Home » Posts tagged "letsencrypt" (Page 4)

把家裡的機器換上 Let's Encrypt 的 SSL certificate

依照「Beta Program Announcements」這邊的指示去填單申請 Let's Encrypt 的 SSL certificate (先幫 home.gslin.org 申請),等了好幾天,在剛剛收到信就弄了弄,還蠻順利就設好了。

可以看到 Let's Encrypt Authority X1DST Root CA X3 簽名的情況,而後者已經被大多數瀏覽器所確認了:

首先是先把 letsencrypt client 拉下來:

$ git clone https://github.com/letsencrypt/letsencrypt


$ cd letsencrypt
$ ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly

執行時會先建立環境 (由於需要寫到 /etc/letsencrypt 裡面,會需要 root 或 sudo 權限)。

接下來會跳出一些畫面讓你設定,包括 hostname 以及聯絡資訊,再來就是認證的方式 (我是跳出使用 apache 或是 standalone web server),由於我的 port 443 已經被 apache 吃掉,所以需要用 apache。


 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/home.gslin.org/fullchain.pem. Your cert will
   expire on 2016-02-02. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.

有效期限 90 days,雖然裡面是講 fullchain.pem,但其實每個檔案都有拆開放,看一下 /etc/letsencrypt/live/home.gslin.org/ 路徑裡的檔案,設定對應的 cert/chain/key 應該還是比較習慣的作法。

官方目前的建議是 60 days 重新 renew 一次,也許可以設成 cron,每兩個月自動更新一次 (並且 reload apache)。

Let's Encrypt 的 Limited Beta

Let's Encrypt 在拿到 IdenTrust 提供的 cross sign (參考「Let's Encrypt 正式出發」) 後所啟動的計畫:「Beta Program Announcements」。

要先透過 Google Forms 填單等待,等通過後要指定 production server 才會發出來。

要注意的是,Let's Encrypt 發出來的 SSL certificate 會比較短,只有 90 天有效,設計上是依靠自動機制在更新,所以理論上不會有問題:

Certificates from Let's Encrypt are valid for 90 days. We recommend renewing them every 60 days to provide a nice margin of error. As a beta participant, you should be prepared to manually renew your certificates at that time. As we get closer to General Availability, we hope to have automatic renewal tested and working on more platforms, but for now, please play it safe and keep track.

再來是有註冊限制,分成 Registrations/IP address 與 Certificates/Domain 兩個限制:

There are two rate limits in play: Registrations/IP address, and Certificates/Domain.

前者的限制是每天 10 次:

Registrations/IP address limits the number of registrations you can make in a given day; currently 10. This means you should avoid deleting the /etc/letsencrypt/accounts folder, or you may not be able to re-register.

後者的限制是每個 domain 只給 4 個 certificate:

Certificates/Domain you could run into through repeated re-issuance. This limit measures certificates issued for a given combination of Top Level Domain + Domain. This means if you issue certificates for the following domains, at the end you would have what we consider 4 certificates for the domain example.com.


Let's Encrypt 的新進展

Let's Encrypt 宣佈有新的進度了,已經可以從 Root Certificate 簽其他的 SSL Certificate 了:「Our First Certificate Is Now Live」。

測試的網站在 https://helloworld.letsencrypt.org/ 這邊,目前應該還是屬於不信任狀態。一旦 cross sign 或是被加到瀏覽器內,這個網站應該就會馬上生效了。