Let's Encrypt with Spring Boot HTTPS

Network administration basics

Route53 and basic network administration concepts
EC2 HTTPS setup

Binding a domain on AWS

  1. In Route53, create a Hosted Zone for the domain you registered yourself (my-domain.me)
  2. In that Hosted Zone, create a Record (my-domain.me) that points to the EC2 instance; use an Elastic IP for the A record, because an instance's ordinary public IP changes on stop/start and would leave the record stale

Requesting a Let's Encrypt certificate

1. Install the certbot tool

$ git clone https://github.com/certbot/certbot.git
$ cd certbot
$ ./certbot-auto

(certbot-auto has since been retired; on a current system install certbot from the distribution package or snap and type certbot wherever ./certbot-auto appears below.)

2. Request the certificate through a certbot plugin

$ ./certbot-auto certonly --authenticator standalone -d my-domain.me --email someone@gmail.com

The standalone authenticator starts its own temporary web server to answer the challenge, so run it as root with port 80 free and the EC2 security group allowing inbound port 80 from anywhere (the Spring Boot app below listens on 8080/8443, so it does not get in the way). Certbot asks a few questions along the way, and Let's Encrypt then sends requests to my-domain.me to verify that you control the domain.


3. Turn the Let's Encrypt key and certificate into a keystore with openssl

certbot writes the current certificate to this directory (the files are symlinks into /etc/letsencrypt/archive and are readable by root only, so run these commands as root or with sudo):

$ cd /etc/letsencrypt/live/my-domain.me

Spring Boot's embedded Tomcat wants a keystore rather than loose PEM files, so bundle the private key and the full chain (leaf plus intermediate) into a PKCS#12 file; the alias given with -name is what application-prod.yml refers to later:

$ openssl pkcs12 -export -in fullchain.pem \
                 -inkey privkey.pem \
                 -out keystore.p12 \
                 -name tomcat \
                 -CAfile chain.pem \
                 -caname root

Copy the keystore into the Spring Boot project's resources directory:

$ cp keystore.p12 ~/my-web-project/src/main/resources/

Note that this bakes the private key into the jar, so treat the built artifact as a secret, and every renewal needs a fresh keystore and a rebuild. Pointing server.ssl.key-store at a file outside the jar (file:/path/to/keystore.p12) avoids the rebuild.

4. Configure application-prod.yml

The keystore sits on the classpath, so reference it with the classpath: prefix; the type and alias must match what was given to openssl (PKCS12, -name tomcat):

server:
    port: 8443
    ssl:
        key-store: classpath:keystore.p12
        key-store-password: pwd
        key-store-type: PKCS12
        key-alias: tomcat

Do not commit a real password here; Spring resolves placeholders, so key-store-password: ${KEYSTORE_PASSWORD} lets the value come from the environment on the server.

5. Redirect HTTP to HTTPS

Plain HTTP is on its way out and Google no longer favours it, so redirect HTTP to HTTPS while you are at it. @Profile("prod") keeps the local development (dev) workflow simple, without HTTPS; only when the machine goes live (prod) is this Configuration bean activated. The classes below are Spring Boot 1.x; in Spring Boot 2.x the equivalents are ServletWebServerFactory (org.springframework.boot.web.servlet.server) and TomcatServletWebServerFactory (org.springframework.boot.web.embedded.tomcat), with the same postProcessContext and addAdditionalTomcatConnectors methods.


import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;

// Only active under the "prod" profile; dev keeps running plain HTTP.
@Profile("prod")
@Configuration
public class WebConfiguration {

    // The HTTPS port from application-prod.yml (8443); HTTP requests are redirected here.
    @Value("${server.port}")
    private Integer serverPort;

    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                // CONFIDENTIAL on /* means every URL must arrive over a secure connector;
                // Tomcat answers plain-HTTP requests with a redirect to the redirectPort.
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        };

        // Spring Boot already builds the SSL connector from server.ssl.*; add a plain one next to it.
        tomcat.addAdditionalTomcatConnectors(initiateHttpConnector());
        return tomcat;
    }

    // Plain-HTTP connector on 8080 whose only job is to redirect to the HTTPS port.
    private Connector initiateHttpConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setScheme("http");
        connector.setPort(8080);
        connector.setSecure(false);
        connector.setRedirectPort(serverPort);

        return connector;
    }
}

6. Package and deploy

$ mvn clean package

Start the jar on the EC2 instance with the prod profile active, otherwise neither application-prod.yml nor the @Profile("prod") bean is loaded (substitute your own artifact name):

$ java -jar target/my-web-project.jar --spring.profiles.active=prod

Then check both the HTTPS endpoint and the redirect; the plain-HTTP connector should answer with a 302 Location pointing at https://my-domain.me:8443/ (remember to open inbound 8080 and 8443 in the instance's security group):

$ curl https://my-domain.me:8443/
$ curl -I http://my-domain.me:8080/

Let's Encrypt certificate rate limits (as they stood when this was written; check the current values at https://letsencrypt.org/docs/rate-limits/)

  • Names/Certificate: a single certificate may cover at most 100 hostnames.
  • Certificates/Domain: at most 20 certificates per registered domain per week; renewals do not count against this quota (the hostnames in the certificate must be exactly the same as before).
  • Certificates/FQDN set: at most five certificates per week for the identical set of hostnames, and renewals do count here, so do not put a failing renewal in a retry loop.

Renew Certificate

Because certbot is installed, renewal comes packaged as well; one command does it:


$ cd certbot
$ ./certbot-auto

Here it asks which domain to handle. Note the "Plugins selected: Authenticator apache, Installer apache" line in the output: this run renewed the certificate and installed it into an Apache vhost on the box. With the Spring Boot setup above there is no installer plugin, so run ./certbot-auto renew and then rebuild the keystore and restart the app, because the JVM only reads the keystore at startup.


Requesting to rerun /bin/certbot-auto with root privileges...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: my-domain.me
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

Here it asks about the redirect, i.e. whether http (port 80) should be redirected to https. (The tls-sni-01 challenge shown below has since been retired by Let's Encrypt; current certbot uses http-01 on port 80 or dns-01.)


Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for my-domain.me
Waiting for verification...
Cleaning up challenges
Deploying Certificate for my-domain.me to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.

Ta-da, the renewal succeeded:


-------------------------------------------------------------------------------
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains:
https://my-domain.me

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=my-domain.me
-------------------------------------------------------------------------------

A helpful note at the end: the path of the renewed certificate and its expiry date, 2017-12-02 (Let's Encrypt certificates are valid for 90 days, which is why renewal needs automating):

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/my-domain.me/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/my-domain.me/privkey.pem
   Your cert will expire on 2017-12-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

CronJob automation
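The script below is an added example, not code from the original post. It covers step 3 (building the keystore from the Let's Encrypt files, with the checks a practitioner wants before shipping it: that privkey.pem really belongs to cert.pem, and that the keystore actually contains the right leaf certificate) and reuses the same function as a certbot deploy hook, so that a cron-driven certbot renew rebuilds the keystore and restarts the app after each real renewal. Assumed names, none of them from the post: the app runs as a systemd unit my-web.service, reads its keystore from /opt/my-web/keystore.p12 (so server.ssl.key-store would be file:/opt/my-web/keystore.p12 instead of the classpath copy), and the keystore password comes from the KEYSTORE_PASSWORD environment variable so that it never appears in process listings.

```shell
#!/bin/sh
# Added example (not part of the original post): build the PKCS#12 keystore
# Spring Boot needs from a certbot "live" directory, verify it, and do the
# same again automatically as a certbot deploy hook after every renewal.
# Assumptions (not from the post): systemd unit my-web.service, keystore at
# /opt/my-web/keystore.p12, password supplied in $KEYSTORE_PASSWORD.
set -eu

# build_keystore LIVE_DIR OUT_P12 [ALIAS]
# The password reaches openssl via env:KEYSTORE_PASSWORD, so it is not visible in ps.
build_keystore() {
  live="$1"; out="$2"; ks_alias="${3:-tomcat}"
  : "${KEYSTORE_PASSWORD:?KEYSTORE_PASSWORD must be set}"
  export KEYSTORE_PASSWORD
  for f in cert.pem privkey.pem fullchain.pem; do
    [ -r "$live/$f" ] || { echo "missing or unreadable $live/$f" >&2; return 1; }
  done
  # Refuse to build a keystore whose key does not belong to its certificate
  # (happens when archive files get mixed up or copied from another lineage).
  if [ "$(openssl x509 -in "$live/cert.pem" -noout -pubkey)" != \
       "$(openssl pkey -in "$live/privkey.pem" -pubout)" ]; then
    echo "privkey.pem does not match cert.pem in $live" >&2
    return 1
  fi
  # fullchain.pem = leaf + intermediate, so Tomcat sends the whole chain and
  # clients that do not already have the intermediate still validate.
  openssl pkcs12 -export -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
    -name "$ks_alias" -passout env:KEYSTORE_PASSWORD -out "$out"
  chmod 600 "$out"
}

# keystore_subject OUT_P12 -> subject of the leaf certificate inside the keystore
keystore_subject() {
  openssl pkcs12 -in "$1" -passin env:KEYSTORE_PASSWORD -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# cert_valid_for_days CERT_PEM DAYS -> succeeds if the cert is still valid DAYS from now
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# deploy_hook: run by certbot after a successful renewal. certbot exports
# RENEWED_LINEAGE (the live/<domain> directory) to deploy hooks.
deploy_hook() {
  live="${RENEWED_LINEAGE:?not running under certbot --deploy-hook}"
  target="${KEYSTORE_PATH:-/opt/my-web/keystore.p12}"
  build_keystore "$live" "$target.tmp" tomcat
  mv "$target.tmp" "$target"          # atomic replace, no half-written keystore
  # The JVM reads the keystore once at startup, so a restart is required.
  ${RESTART_CMD:-systemctl restart my-web.service}
}

# /etc/cron.d/certbot-renew (assumed file name): certbot only renews when fewer
# than 30 days remain, so running twice a day is cheap and the hook only fires
# on an actual renewal. KEYSTORE_PASSWORD is set in the cron file itself.
#   KEYSTORE_PASSWORD=pwd
#   0 3,15 * * * root certbot renew --quiet --deploy-hook "/usr/local/bin/spring-keystore-hook.sh --hook"

# Act as the hook when certbot invokes this file directly.
if [ "${1:-}" = "--hook" ]; then deploy_hook; fi
```

Install it as /usr/local/bin/spring-keystore-hook.sh, owned by root with mode 700 since it reads privkey.pem, and keep the cron file root-only as well because it carries the password. Running it once by hand with RENEWED_LINEAGE=/etc/letsencrypt/live/my-domain.me produces the first keystore for step 3; after that every real renewal rebuilds it and restarts the service, and the standalone authenticator still finds port 80 free because the app only binds 8080 and 8443.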

