I've used up all three of ZeroSSL's free 90-day certificates.
I originally thought: isn't Let's Encrypt free forever?
After looking into it more carefully, I found that ZeroSSL, SSL For Free and Let's Encrypt are related as shown in the figure.
Let's Encrypt's Getting Started page also recommends using Certbot.
Certbot client tool
Next, let's use Certbot to request a certificate.
After selecting the server software and OS,
download the certbot installer and install it on the server.
> certbot --help
Following the instructions, I chose to stop Apache first,
otherwise the next step fails with: Problem binding to port 80: [WinError 10013] 嘗試存取通訊端被拒絕,因為存取權限不足。
> certbot certonly --standalone
On first use it asks for an email address
> gjlmotea@gmail.com
Whether you agree to the terms of service
> Y
Whether you want to receive subscription emails
> Y
Domain name(s); separate multiple domains with `,`
> gjlmotea.com
(or > gjlmotea.com,*.gjlmotea.com)
Successfully received certificate.
Certificate is saved at: C:\Certbot\live\gjlmotea.com\fullchain.pem
Key is saved at: C:\Certbot\live\gjlmotea.com\privkey.pem
If you see this message:
Detail: no valid A records found for thu.today; no valid AAAA records found for thu.today
it means you first need to configure the domain's DNS and point the domain at this machine's IP address.
Afterwards, go to C:\Certbot\live\gjlmotea.com, where a whole set of files has appeared.
Reading the README there, it says:
This directory contains your keys and certificates.
`privkey.pem` : the private key for your certificate. (the certificate's private key)
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7. (Online Certificate Status Protocol)
`cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below). (the server certificate on its own; read the documentation before using it)
`fullchain.pem`: the certificate file used in most server software. (incidentally, fullchain = cert.pem + chain.pem)
WARNING: DO NOT MOVE OR RENAME THESE FILES!
Certbot expects these files to remain in this location in order
to function properly!
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
It strongly advises us not to move these certificate files.
They are symbolic links (shortcuts) that always resolve to the newest certificate, which is what lets a renewal take effect without reconfiguring anything.
Configuring SSL for XAMPP's Apache
Next, open XAMPP's Apache SSL configuration,
find the three directives SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile,
and point them at the certificate paths produced by Certbot.
Here are the changes I made:
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
# Changed from the XAMPP default "conf/ssl.crt/server.crt" to the Certbot leaf certificate:
SSLCertificateFile "C:\Certbot\live\gjlmotea.com\cert.pem"
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
# Changed to the Certbot private key:
SSLCertificateKeyFile "C:\Certbot\live\gjlmotea.com\privkey.pem"
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
# Uncommented and pointed at the Certbot intermediate chain:
SSLCertificateChainFile "C:\Certbot\live\gjlmotea.com\chain.pem"
BTW
For the last line, SSLCertificateChainFile, either fullchain.pem or chain.pem works:
SSLCertificateChainFile "C:\Certbot\live\gjlmotea.com\chain.pem"
SSLCertificateChainFile "C:\Certbot\live\gjlmotea.com\fullchain.pem"
If you leave out the SSLCertificateChainFile line, connecting and browsing the site still works fine,
but front-end code that reaches the server through a proxy fails with UNABLE_TO_VERIFY_LEAF_SIGNATURE: the intermediate certificate has to be included in the chain the server sends.
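The three-file layout from the README (fullchain = cert.pem + chain.pem) and the missing-chain failure just described can both be checked mechanically before touching the Apache config. The script below is an added example, not code from the original post or from Certbot. It uses only the Python standard library and works at the PEM-block level, never decoding the certificates; the sample PEM blocks it embeds are constructed placeholders, not real certificates. It also models which certificates mod_ssl sends for a given SSLCertificateFile / SSLCertificateChainFile pair, which is where a leaf-only configuration shows up as UNABLE_TO_VERIFY_LEAF_SIGNATURE: browsers can fetch a missing intermediate on their own, while Node's TLS client (the usual source of that error string) does not. The default live-directory path in the script is the one from this post.

```python
import re
import sys
from pathlib import Path
from typing import List, Optional

# One PEM CERTIFICATE block, armour included; DOTALL lets '.' span lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem(text: str) -> List[str]:
    """Return every CERTIFICATE block in a PEM bundle, in file order.
    Line endings are normalised so a CRLF (Windows) file and an LF file compare equal."""
    return [m.group(0).replace("\r\n", "\n") for m in PEM_CERT_RE.finditer(text)]


def check_live_dir(cert_pem: str, chain_pem: str, fullchain_pem: str) -> dict:
    """Cross-check the three files Certbot writes to live/<domain>/:
    cert.pem must hold one leaf, chain.pem at least one intermediate,
    and fullchain.pem must be exactly cert.pem followed by chain.pem."""
    leaf = split_pem(cert_pem)
    intermediates = split_pem(chain_pem)
    full = split_pem(fullchain_pem)
    problems = []
    if len(leaf) != 1:
        problems.append(f"cert.pem should hold exactly one certificate, found {len(leaf)}")
    if not intermediates:
        problems.append("chain.pem holds no intermediate certificate")
    if full != leaf + intermediates:
        problems.append("fullchain.pem is not cert.pem followed by chain.pem")
    return {
        "leaf_count": len(leaf),
        "intermediate_count": len(intermediates),
        "fullchain_count": len(full),
        "problems": problems,
    }


def served_chain(ssl_certificate_file: str,
                 ssl_certificate_chain_file: Optional[str] = None) -> List[str]:
    """Model what mod_ssl sends in the TLS handshake: the certificate(s) in
    SSLCertificateFile followed by those in SSLCertificateChainFile (if set)."""
    served = split_pem(ssl_certificate_file)
    if ssl_certificate_chain_file is not None:
        served += split_pem(ssl_certificate_chain_file)
    return served


def chain_verdict(served: List[str]) -> str:
    """What a strict client (one that does not fetch missing intermediates
    itself, e.g. Node's TLS stack) makes of the served chain."""
    if len(served) >= 2:
        return "ok: leaf plus intermediate(s) served"
    return "incomplete: leaf only, strict clients report UNABLE_TO_VERIFY_LEAF_SIGNATURE"


def _fake_cert(label: str) -> str:
    # Constructed stand-in, NOT a real certificate: the checks above only
    # look at PEM armour and never decode the body.
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----"


# Constructed sample of what live/<domain>/ looks like (one leaf, one intermediate).
SAMPLE_CERT = _fake_cert("LEAF") + "\n"
SAMPLE_CHAIN = _fake_cert("INTERMEDIATE") + "\n"
SAMPLE_FULLCHAIN = SAMPLE_CERT + SAMPLE_CHAIN


if __name__ == "__main__":
    # Usage: python check_chain.py [live-directory]; defaults to the path used in this post.
    live = Path(sys.argv[1] if len(sys.argv) > 1 else r"C:\Certbot\live\gjlmotea.com")
    files = {n: (live / f"{n}.pem").read_text() for n in ("cert", "chain", "fullchain")}
    print(check_live_dir(files["cert"], files["chain"], files["fullchain"]))
    print("SSLCertificateFile cert.pem only      ->", chain_verdict(served_chain(files["cert"])))
    print("cert.pem + SSLCertificateChainFile    ->", chain_verdict(served_chain(files["cert"], files["chain"])))
    print("SSLCertificateFile fullchain.pem only ->", chain_verdict(served_chain(files["fullchain"])))
```

One caveat worth knowing: Apache 2.4.8 and later deprecate SSLCertificateChainFile, because SSLCertificateFile now also loads any intermediates appended to the server certificate. On those versions the recommended form is simply SSLCertificateFile pointing at fullchain.pem, which the last line of the script models as a complete chain.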
Finally start Apache,
press Ctrl+F5 to force-reload the page,
and you'll see the new certificate.
Renewing the certificate manually
As before, stop the Apache service in XAMPP first, then open CMD as administrator and run:
> certbot renew --force-renewal --no-random-sleep-on-renew
(Without the --force-renewal --no-random-sleep-on-renew flags, renew just hung every time at first.)
The result reported on success:
After starting the Apache service again and force-reloading the site, you can see the renewed certificate.
Renewing the certificate automatically
Haven't looked into this yet.
It seems the system can renew the certificate automatically when it's about to expire?
Renewal needs the Apache service stopped, so perhaps stopping Apache is done by adding some parameter on the Certbot side.
If an ACME client standalone challenge solver error appears when connecting to the domain,
renew that domain's certificate with > certbot certonly --standalone.
But first go to the Certbot directory and delete that domain's folder inside each of archive, live and renewal;
otherwise the name collides, you get suffixes like 0001, 0002, and the file path of the newly issued key no longer matches the one configured.
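The guess in the automatic-renewal section is right: Certbot has --pre-hook and --post-hook flags that run a command before and after the renewal attempt, so Certbot can stop Apache to free port 80 and start it again itself. Certbot also has a supported way to remove a lineage (certbot delete --cert-name) instead of deleting the archive/live/renewal folders by hand, which sidesteps the 0001/0002 suffix problem above. The wrapper below is an added example, not code from the original post or from Certbot; it assumes XAMPP's Apache is registered as a Windows service named "Apache2.4" (check sc query for the real name on your machine) and that certbot is on PATH. Both names are assumptions, not values from this post.

```python
import subprocess
import sys
from typing import List

# ASSUMPTIONS (not from the original post): XAMPP's Apache runs as a Windows
# service called "Apache2.4", and certbot is on PATH. Adjust both to taste.
APACHE_SERVICE = "Apache2.4"
CERTBOT = "certbot"


def build_renew_command(service: str = APACHE_SERVICE,
                        force: bool = False,
                        dry_run: bool = False) -> List[str]:
    """Compose `certbot renew` so that Certbot itself frees port 80 before the
    standalone challenge and brings Apache back afterwards.

    --pre-hook runs before the renewal attempt (only when a certificate is
    actually due); --post-hook runs after the attempt whether or not it
    succeeded, so Apache is restarted even when renewal fails."""
    cmd = [
        CERTBOT, "renew",
        "--pre-hook", f"net stop {service}",
        "--post-hook", f"net start {service}",
        "--no-random-sleep-on-renew",  # the post found renew stalls without this
    ]
    if force:
        cmd.append("--force-renewal")  # renew even if not yet due; rate-limited, use sparingly
    if dry_run:
        cmd.append("--dry-run")        # rehearse against the staging CA; nothing is written
    return cmd


def build_delete_command(cert_name: str) -> List[str]:
    """`certbot delete` removes a lineage's archive/, live/ and renewal/ entries
    together, so re-issuing under the same name does not produce a -0001 copy."""
    return [CERTBOT, "delete", "--cert-name", cert_name]


def run(cmd: List[str]) -> int:
    """Run a command and return its exit status (0 = success)."""
    print(">", " ".join(cmd))
    return subprocess.run(cmd).returncode


if __name__ == "__main__":
    # Rehearse first; drop dry_run=True once the hooks are known to work.
    sys.exit(run(build_renew_command(dry_run=True)))
```

Hooks passed on the command line are saved into the lineage's renewal configuration, and the Certbot installer for Windows registers a scheduled task that runs certbot renew on its own, so once the hooks are in place the scheduled run stops and restarts Apache without any manual step.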