Ubuntu:為 Docker 中的 Apache 容器使用 CertBot 自動安裝 Let’s Encrypt SSL 憑證

2022/01/05 1,054 0 作業系統 , 資訊安全 , 伺服器 , Linux , Ubuntu ,

首先,我的 Apache HTTP 伺服器是架設在 Docker 的容器之中,所以一開始一定要將該容器的 port 80 跟 443 對外開放,這樣相對應的 HTTP 與 HTTPS 傳輸協定才能使用,訪客才能透過瀏覽器訪問我們的網站,不過由於我們尚未安裝 SSL 憑證,所以 HTTPS 連線暫時無法使用,為了讓它能正常運作,現在我們要利用 CertBot 這個工具,為容器內的 Apache 自動取得由 Let’s Encrypt 提供的免費 SSL 憑證。現在就開始吧!


▲ 這是 CertBot 的官方網站截圖,一般來說只要照著官網提供的選項,選擇您使用的作業系統及網頁伺服器架構,接著就能照著說明去執行相關指令完成自動 SSL 憑證申請,但由於我們的網頁伺服器是被關在 Docker 容器中,因此需要使用特殊的方式進行。另外要注意,CertBot 去申請的憑證來自 Let’s Encrypt,其憑證期限是三個月,所以必須定時更新,幸好 CertBot 有提供相對應的指令可以幫助我們更新憑證,文末會提及。

開始!打開終端機先 SSH 連線到伺服器,請先用 docker ps 查看容器名稱或 ID,接著輸入 docker exec -it [容器] bash 進入該容器並保持可輸入指令狀態,下 apt install certbot python3-certbot-apache -y 將 CertBot 安裝進容器內,再來用 certbot --apache 啟動機器人。


▲ 接著會看到以下文字內容:

root@123a45bbcccc:/var/log/letsencrypt# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):

基本上需要先輸入 E-MAIL...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

再來要同意註冊至 ACME 伺服器,請一定要 Y...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

是否要接收相關 E-MAIL,這部分可以 N,接著會看到註冊成功文字。

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel):

這個是要輸入您的網域名稱,輸入「c」可以取消,這裡先以「example.com」替代,會看到以下回應:

Requesting a certificate for example.com
Performing the following challenges:
http-01 challenge for example.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your certificate will expire on 2022-04-05. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

到目前為止,CertBot 已經幫助您完成申請 SSL 憑證囉!文字中可以看到兩個重點,一是這個新憑證會在三個月後到期,二是這個憑證可以透過 certbot renew 指令更新憑證,但理論上 Certbot 程式包會附帶一個 cron 作業或 systemd 計時器,所以無需自行手動更新,它會自動更新憑證。由於現在憑證還很新,直接輸入指令會得到以下回應:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem expires on 2022-04-05 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

以上文字就是不需要更新憑證的意思。若要模擬憑證更新,可以用 certbot renew --dry-run 指令,得到結果如下:

root@123a45bbcccc:/var/log/letsencrypt# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Account registered.
Simulating renewal of an existing certificate for example.com
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

預設情況下 CertBot 會讓 HTTP 自動轉 HTTPS,但若不想要這樣,很簡單!只要到容器內的 /etc/apache2/sites-enabled,用文字編輯器打開 000-default.conf(推薦用 VIM),接著:

RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

改成

RewriteEngine off
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

或是直接將這三行移除也是OK的!設定檔改好後記得下 service apache2 restart 重新啟動伺服器以讓新設定生效喔!

希望這個圖文有幫助到大家!

贊助廣告 ‧ Sponsor advertisements

留言區 / Comments

萌芽論壇