Route 53 Let's Encrypt wildcard certificate with acme.sh

Date: 2020-01-09 10:43:29  Source: igfitidea

How do I get a wildcard TLS/SSL certificate from Let's Encrypt using acme.sh and AWS Route 53?
How do I set up a wildcard Let's Encrypt SSL certificate for Nginx or Apache using AWS Route 53?
For wildcard TLS/SSL certificates, the only challenge type Let's Encrypt accepts is the DNS-01 challenge, which proves control of the domain by publishing a TXT record under it.
Therefore we need the Route 53 AWS DNS API to add/modify DNS records for our domain.
This tutorial shows how to generate a wildcard TLS/SSL certificate with acme.sh, a Let's Encrypt client that runs on Linux or Unix-like systems.

Prerequisites for a Let's Encrypt wildcard certificate with acme.sh and Route 53

Make sure the Nginx server is installed and running.
For example:

$ sudo apt install nginx
$ sudo yum install nginx

Apache users can run the following commands instead:

$ sudo apt install apache2
$ sudo yum install httpd

Step 1: Create a new AWS user and get API access keys for Route 53

You can add the user and create the Route 53 policy from the AWS console.
In this example, I create a new IAM user in my AWS account and create and attach the policy with the aws cli.

Get the hosted zones associated with the current AWS account

First, we need to find the DNS hosted zone ID.
Run the aws command as follows to list the hosted zones:

$ aws route53 list-hosted-zones

Note down your hosted zone ID.
For example:

{
    "HostedZones": [
        {
            "Id": "/hostedzone/RANDOM_ID_HERE_1",
            "Name": "theitroad.org.",
            "CallerReference": "RISWorkflow-RD:473d5c18-2ca9-421b-b217-c40f9d90b976",
            "Config": {
                "Comment": "HostedZone created by Route53 Registrar",
                "PrivateZone": false
            },
            "ResourceRecordSetCount": 2
        },
        {
            "Id": "/hostedzone/RANDOM_ID_HERE_2",
            "Name": "theitroad.com.",
            "CallerReference": "2BC89E0B-FB84-7FA0-8EA6-5A2D46189415",
            "Config": {
                "Comment": "theitroad forum DNS",
                "PrivateZone": false
            },
            "ResourceRecordSetCount": 16
        }
    ]
}

Create a new customer managed policy file named route53.txt

Use your favorite text editor (such as vim) to create a strict policy that can update only the one Route 53 DNS zone acme.sh needs to touch:

$ vim route53.txt

Replace RANDOM_ID_HERE_2 in the text below with the hosted zone ID from your setup:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "vim0",
            "Effect": "Allow",
            "Action": [
                "route53:GetHostedZone",
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "arn:aws:route53:::hostedzone/RANDOM_ID_HERE_2"
        },
        {
            "Sid": "vim1",
            "Effect": "Allow",
            "Action": "route53:ListHostedZones",
            "Resource": "*"
        }
    ]
}

Create the policy in AWS

The file route53.txt is a JSON document in the current folder (or /path/to/route53.txt) that grants read/write access to the DNS zone whose Amazon Route 53 hosted zone ID is RANDOM_ID_HERE_2:

$ aws iam create-policy --policy-name le-route53-wildcard-dns-verification --policy-document file:///path/to/route53.txt
{
    "Policy": {
        "PolicyName": "le-route53-wildcard-dns-verification",
        "PolicyId": "AQPAZ4PKKZL7RYIBYM6YI",
        "Arn": "arn:aws:iam::791914887124:policy/le-route53-wildcard-dns-verification",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2020-08-03T08:14:25+00:00",
        "UpdateDate": "2020-08-03T08:14:25+00:00"
    }
}

Note down the Arn.

Create an AWS IAM user named route53-dns-verification

Run:

$ aws iam create-user --user-name route53-dns-verification

Attach the AWS policy named arn:aws:iam::791914887124:policy/le-route53-wildcard-dns-verification to the route53-dns-verification user account

Run:

$ aws iam attach-user-policy \
--policy-arn 'arn:aws:iam::791914887124:policy/le-route53-wildcard-dns-verification' \
--user-name route53-dns-verification

Create access keys for the IAM user named route53-dns-verification

After running the following command, note down the AccessKeyId and SecretAccessKey.
To protect your AWS account, the secret access key is shown only at the moment the key is created.
If you need it again later, you must have saved it.
If the key is lost, delete the user's access key and create a new one.
So save them to a text file that only root can read (mode 0600):

$ aws iam create-access-key --user-name route53-dns-verification
{
    "AccessKey": {
        "UserName": "route53-dns-verification",
        "AccessKeyId": "AKIZY3PTTYXXXXXXXXXX",
        "Status": "Active",
        "SecretAccessKey": "58XYYYYYYYYYYYYYYYYYYYYYYYYgmdS",
        "CreateDate": "2020-08-03T08:47:29+00:00"
    }
}
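The whole of step 1 as one script, added here as an example and not part of the original article or of acme.sh. It derives the _acme-challenge names from the domain list, writes a policy that is tighter than the one above (ChangeResourceRecordSets is allowed only for TXT records at those names, using the route53:ChangeResourceRecordSetsRecordTypes and route53:ChangeResourceRecordSetsNormalizedRecordNames condition keys that AWS added in 2022), and then runs the same aws iam commands as above. The policy and user names are the ones used in this article; the LE_APPLY switch and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article or from acme.sh): provision a
# least-privilege Route 53 IAM user for acme.sh DNS-01 validation.
# Usage: LE_APPLY=1 ./le-route53-iam.sh <hosted-zone-id> example.com '*.example.com'
set -eu

# DNS-01 puts the validation token in a TXT record at _acme-challenge.<name>,
# with any leading "*." removed, so an apex and its wildcard share one name.
challenge_names() {  # challenge_names DOMAIN...
  for d in "$@"; do
    d="${d#\*.}"                                  # "*.example.com" -> "example.com"
    d="$(printf '%s' "$d" | tr 'A-Z' 'a-z')"      # Route 53 normalizes to lower case
    printf '_acme-challenge.%s\n' "${d%.}"        # drop a trailing dot if given
  done | sort -u
}

# Emit an IAM policy for ZONE_ID: read-only zone lookups as in the article
# (plus GetChange, read-only and harmless if unused), and ChangeResourceRecordSets
# restricted to TXT records at the challenge names.
# Assumption: the two route53:ChangeResourceRecordSets* condition keys (AWS, 2022).
route53_policy() {  # route53_policy ZONE_ID DOMAIN...
  zone_id="$1"; shift
  names=""
  for n in $(challenge_names "$@"); do          # names contain no globs or spaces
    names="${names:+$names, }\"$n\""
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LookupZones",
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:GetChange"],
      "Resource": "*"
    },
    {
      "Sid": "ReadZone",
      "Effect": "Allow",
      "Action": ["route53:GetHostedZone", "route53:ListResourceRecordSets"],
      "Resource": "arn:aws:route53:::hostedzone/${zone_id}"
    },
    {
      "Sid": "ChallengeTxtOnly",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/${zone_id}",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [${names}]
        }
      }
    }
  ]
}
EOF
}

# Create the policy, the user, the attachment and one access key (the same
# aws iam commands as the article). Prints the key JSON exactly once; store it
# in a root-owned file with mode 0600.
provision() {  # provision ZONE_ID DOMAIN...
  zone_id="$1"; shift
  user="route53-dns-verification"
  doc="$(mktemp)"
  route53_policy "$zone_id" "$@" > "$doc"
  arn="$(aws iam create-policy --policy-name le-route53-wildcard-dns-verification \
           --policy-document "file://$doc" --query Policy.Arn --output text)"
  rm -f "$doc"
  aws iam create-user --user-name "$user" > /dev/null
  aws iam attach-user-policy --user-name "$user" --policy-arn "$arn"
  aws iam create-access-key --user-name "$user" --output json
}

if [ "${LE_APPLY:-0}" = 1 ]; then
  provision "$@"
fi
```

If issuance later fails with an AccessDenied error, CloudTrail shows which Route 53 action and record name was refused; that is the place to loosen the conditions rather than falling back to a zone-wide write grant.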

Step 2: Install the acme.sh client

Once you have the Route 53 API keys, set up the acme.sh client.
Clone the acme.sh repository with git, then install the client as root using su/sudo. (The repository now lives under acmesh-official/acme.sh; the Neilpang URL redirects there.) The installer also adds a daily cron entry that renews certificates and re-runs the reload command given in step 5:

$ cd /tmp/
$ git clone https://github.com/Neilpang/acme.sh.git
$ sudo -i
# touch /root/.bashrc
# cd /tmp/acme.sh/
# ./acme.sh --install --accountemail your-email-id@domain-here

Step 3: Request a new wildcard TLS certificate for the domain using Route 53 DNS

So far we have set up Nginx/Apache and obtained the Route 53 API access keys; now it is time to use acme.sh to get a wildcard certificate for the theitroad.com domain.
First, set AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY with the export command as follows (these lines land in the root shell's history file, so clear it afterwards or disable history for the session):

# export AWS_ACCESS_KEY_ID="AKIZY3PTTYXXXXXXXXXX"
# export AWS_SECRET_ACCESS_KEY="58XYYYYYYYYYYYYYYYYYYYYYYYYgmdS"

Finally, request the wildcard TLS/SSL certificate using Route 53 DNS as the validator for your domain.
Make sure to replace theitroad.com with your domain name. Both the apex and the wildcard are listed because *.theitroad.com matches exactly one label (www.theitroad.com) and does not cover theitroad.com itself:

# acme.sh --issue --dns dns_aws --ocsp-must-staple --keylength 4096 -d theitroad.com -d '*.theitroad.com'

To get an elliptic-curve (ECC/ECDSA) certificate instead of an RSA one:

# acme.sh --issue --dns dns_aws --ocsp-must-staple --keylength ec-384 -d theitroad.com -d '*.theitroad.com'

Two caveats that postdate this article: since acme.sh 3.0 the default CA is ZeroSSL, so add --server letsencrypt (or run acme.sh --set-default-ca --server letsencrypt once) if you want Let's Encrypt; and Let's Encrypt has since shut down its OCSP service and no longer issues certificates with the OCSP Must-Staple extension, so drop --ocsp-must-staple if issuance fails on it.

Where:

  • --issue: issue a certificate.
  • --dns dns_aws: use DNS mode; in this case the AWS Route 53 DNS API.
  • --ocsp-must-staple: generate the OCSP Must-Staple extension.
  • --keylength ec-384: set the domain key to a 384-bit ECC/ECDSA key. Note that ec-521 is currently not supported by Let's Encrypt.
  • --keylength 4096: set the RSA domain key length.
  • -d theitroad.com -d '*.theitroad.com': the domain names to issue, renew or revoke certificates for.

Your Route 53 API access keys are stored in the /root/.acme.sh/account.conf file (acme.sh reuses them for automatic renewals); we can view them with the cat or grep command:

# cat /root/.acme.sh/account.conf
# grep '_AWS_' /root/.acme.sh/account.conf

Therefore never share the /root/.acme.sh/account.conf file with anyone, and keep it owned by root with mode 0600.
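Because the keys must be exported into the environment, the usual export-on-the-command-line approach leaks them into the root shell's history. The following wrapper, added here as an example and not part of the original article or of acme.sh, reads them from a root-only file instead and refuses to run if that file is readable by anyone else; the file path /root/.le-route53.env and the function names are this example's assumptions. It also pins the CA to Let's Encrypt, since acme.sh has defaulted to ZeroSSL since version 3.0.

```shell
#!/bin/sh
# Added example (not from the original article or from acme.sh). Issue the
# wildcard certificate with the Route 53 key taken from a mode-0600 file, so the
# secret never appears on a command line or in shell history.
# Assumption: CREDS_FILE holds two lines, AWS_ACCESS_KEY_ID=... and AWS_SECRET_ACCESS_KEY=...
set -eu

CREDS_FILE="${CREDS_FILE:-/root/.le-route53.env}"

# Succeeds only for a regular file with no group/other permission bits.
# Columns 5-10 of "ls -l" are the group and other bits, so they must all be '-'.
creds_file_private() {  # creds_file_private FILE
  [ -f "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *) return 1 ;;
  esac
}

# Source the two AWS variables from FILE and export them for acme.sh.
load_creds() {  # load_creds FILE
  creds_file_private "$1" || {
    echo "refusing $1: must be a regular file with mode 0600" >&2
    return 1
  }
  # shellcheck disable=SC1090
  . "$1"
  [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || {
    echo "$1 does not define AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY" >&2
    return 1
  }
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
}

# Issue apex + wildcard for DOMAIN via DNS-01 on Route 53. Extra arguments are
# passed through to acme.sh (for example --keylength ec-384).
issue_wildcard() {  # issue_wildcard theitroad.com [extra acme.sh args]
  domain="$1"; shift
  load_creds "$CREDS_FILE"
  # acme.sh >= 3.0 defaults to ZeroSSL; name the CA explicitly.
  acme.sh --issue --server letsencrypt --dns dns_aws \
    -d "$domain" -d "*.$domain" "$@"
}
```

Call it as issue_wildcard theitroad.com --keylength ec-384 (add --ocsp-must-staple only if your CA still honours it). acme.sh copies the keys into /root/.acme.sh/account.conf for renewals, so that file needs the same 0600 protection as the credentials file.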

Step 4: Configure Nginx HTTPS

Create a Diffie-Hellman parameter file with the openssl command as shown below, in the same directory that the ssl_dhparam directive in the Nginx config points to. The -dsaparam option produces DSA-style parameters quickly instead of searching for a 4096-bit safe prime; leave it out if you want safe-prime DH parameters and can wait for the generation:

# DOMAIN="www.theitroad.com"
# mkdir -pv /etc/nginx/ssl/letsencrypt/${DOMAIN}/
# cd /etc/nginx/ssl/letsencrypt/${DOMAIN}/
# openssl dhparam -out dhparams.pem -dsaparam 4096

Then edit your Nginx configuration file or virtual host file:

# vi /etc/nginx/vhosts.d/www.theitroad.com.conf

Update/edit the file as shown below. One caveat about the OCSP stapling block at the end: nginx fetches OCSP responses lazily, so the first connections after a (re)start are served without a staple, and clients that enforce Must-Staple reject those connections. Make a warm-up request (for example with openssl s_client -status) after every reload if you use a Must-Staple certificate:

# Port 80 config
server {
listen      80 default_server; # IPv4
listen [::]:80 default_server; # IPv6
server_name www.theitroad.com;
access_log  off;
error_log   off;
root        /var/www/html;
return 301 https://$host$request_uri;
}
 
# Port 443 config
server {
listen 443 ssl http2;                # IPv4
listen [::]:443 ssl http2;           # HTTP/2 TLS IPv6
server_name www.theitroad.com;  # domain name 
root   /var/www/html;
index  index.html;
 
# Set access and error log for this vhost
access_log /var/log/nginx/www.theitroad.com_access.log;
error_log  /var/log/nginx/www.theitroad.com_error.log;  
# TLS/SSL CONFIG 
ssl_certificate /etc/nginx/ssl/letsencrypt/www.theitroad.com/www.theitroad.com.fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/letsencrypt/www.theitroad.com/www.theitroad.com.key;
 
# ECC/ECDSA certificates (dual config)
#ssl_certificate /etc/nginx/ssl/letsencrypt/www.theitroad.com/www.theitroad.com.fullchain.cer.ecc;
#ssl_certificate_key /etc/nginx/ssl/letsencrypt/www.theitroad.com/www.theitroad.com.key.ecc;
ssl_dhparam  /etc/nginx/ssl/letsencrypt/www.theitroad.com/dhparams.pem;
 
# A little bit of optimization 
ssl_session_timeout 1d;
ssl_session_cache shared:theitroadSSL:10m;
 
# TLS version 1.2 and 1.3 only
ssl_session_tickets off;  
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;  
 
# HSTS (ngx_http_headers_module is required)
# *************************************************************************
# WARNING - Wrong headers can create serious problems. Read docs otherwise
#           all 3rd party scripts/ads won't load and in some case 
#           browser won't work. Read docs @ https://developer.mozilla.org
# ************************************************************************* 
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header Referrer-Policy  strict-origin-when-cross-origin always;
add_header Feature-policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" always;
# ***************************************************************************************************
# WARNING: The HTTP Content-Security-Policy response header allows sysadmin/developers 
# to control resources the user agent is allowed to load for a given page. 
# Wrong config can create problems for third party scripts/ad networks. Hence read the following url: 
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# ****************************************************************************************************
add_header content-security-policy "default-src https://www.theitroad.com:443" always;  
 
# OCSP stapling
# Verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_stapling on;
ssl_stapling_verify on;  
ssl_trusted_certificate /etc/nginx/ssl/letsencrypt/www.theitroad.com/www.theitroad.com.fullchain.cer;  
 
# Replace with the IP address of your resolver
resolver 8.8.8.8;
}

Step 5: Install the certificate

Install the issued certificate into Apache/Nginx or any other server according to your setup.
Make sure to replace /bin/systemctl reload nginx according to your Linux/Unix distribution.
The -d argument must be the main domain the certificate was issued under (theitroad.com, the first -d in step 3), because acme.sh looks the certificate up by that name and reports "not an issued domain" for www.theitroad.com; the directory Nginx reads from can still be named after www:

# DOMAIN="www.theitroad.com"
# CERT_DOMAIN="theitroad.com"
# CONFIG_ROOT="/etc/nginx/ssl/letsencrypt/$DOMAIN"
# acme.sh -d "$CERT_DOMAIN" \
--install-cert \
--reloadcmd "/bin/systemctl reload nginx" \
--fullchain-file "${CONFIG_ROOT}/$DOMAIN.fullchain.cer" \
--key-file "${CONFIG_ROOT}/$DOMAIN.key" \
--cert-file "${CONFIG_ROOT}/$DOMAIN.cer"

If you also use the ECC certificate, install it the same way (again with the issued main domain theitroad.com as -d, not www.theitroad.com):

# acme.sh -d theitroad.com \
--ecc \
--install-cert \
--reloadcmd "/bin/systemctl reload nginx" \
--fullchain-file "${CONFIG_ROOT}/$DOMAIN.fullchain.cer.ecc" \
--key-file "${CONFIG_ROOT}/$DOMAIN.key.ecc" \
--cert-file "${CONFIG_ROOT}/$DOMAIN.cer.ecc"

Step 6: Test your Nginx setup

If TCP port 443 is not yet open on the Nginx server, make sure to open it.
For example, this is how we open it on Ubuntu or Debian Linux:

$ sudo ufw allow https comment 'Open all to access Nginx port 443'

Open a browser and enter the URL:

https://www.theitroad.com/

Of course, we can also visit the SSL Labs test page to check our TLS/SSL configuration.
Another option is to run the testssl.sh command as follows:

$ testssl.sh --fast --parallel https://www.theitroad.com/
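A scripted version of this check, added as an example and not taken from the original article, testssl.sh or acme.sh. The pure-shell part implements the single-label wildcard matching rule that is the reason step 3 issues both theitroad.com and *.theitroad.com; check_endpoint then fetches the served chain with openssl s_client (OpenSSL 1.1.1 or later is assumed, for x509 -ext) and reports SAN coverage, whether an OCSP staple was sent, and the chain verification result for the host you pass. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article, testssl.sh or acme.sh): verify
# what the reloaded Nginx actually serves. Assumes OpenSSL >= 1.1.1 for x509 -ext.
set -eu

# Single-label wildcard rule (RFC 6125): "*.example.com" covers "www.example.com"
# but neither "example.com" nor "a.b.example.com". This is why step 3 issues the
# apex and the wildcard as two separate -d arguments.
san_covers() {  # san_covers SAN HOST
  _san="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
  _host="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
  case "$_san" in
    \*.*)
      _suffix="${_san#\*}"                       # ".example.com"
      case "$_host" in
        *"$_suffix")
          _rest="${_host%$_suffix}"              # label(s) in front of the suffix
          [ -n "$_rest" ] && [ "${_rest#*.}" = "$_rest" ] ;;   # exactly one label
        *) return 1 ;;
      esac ;;
    *) [ "$_san" = "$_host" ] ;;
  esac
}

# One SAN per line from "openssl x509 -noout -ext subjectAltName" output,
# which looks like "X509v3 Subject Alternative Name:\n    DNS:a, DNS:*.b".
san_names() {  # san_names X509_EXT_OUTPUT
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Succeeds if HOST is covered by any DNS SAN in the x509 output.
cert_covers() {  # cert_covers HOST X509_EXT_OUTPUT
  san_names "$2" | (
    while IFS= read -r n; do
      if san_covers "$n" "$1"; then exit 0; fi
    done
    exit 1
  )
}

# Live check of one host (network access required):
#   check_endpoint www.theitroad.com
check_endpoint() {  # check_endpoint HOST
  h="$1"
  out="$(openssl s_client -connect "$h:443" -servername "$h" -status </dev/null 2>/dev/null)" || {
    echo "could not connect to $h:443" >&2; return 1
  }
  sans="$(printf '%s\n' "$out" | openssl x509 -noout -ext subjectAltName)" || {
    echo "no certificate received from $h" >&2; return 1
  }
  if cert_covers "$h" "$sans"; then
    echo "SAN ok: $h is covered"
  else
    echo "SAN MISMATCH: the served certificate does not cover $h" >&2
    return 1
  fi
  case "$out" in
    *"OCSP Response Status: successful"*) echo "OCSP staple present" ;;
    *) echo "no OCSP staple yet (Must-Staple clients will reject this until nginx has fetched one)" ;;
  esac
  printf '%s\n' "$out" | grep 'Verify return code'   # "0 (ok)" means the chain verifies
}
```

Run check_endpoint for www.theitroad.com and for the apex theitroad.com: the first exercises the wildcard entry, the second the explicit apex entry, and a missing staple on the first call after a reload is the lazy-fetch behaviour described in step 4.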

(Screenshot: Let's Encrypt wildcard SSL certificate issued with acme.sh and Route 53 DNS)