CertBot

CertBot是一个ACME代理, ACME协议是一个证书自动管理环境的协议。以下引自维基百科:

The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating interactions between certificate authorities and their users' web servers, allowing the automated deployment of public key infrastructure at very low cost.[1][2] It was designed by the Internet Security Research Group (ISRG) for their Let's Encrypt service.[1]

CertBot与Let's Encrypt(LE)的关系是客户端与服务端的关系,两者通过ACME协议实现对证书的自动管理。

LE官网给出了很多ACME的代理实现,但首推的是CertBot。按道理讲,ACME协议公布之后,LE的实现应该也是可替换的,目前不知道是否还有其他CA支持ACME。

CertBot与LE配合可以为大家提供免费的可信证书,LE目前只支持DV(Domain Validation)这种方式的证书发放。

CertBot提供了很多命令来管理证书的获取,更新,与撤销,详情可参阅官网。

CertBot在获取与安装证书时,支持两种类型的插件:Authenticators与Installers

以下引自官网:

Authenticators are plugins used with the certonly command to obtain a certificate. The authenticator validates that you control the domain(s) you are requesting a certificate for, obtains a certificate for the specified domain(s), and places the certificate in the /etc/letsencrypt directory on your machine. The authenticator does not install the certificate (it does not edit any of your server’s configuration files to serve the obtained certificate). If you specify multiple domains to authenticate, they will all be listed in a single certificate. To obtain multiple separate certificates you will need to run Certbot multiple times.

Installers are Plugins used with the install command to install a certificate. These plugins can modify your webserver’s configuration to serve your website over HTTPS using certificates obtained by certbot.

Plugins that do both can be used with the certbot run command, which is the default when no command is specified. The run subcommand can also be used to specify a combination of distinct authenticator and installer plugins.

官网列出了常见服务器的插件列表,请参见官网说明使用。

比如apache服务器,Authenticator与Installer都有,其中Challenge types (and port)只支持tls-sni-01 (443),

也就是说apache插件使用tls-sni-01这种方式来向LE完成Domain Validation。具体的tls-sni-01的详细验证方式请参见:

https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.3

standalone的服务器,只有Authenticator,支持http-01 (80) or tls-sni-01 (443)这两种Challenge types。

其中http-01的详细方式可以参看LE官网,因为有配图,可能会比 ietf.org中的描述更好理解一些。



阅读更多

没有更多推荐了,返回首页