edu.tw
and running https://www.ssllabs.com/ssltest/analyze.html?d=vm.shsps.kh.edu.tw
both still produced errors, and I was ready to give up!!!
In the end the cause turned out to be that port 443 on the virtual machine had never been opened. That cost me a whole month.....
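A preflight check for this failure mode, added here as an example; it is not part of the original post or of Certbot. The CA reported "Timeout during connect (likely firewall problem)": HTTP-01 validation starts on port 80 and follows the server's redirect to https, which is why the log above shows an https URL and why a closed port 443 breaks validation even though httpd is running. The three checks below look at the problem from the inside outwards. The tool names (ss, firewall-cmd, curl), the web root /var/www/html and the host name are assumptions; only the external fetch reproduces what the CA sees, so run that part from a machine outside the school network.

```shell
#!/bin/sh
# Preflight for "Timeout during connect (likely firewall problem)" (added
# example). Three questions, from the inside outwards:
#   1. is something listening on the port locally?       (ss -ltn)
#   2. does the host firewall open it?                   (firewall-cmd)
#   3. can the ACME challenge path be fetched from the
#      public internet, which is what the CA does?       (curl, from outside)
# The parsers read tool output on stdin so they can be run on captured output.

# Exit 0 when the `ss -ltn` listing on stdin has a LISTEN socket on port $1.
# Column 4 is "Local Address:Port", e.g. "*:443" or "[::]:443".
listening_on_port() {
  awk -v p=":$1\$" '$1 == "LISTEN" && $4 ~ p { found = 1 } END { exit !found }'
}

# Exit 0 when the firewalld listing on stdin opens HTTPS, either as the
# "https" service or as the raw port. Feed it the combined output of
#   firewall-cmd --list-services; firewall-cmd --list-ports
firewall_allows_https() {
  tr ' ' '\n' | grep -Eqx 'https|443/tcp'
}

# Writes a canary file where certbot --webroot would write a challenge and
# prints the token. $1 = web root (default /var/www/html, as on this page).
write_canary() {
  dir="${1:-/var/www/html}/.well-known/acme-challenge"
  token="preflight-$(date +%s)"
  mkdir -p "$dir"
  echo "$token" > "$dir/$token"
  echo "$token"
}

# Reports the HTTP status seen for the canary over http and https
# ("000" = no connection at all, which is what a closed port looks like).
# $1 = host name, $2 = token printed by write_canary. Run it from OUTSIDE the
# network: from the server itself the fetch may go over loopback and succeed
# while the internet still cannot reach port 443.
fetch_canary() {
  host="$1"; token="$2"
  for scheme in http https; do
    code=$(curl -sS -o /dev/null --max-time 10 -w '%{http_code}' \
      "$scheme://$host/.well-known/acme-challenge/$token" 2>/dev/null) || code=000
    echo "$scheme $code"
  done
}

# On the server:
#   ss -ltn | listening_on_port 443 && echo "httpd listens on 443"
#   { firewall-cmd --list-services; firewall-cmd --list-ports; } | firewall_allows_https \
#     && echo "firewalld opens https"
#   write_canary /var/www/html            # prints the token
# From outside:
#   fetch_canary vm.shsps.kh.edu.tw <token>   # expect "http 200" and "https 200"
```

Anything other than 200 on both lines means the CA will fail the same way; "000" on https with 200 on http is the closed-port case described above.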
After it finally worked, I ran sudo certbot renew --dry-run again; the result:
[root@shsps lcl]# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0001.conf is broken.
The error was: target /etc/letsencrypt/archive/vm.shsps.kh.edu.tw-0001/cert2.pem of symlink /etc/letsencrypt/live/vm.shsps.kh.edu.tw-0001/cert.pem does not exist
Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0002.conf is broken.
The error was: target /etc/letsencrypt/archive/vm.shsps.kh.edu.tw-0002/cert1.pem of symlink /etc/letsencrypt/live/vm.shsps.kh.edu.tw-0002/cert.pem does not exist
Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0003.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for vm.shsps.kh.edu.tw
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/vm.shsps.kh.edu.tw.conf is broken.
The error was: target /etc/letsencrypt/archive/vm.shsps.kh.edu.tw/cert2.pem of symlink /etc/letsencrypt/live/vm.shsps.kh.edu.tw/cert.pem does not exist
Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/vm.shsps.kh.edu.tw-0003/fullchain.pem (success)
Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0001.conf (parsefail)
/etc/letsencrypt/renewal/vm.shsps.kh.edu.tw-0002.conf (parsefail)
/etc/letsencrypt/renewal/vm.shsps.kh.edu.tw.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 3 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[root@shsps lcl]#
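Both dry runs above report the lineages -0001, -0002 and the unsuffixed one as (parsefail): their renewal .conf files still exist, but the live/ symlinks point at archive files that are gone, so certbot skips them on every run and the final "0 renew failure(s), 3 parse failure(s)" line is still reported as an error. The script below, an added example and not part of Certbot, walks a letsencrypt directory and names the lineages in that state. It assumes Certbot's default layout (renewal/<name>.conf, and live/<name>/*.pem linking into archive/<name>/); the directory argument exists so the check can be tried against a copy.

```shell
#!/bin/sh
# Finds Certbot lineages whose live/ symlinks dangle (added example). The
# layout assumed is Certbot's default:
#   $LE_DIR/renewal/<name>.conf      one file per lineage
#   $LE_DIR/live/<name>/*.pem        symlinks into $LE_DIR/archive/<name>/
# A lineage in that state is what "certbot renew" reports as
# "Renewal configuration file ... is broken" and "(parsefail)".

# Prints "ok" or "broken: <why>" for lineage $2 under directory $1;
# returns 1 when broken.
lineage_status() {
  le_dir="$1"; name="$2"
  for link in cert.pem privkey.pem chain.pem fullchain.pem; do
    path="$le_dir/live/$name/$link"
    # -e follows symlinks, so a dangling link fails this test
    if [ ! -e "$path" ]; then
      if [ -L "$path" ]; then
        echo "broken: $link -> $(readlink "$path") does not exist"
      else
        echo "broken: $link missing"
      fi
      return 1
    fi
  done
  echo "ok"
}

# Prints the name of every lineage under $1 (default /etc/letsencrypt) that
# has a renewal .conf but broken live/ links, one per line.
find_broken_lineages() {
  le_dir="${1:-/etc/letsencrypt}"
  for conf in "$le_dir"/renewal/*.conf; do
    [ -e "$conf" ] || continue            # the glob matched nothing
    name=$(basename "$conf" .conf)
    lineage_status "$le_dir" "$name" > /dev/null || echo "$name"
  done
}

# Full report; run as root because /etc/letsencrypt/archive is not
# world-readable:
#   for n in $(find_broken_lineages); do
#     echo "$n: $(lineage_status /etc/letsencrypt "$n")"
#   done
```

The usual cleanup for a lineage listed here is certbot delete --cert-name <name> (for the names above, vm.shsps.kh.edu.tw-0001 and so on), which removes the renewal .conf together with the live/ and archive/ entries; if that refuses because the lineage is unreadable, removing those three paths by hand has the same effect. Afterwards certbot renew --dry-run reports only the lineage that is actually in use.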
Changing the XOOPS site URL:
vi /var/www/html/xoops/mainfile.php
Changing the WordPress site URL:
References
(2021/10/27)
I recently decided to move my own website to SSL (HTTPS) connections.
This article follows (copies) the following post almost entirely: https://www.opencli.com/linux/rhel-centos-install-certbot-get-lets-encrypt-certs
There are 4 steps:
1. Install Certbot
2. Obtain the certificate
3. Configure Apache
4. Set up automatic renewal of the SSL certificate
Below is the installation process on my own machine:
1. Install Certbot
To install Certbot on CentOS 7 you only need to enable EPEL and install it with yum. If the EPEL repo is not enabled yet, enable it with:
# yum install epel-release -y
Then install the required packages with yum. Since Apache is to serve SSL here, mod_ssl is needed:
# yum install mod_ssl
Now install Certbot:
# yum install certbot -y
2. Obtain the certificate
I am requesting a certificate for vm.shsps.kh.edu.tw, a virtual machine I applied for from the Education Bureau, with IP 163.16.244.XXX. Before requesting it, the DNS records must be in place: add a CAA record and enter letsencrypt.org as its value.
On the DNS server, point the hostname above at the server's IP; Let's Encrypt uses that hostname to verify that you control the domain. Assuming the web root is /var/www/html, run:
# certbot certonly --webroot -w /var/www/html -d vm.shsps.kh.edu.tw --email wenyu@shsps.kh.edu.tw --agree-tos
The first attempt failed; I was not sure whether it was because DNS was not active yet?
Ten minutes later I restarted httpd and tried again, and this time the certificate was issued.
Once validation succeeds, the SSL certificate, private key and LE chain are placed under /etc/letsencrypt/live/vm.shsps.kh.edu.tw/.
3. Configure Apache
Open the file /etc/httpd/conf.d/ssl.conf:
# vi /etc/httpd/conf.d/ssl.conf
Find the three lines SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile (they are in separate places in the file) and change them to:
SSLCertificateFile /etc/letsencrypt/live/vm.shsps.kh.edu.tw/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vm.shsps.kh.edu.tw/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/vm.shsps.kh.edu.tw/fullchain.pem
Finally restart Apache for the change to take effect:
# systemctl restart httpd
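Before the restart it is worth checking that the three directives resolve to real files and that the private key is not readable by other users: a restart with a dangling path leaves httpd down, and the postscript's renew output shows how easily a /etc/letsencrypt/live link ends up dangling. The script below is an added example, not from the original post or from Apache. It reads the directives from ssl.conf with a simple parser (last occurrence wins, which is enough for a flat file like this one), takes the config path as an argument so it can be tried on a copy, and prints one line per finding. Run apachectl configtest as well before the restart.

```shell
#!/bin/sh
# Sanity check for the mod_ssl directives before "systemctl restart httpd"
# (added example, not from the original post or Apache). Checks that
#   - SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile each
#     point at a file that exists (a dangling /etc/letsencrypt/live link fails,
#     which is how the lineages in the postscript's renew output went wrong)
#   - the private key is not readable by group or others
# Prints one line per finding; returns 0 when all is well, 1 otherwise.

# Value of directive $2 in config file $1: last non-comment occurrence wins,
# surrounding quotes are stripped. It does not evaluate <IfModule> or Include.
ssl_directive_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\"\{0,1\}\([^\"[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

check_ssl_conf() {
  conf="$1"; rc=0
  for d in SSLCertificateFile SSLCertificateKeyFile SSLCACertificateFile; do
    f=$(ssl_directive_value "$conf" "$d")
    if [ -z "$f" ]; then
      echo "MISSING  $d is not set"; rc=1
    elif [ ! -e "$f" ]; then            # -e follows symlinks, so a dangling link fails
      echo "MISSING  $d -> $f does not exist"; rc=1
    else
      echo "OK       $d -> $f"
    fi
  done
  key=$(ssl_directive_value "$conf" SSLCertificateKeyFile)
  if [ -n "$key" ] && [ -e "$key" ]; then
    # ls -lL reports the symlink target's mode; characters 5 and 8 of the
    # mode string are the group-read and other-read bits.
    mode=$(ls -lL "$key" | cut -c1-10)
    case "$mode" in
      ????r*|???????r*) echo "WEAK     $key is readable by group/others ($mode)"; rc=1 ;;
      *)                echo "OK       $key mode $mode" ;;
    esac
  fi
  return "$rc"
}

# check_ssl_conf /etc/httpd/conf.d/ssl.conf && apachectl configtest && systemctl restart httpd
```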
4. Set up automatic renewal of the SSL certificate
A Let's Encrypt certificate is currently valid for only 3 months and can be renewed from 1 month before it expires, so renewal should be automated. The renewal command is:
certbot renew --quiet --agree-tos --post-hook "systemctl reload httpd"
The command above renews every SSL certificate that is due; if the renewal succeeds it runs "systemctl reload httpd" so that Apache loads the new certificate.
To keep this manageable later on, create a shell script for renewing SSL:
# vi /root/renew.sh
with the following content:
#!/bin/sh
/usr/bin/certbot renew --quiet --agree-tos --post-hook "systemctl reload httpd"
Then make the script executable and add it to crontab:
# chmod +x /root/renew.sh
Add it to crontab:
# crontab -e
and add the following line:
0 3 * * * /root/renew.sh > /dev/null 2>&1
Certbot will then check and renew the certificate automatically every day at 3:00 am.
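A variant of renew.sh, added here as an example; it is not the post's own script. The cron line above sends everything to /dev/null, so a renewal that fails every night (as the dry runs in the postscript did) is never noticed until the certificate expires. This version appends each run with a timestamp and exit status to a log, pulls out certbot's summary line ("N renew failure(s), M parse failure(s)") for the most recent run, and prints it on stderr when the run fails so that cron mails it. It uses --deploy-hook, which certbot runs only for a certificate that was actually renewed, whereas --post-hook also runs after a failed attempt. The log path, the certbot path and the "run" argument are my choices; CERTBOT and RENEW_LOG can be overridden through the environment. The crontab line becomes 0 3 * * * /root/renew.sh run.

```shell
#!/bin/sh
# /root/renew.sh with logging (added example, not the post's script).
# Cron line:  0 3 * * * /root/renew.sh run
# CERTBOT and RENEW_LOG can be overridden from the environment.
CERTBOT="${CERTBOT:-/usr/bin/certbot}"
LOG="${RENEW_LOG:-/var/log/letsencrypt/renew-cron.log}"

# Runs "certbot renew", appends a timestamped record of the run to $LOG and
# returns certbot's exit status. --deploy-hook runs only for certificates
# that were actually renewed, so httpd is reloaded only when there is
# something new to load.
run_renew() {
  rc=0
  {
    echo "=== $(date '+%Y-%m-%d %H:%M:%S') $CERTBOT renew"
    "$CERTBOT" renew --agree-tos --deploy-hook "systemctl reload httpd" 2>&1 || rc=$?
    echo "=== exit status: $rc"
  } >> "$LOG"
  return "$rc"
}

# Prints the output of the most recent run recorded in $LOG (the lines after
# the last "=== ... renew" header written by run_renew).
last_run_output() {
  awk '/^=== .* renew$/ { buf = ""; next } { buf = buf $0 "\n" } END { printf "%s", buf }' "$LOG"
}

# Reads certbot output on stdin and prints "renew=N parse=M" from its summary
# line ("N renew failure(s), M parse failure(s)"), "renew=0 parse=0" when the
# output only carries certbot's success message, and "unknown" otherwise.
summarize_renew_output() {
  input=$(cat)
  summary=$(printf '%s\n' "$input" \
    | sed -n 's/^\([0-9][0-9]*\) renew failure(s), \([0-9][0-9]*\) parse failure(s).*$/renew=\1 parse=\2/p' \
    | tail -n 1)
  if [ -n "$summary" ]; then
    echo "$summary"
  elif printf '%s\n' "$input" | grep -q 'all .*renewals succeeded'; then
    echo "renew=0 parse=0"
  else
    echo "unknown"
  fi
}

main() {
  if run_renew; then
    return 0
  fi
  # Anything written to stderr here is mailed by cron (set MAILTO in the crontab).
  echo "certbot renew failed: $(last_run_output | summarize_renew_output); see $LOG" >&2
  return 1
}

case "${1:-}" in
  run) main ;;
esac
```

Note that the second dry run in the postscript still ends with "0 renew failure(s), 3 parse failure(s)": the certificate in use renews fine, but the stale lineages keep the run in a failed state, so this script would keep mailing until they are deleted.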
(2021/11/04) Still failing