Setting up Let's Encrypt with Dehydrated

I used to renew this blog's Let's Encrypt certificate with Certbot. It worked well enough, but the automatic renewal frequently failed (most likely a problem in my own configuration)...

Later, at work, DK mentioned dehydrated, a lightweight Let's Encrypt client. After a quick look at its repository, it really does feel friendly to use on an ordinary Linux system, because the tools it depends on are usually already part of a default Linux install.

Having skimmed it, let's go straight to the commands needed to set it up... (these follow the setup on DK's wiki)

Installing Dehydrated

# use a temporary directory to download dehydrated
mkdir -p ~/tmp && cd ~/tmp
wget "https://raw.githubusercontent.com/dehydrated-io/dehydrated/master/dehydrated"
chmod +x dehydrated
sudo mv dehydrated /usr/local/bin/

Configuring Dehydrated

# create the directories that dehydrated will need
sudo mkdir -p /etc/dehydrated /var/www/dehydrated

# change to the dehydrated directory
cd /etc/dehydrated

# set up the config
echo 'OCSP_MUST_STAPLE=yes' | sudo tee -a config
echo 'KEYSIZE=2048' | sudo tee -a config
echo 'WELLKNOWN=/var/www/dehydrated' | sudo tee -a config

# set up the domains file
echo 'blog.gechen.org' | sudo tee -a domains.txt

Configuring Nginx

In this example, Nginx is what answers the Let's Encrypt challenge when dehydrated runs later...

Below is the Nginx example configuration for the corresponding domain

server {
    listen 80;
    server_name blog.gechen.org;
    rewrite ^(.*) https://$host$1 permanent;
}

server {
    listen 443 ssl;
    server_name blog.gechen.org;

    index index.php;
    ssl_certificate /etc/dehydrated/certs/blog.gechen.org/fullchain.pem;
    ssl_certificate_key /etc/dehydrated/certs/blog.gechen.org/privkey.pem;

    # OCSP_MUST_STAPLE=yes in the dehydrated config puts the must-staple
    # extension into the certificate, so nginx has to staple an OCSP
    # response or Firefox refuses the connection; nginx also needs a
    # 'resolver' directive (not shown here) to look up the OCSP responder
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/dehydrated/certs/blog.gechen.org/chain.pem;

    # ... skip some configs

    # this part is for dehydrated: the CA requests the challenge over plain
    # HTTP and follows the redirect from the port-80 server above; the
    # trailing slash on the alias is required so that
    # /.well-known/acme-challenge/<token> maps to /var/www/dehydrated/<token>
    # (without it nginx would look for /var/www/dehydrated<token>)
    location /.well-known/acme-challenge/ {
        alias /var/www/dehydrated/;
    }
}

Running Dehydrated to request/renew Let's Encrypt certificates

If this is the first time you use dehydrated, you also need to run the following command

sudo dehydrated --register --accept-terms

Use the following commands to request/renew Let's Encrypt certificates

# the following command requests/renews certificates for the domains listed in /etc/dehydrated/domains.txt
sudo dehydrated -c

# or we can directly use the command below to request a certificate for a specific domain
sudo dehydrated -c -d blog.gechen.org

Setting up a cron job to renew certificates automatically

This weekly renewal job is taken directly from DK's wiki example... The sleep derives an offset of up to 24 hours (86400 seconds) from a hash of the hostname, so that many hosts running the same job do not all contact the CA at the same moment.

echo -e '#!/bin/bash\nexport PATH=/usr/sbin:/usr/bin:/bin:"${PATH}"\nsleep $(expr $(printf "%d" "0x$(hostname | md5sum | cut -c 1-8)") % 86400); dehydrated -c && ( service nginx reload )' | sudo tee /etc/cron.weekly/dehydrated; sudo chmod 755 /etc/cron.weekly/dehydrated 
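Once the cron job is in place, it is worth verifying the whole chain end to end: that nginx really serves the challenge directory the way the CA fetches it (plain HTTP, following the redirect), and how many days each deployed certificate has left. The script below is an added example, not code from dehydrated or from the original post; it assumes the paths configured above (/etc/dehydrated/domains.txt and /var/www/dehydrated), that nginx is running on the host, and that it is run as a user allowed to write into the WELLKNOWN directory.

```python
import secrets, socket, ssl, urllib.request
from datetime import datetime, timezone
from pathlib import Path

DOMAINS_TXT = Path("/etc/dehydrated/domains.txt")  # written in the config step above
WELLKNOWN = Path("/var/www/dehydrated")            # WELLKNOWN= in the dehydrated config
RENEW_DAYS = 30                                    # dehydrated's default renewal threshold

def parse_domains(text):
    """domains.txt: one cert per line, first name is primary, the rest SANs;
    '#' starts a comment and '> alias' names the certificate directory."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [l.split(">", 1)[0].split() for l in lines if l]

def days_left(not_after, now=None):
    """Days until expiry from the notAfter string ssl.getpeercert() returns,
    e.g. 'Jun  1 12:00:00 2025 GMT'."""
    exp = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return (exp - (now or datetime.now(timezone.utc))).days

def challenge_reachable(domain):
    """Fetch a throw-away token the way the CA does: plain HTTP, following the
    redirect to HTTPS; a wrong 'alias' or missing location block shows as 404."""
    token = secrets.token_urlsafe(16)
    path = WELLKNOWN / token
    path.write_text(token)
    try:
        url = f"http://{domain}/.well-known/acme-challenge/{token}"
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode() == token
    except (OSError, UnicodeDecodeError):
        return False
    finally:
        path.unlink(missing_ok=True)

def cert_days(domain):
    """Days left on the certificate nginx actually serves for the domain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return days_left(tls.getpeercert()["notAfter"])

if __name__ == "__main__":
    for names in parse_domains(DOMAINS_TXT.read_text()):
        for domain in names:
            ok, days = challenge_reachable(domain), cert_days(domain)
            print(f"{domain}: challenge {'ok' if ok else 'FAIL'}, {days} days left"
                  f"{' (RENEW)' if days < RENEW_DAYS else ''}")
```

A FAIL on the challenge line means the next `dehydrated -c` will not be able to validate that name, so it is the thing to fix before the certificate gets close to its expiry date.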

References:

Upgrading WordPress to HTTPS

Requesting a Let's Encrypt certificate

Since this machine runs Ubuntu 20.04, certbot is installed directly with the following command

sudo apt install certbot python3-certbot-nginx

Next, use certbot to request a certificate issued by Let's Encrypt.

With the command below we request a wildcard certificate through certbot; to prove that the domain is ours, we have to complete an ACME challenge (a DNS challenge, as selected by --preferred-challenges dns).

sudo certbot certonly --preferred-challenges dns --manual  -d '*.gechen.xyz' --server https://acme-v02.api.letsencrypt.org/directory

After running the command above, the terminal shows a string. Add that string as a DNS TXT record and, once the TXT record is in place, continue the certbot request.

If all goes well, certbot installs the certificate it obtained under the path below. It is valid for three months, after which we have to renew it again.

/etc/letsencrypt/live/gechen.xyz/

Upgrading WordPress to use HTTPS

Next, change the Nginx configuration to use the newly obtained certificate

server {
    listen 80;
    listen [::]:80;
    server_name blog.gechen.xyz;
    rewrite ^(.*) https://$host$1 permanent;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name blog.gechen.xyz;
    index index.php;
    root /var/www/html/wordpress;
    ssl_certificate /etc/letsencrypt/live/gechen.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gechen.xyz/privkey.pem;
    ssl_session_timeout 5m;
    # the original line also offered TLSv1 and TLSv1.1, which are deprecated
    # (RFC 8996); only TLS 1.2 and 1.3 should be enabled
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_trusted_certificate /etc/letsencrypt/live/gechen.xyz/fullchain.pem;
    client_max_body_size 100M;
    error_log /var/log/nginx/secure_ssl_error.log;
    access_log /var/log/nginx/secure_ssl_access.log;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Updating the WordPress site URL

Refer to the earlier WordPress setup steps to set the new https site URL

That completes the upgrade