Securing SSL certificate configuration: How I SSL-secured my site after, oops, exceeding the Let's Encrypt limit

Securing SSL certificate configuration

…and before the waiting period was over


Let’s Encrypt is “A nonprofit Certificate Authority providing TLS certificates to 225 million websites.


Unbeknownst to ME until yesterday, Let’s Encrypt has a limit of how many times you can issue a cert for a domain or set of domains per week. I didn’t know this…I didn’t even know to LOOK for this. Guess when I found out about the limit. That’s right; when I exceeded it.


TLDR; If you’ve run into the same issue, try changing the list of domains. For example, if you entered your domains as www.domainname.com and domainname.com, try adding test.domainname.com to that list. (It’s good to have a testing domain anyway!)


After my fix succeeded, it occurred to me that I could have just added one more subdomain to the list, like I’m now suggesting here in my summary, instead of running each domain separately, which is what this post explains how to do. That would have saved me the time figuring out how to modify the Apache files to get the redirect working, and made this post WAY shorter.


First Up

I’m not trying to tell you how to game the system; well, I guess I am, but I hope you’ll only do it once you’ve made the mistake I did, and stumbled onto this post.


They have the limit there for a reason. It’s a non-profit, community funded project, with a large amount of traffic — 225-ish million sites are SSL’d through Let’s Encrypt. I didn’t realize what I was doing when I ran that tool repetitively; and I agree with the limit for free use of the encryption.


What Am I Doing?!

I’m creating a Django website. I’ve created a LOT of websites, but this is my first Django site. It’s my first time hosting through AWS Lightsail, using Bitnami, and my first time using Let’s Encrypt to create an SSL certificate (through Bitnami’s bncert-tool), too. It is NOT, however, the first time I’ve made a hot mess of things.


I decided to automate the whole setup, because I knew I’d have to do this more than once. No way am I going to remember to type all those commands, in the correct order. Let’s just say repetitive work isn’t my strong suit. And although it may exist somewhere, I couldn’t find a way to fully automate what I wanted to automate.


Of course, automating something ALSO means running it a bunch of times, checking the outcome, making tweaks, lather, rinse, repeat. I tell myself it’s a better kind of repetitive, because each time is just a little different. I also learn exactly what I’m doing WAY better than were I to copy and paste instructions from other places into my CLI (command line interface).


In a few days, I got the whole setup automated, up to the Apache config editing and the certificate installation. Yesterday I got the Apache config editing automated. That was pretty easy…and then?


The Bitnami BNCERT-TOOL — UhOh

It took me a few tries to automate the bncert-tool command. Besides getting the script to work, which took a bit, I actually ran the tool five times to be exact, cuz it failed on #6.


First round was running it manually to see what input it needed. Then I used the script to pass those answers into the bncert-tool script.


# What I started with
echo "www.$projname.com $projname.com
Y
Y
n
Y
$su_email
Y
\\n
" | sudo /opt/bitnami/bncert-tool
# figuring out to use \\n cost me some time and possibly a round - I initially had \n. It was supposed to be an Enter, but whatever it sent when I had \n reported an error.

And then, since AWS Lightsail/Bitnami/whoever put the last install package together, the bncert-tool changed. So when I ran it, it asked me an extra question — did I want to update the tool? Since I hadn’t passed that answer into my script, the rest of the question answers were out of order. Another round.


I added a Y for updating it, not realizing the implication of the warning “You’ll have to run it manually”. Seeing I was in the script, I just stupidly assumed it would keep going. No. It exited. So now the tool was updated. Maybe there were a different set of questions, right? I’d better check before shoving the script through again. That manual tool run was another round.


I accommodated the tool update exit, by calling the tool twice in my script. First time, it just passed a “Y” to update. The second call passed all the other answers to it.


# This is what I had before the next issue...stay tuned...
echo "Y" | sudo /opt/bitnami/bncert-tool
echo "www.$projname.com $projname.com
Y
Y
n
Y
$su_email
Y
\\n
" | sudo /opt/bitnami/bncert-tool

It errored, saying it couldn’t find something it needed. I looked, and the necessary file was actually there. I ran it manually, again, with the exact same answers as I’d passed in the code, and it worked fine. Another round.


Hm. I’d just had to write a separate bash function to get the .bash_aliases to source, because it wouldn’t do so directly in my bash script. Well, it did, but it was only sourced while that script was running; which isn’t what I wanted. I wanted the bash_aliases to be available AFTER the script was done running.


Anyway, having just done that, I thought maybe that’s what I needed to do here, too. Another round….or so I thought… because this time, I got kicked out of the processing for issuing too many certs. In hindsight, now that I’ve read a lot more, I understand their reasoning, and I deserved this.


BTW, here’s the automation code that I’m just positive WOULD have worked. Maybe.


# What I ended up with.  This updates the tool, creates a script to run it (because I was having trouble getting it to run directly after the update), and runs it.
echo "Y" | sudo /opt/bitnami/bncert-tool
# Unquoted EOF so $projname and $su_email are expanded when the file is written
cat << EOF >> ~/run_bncert_tool.sh
#!/usr/bin/bash
echo "www.$projname.com $projname.com
Y
Y
n
Y
$su_email
Y
\\n
" | sudo /opt/bitnami/bncert-tool
sudo /opt/bitnami/ctlscript.sh restart
EOF
sudo chown $USER ~/run_bncert_tool.sh
sudo chmod 755 ~/run_bncert_tool.sh
# file name must match the one created above (the post had run_bn_cert_tool.sh here)
source ~/run_bncert_tool.sh

bncert-tool never said anything about the limits until it errored. I googled the error, and THAT’S how I found out the details.


Okay, I thought, I’ll just revoke the previous ones. Nope, doesn’t fix the issue. Plus, it won’t let me revoke, because I’ve already made too many requests (Error 429). Let’s Encrypt DOES provide a staging URL to accommodate a higher number of attempts to test the exact thing I was doing…automation.


But the bncert-tool is binary, so I can’t edit it to put that staging URL in it. I’d have to find another script, or figure out how to run it manually with that staging URL. And I don’t know if the experience would have been the same with the staging version. Sigh.


Obsessive Persistence Pays Off

I started to try to accept the outcome of no SSL attempt for 6 more days. It even told me what time I could come back and try again.



But if I’m nothing else, for better or not, I’m obsessively persistent.


The error message said one thing that ended up being the fix-it secret…It said I’d registered that EXACT set of domains too many times. After taking a walk and eating dinner and drinking a glass of wine…I came up with trying to submit them separately. Spoiler alert: It worked…and then I thought of a better way I could have fixed it. LOL. Of course


Anyway, here’s what I did…

Thinking I may only get away with issuing ONE of them at best, I decided to submit the non-www version. The script warned me it wouldn’t set up the www redirection because www wasn’t in the list of domains. Okay. I accepted that.


It SUCCEEDED! What?! I checked the URL in a browser, and it was secure!


Of course I pushed my luck…I ran it again, only this time for just the www domain. Same redirect-isn’t-happening warnings, which I accepted again. Annnnddd SUCCESS again. You can see the two new ones on the top of this list.


[Image: Certificates and Rate Limit summary. Rate limit and certificate information from letsencrypt.org. Powered by crt.sh]

Fixing The Mess I Made Fixing My Other Mess

Then I realized; oh, I have two certificates now; different ones. And no redirect. I copied the Redirect code out of another instance I hadn’t deleted, and doing the next few steps is what fixed it.


1. Update the httpd.conf

I updated the httpd.conf file and changed the domain to zoombeatz.com, instead of www.zoombeatz.com


# httpd.conf - removed www from the ServerName
ServerName zoombeatz.com:80

2. Add non-www to www redirection to zoombeatz-https-vhosts.conf


zoombeatz-https-vhosts.conf - The non-www to www block (between its BEGIN and END comments) is what I added.

# END: Support domain renewal when using mod_proxy without Location
# BEGIN: Enable non-www to www redirection
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} !^localhost
RewriteCond %{HTTP_HOST} !^[0-9]+.[0-9]+.[0-9]+.[0-9]+(:[0-9]+)?$
RewriteCond %{REQUEST_URI} !^/\.well-known
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
# END: Enable non-www to www redirection

3. Add non-www to www redirection to zoombeatz-vhosts.conf


zoombeatz-vhosts.conf - when I was done with it.  The non-www to www block (between its BEGIN and END comments) is what I added.

# END: Support domain renewal when using mod_proxy without Location
# BEGIN: Enable HTTP to HTTPS redirection
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !^localhost
RewriteCond %{HTTP_HOST} !^[0-9]+.[0-9]+.[0-9]+.[0-9]+(:[0-9]+)?$
RewriteCond %{REQUEST_URI} !^/\.well-known
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
# END: Enable HTTP to HTTPS redirection
# BEGIN: Enable non-www to www redirection
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} !^localhost
RewriteCond %{HTTP_HOST} !^[0-9]+.[0-9]+.[0-9]+.[0-9]+(:[0-9]+)?$
RewriteCond %{REQUEST_URI} !^/\.well-known
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
# END: Enable non-www to www redirection

4. Restart Apache, hold breath…check browser…It worked! Whew!

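To see what the rewrite rules in steps 2 and 3 actually do to a request, here is an added Python model of them (example code, not from the post or from Bitnami). It assumes the ServerName from step 1 is zoombeatz.com, that Apache's bare [R] flag means a 302 and [R=permanent] a 301, and that [L] stops rule processing on a match; the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed: ServerName from httpd.conf after step 1 (the page shows zoombeatz.com:80).
SERVER_NAME = "zoombeatz.com"

# Patterns transcribed from the RewriteCond lines in the two vhost files.
LOCALHOST = re.compile(r"^localhost")
BARE_IP = re.compile(r"^[0-9]+.[0-9]+.[0-9]+.[0-9]+(:[0-9]+)?$")
WWW = re.compile(r"^www\.", re.IGNORECASE)          # the [NC] flag
WELL_KNOWN = re.compile(r"^/\.well-known")           # ACME HTTP-01 challenge path


def common_excludes(host, uri):
    """The three negated RewriteConds every block on the page shares."""
    return (not LOCALHOST.match(host)
            and not BARE_IP.match(host)
            and not WELL_KNOWN.match(uri))


# Each rule: (condition(host, uri, https), target(host, uri), HTTP status).
# zoombeatz-vhosts.conf (port 80), in file order.
HTTP_VHOST = [
    # RewriteCond %{HTTPS} !=on ... RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
    (lambda h, u, s: not s and common_excludes(h, u),
     lambda h, u: f"https://{SERVER_NAME}/{u[1:]}", 302),
    # RewriteCond %{HTTP_HOST} !^www\. [NC] ... RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
    (lambda h, u, s: not WWW.match(h) and common_excludes(h, u),
     lambda h, u: f"http://www.{h}{u}", 301),
]
# zoombeatz-https-vhosts.conf (port 443).
HTTPS_VHOST = [
    (lambda h, u, s: not WWW.match(h) and common_excludes(h, u),
     lambda h, u: f"https://www.{h}{u}", 301),
]


def first_match(rules, host, uri, https):
    """[L] semantics: the first rule whose conditions hold wins."""
    for cond, target, status in rules:
        if cond(host, uri, https):
            return status, target(host, uri)
    return None


def follow(host, uri, https=False, max_hops=5):
    """Trace the redirect chain a request takes through both vhosts."""
    chain = []
    for _ in range(max_hops):
        hit = first_match(HTTPS_VHOST if https else HTTP_VHOST, host, uri, https)
        if hit is None:
            break
        chain.append(hit)
        parts = urlsplit(hit[1])
        https, host, uri = parts.scheme == "https", parts.netloc, parts.path
    return chain


def rules_that_fire(rules, samples):
    """For each rule, whether any sample request reaches and matches it."""
    fired = set()
    for host, uri, https in samples:
        for i, (cond, _, _) in enumerate(rules):
            if cond(host, uri, https):
                fired.add(i)
                break
    return [i in fired for i in range(len(rules))]


# Constructed sample requests: normal hosts, the exclusions, and an ACME challenge path.
SAMPLE_REQUESTS = [
    ("zoombeatz.com", "/", False),
    ("www.zoombeatz.com", "/blog", False),
    ("localhost", "/", False),
    ("10.0.0.5", "/", False),
    ("zoombeatz.com", "/.well-known/acme-challenge/token", False),
]

if __name__ == "__main__":
    for host, uri, https in SAMPLE_REQUESTS:
        print(("https://" if https else "http://") + host + uri, "->", follow(host, uri, https))
    print("port-80 rules that ever fire:", rules_that_fire(HTTP_VHOST, SAMPLE_REQUESTS))
```

The trace shows three things worth knowing before copying these files: every plain-HTTP request takes two hops (302 to https://zoombeatz.com/… because the first rule uses %{SERVER_NAME}, then 301 to www), so http://www.zoombeatz.com/ is bounced through the non-www name and back; the /.well-known path is never redirected, which is what lets the HTTP-01 renewal challenge be answered on port 80; and the non-www block added to zoombeatz-vhosts.conf never fires, because every request it could match is already caught by the HTTP-to-HTTPS rule above it, whose [L] flag ends processing.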

Wrap Up

An improvement to the bncert-tool would be to add a warning not to run this tool until you’re READY to issue a certification for REALZ. A staging test tool would be great as well, for people automating setup like I was, although I don’t know if it would have mimicked the same process, including the question about updating.


An improvement to Let’s Encrypt would be to allow someone who f’d up like me, a one time fee of say $25, to get one more shot before they have to wait their 7 days. That would generate revenue for Let’s Encrypt, and it would save people like me a bunch of time either waiting, or figuring a way around it.


The upside of all this is that I learned quite a bit more about SSL certificates and other related topics, than I would have otherwise.


When my week is up, I will be going back to the Let’s Encrypt site, to revoke all those unused certificates. I’ll post about it when I get through that process, too, so if you make the same initial mistake as me, you can clean up after yourself, too. Hopefully I won’t make some new mistakes un-mistaking the first mistakes, but I wouldn’t bet on that.


Also…as I said in the summary at the top, after doing all this, while writing this post…it occurred to me that I could have just submitted three domains at once, instead of the two separately. It would have met their requirement for the list of domains to be “different”, and I wouldn’t have had to do all this monkeying around with the conf files.


Maybe I’ll blow my newly secured instance away, and try that….Just kidding. I think…. :)


Hope this helps someone!


Resources

You can get a list of certificates issued for your registered domain by searching on crt.sh, which uses the public Certificate Transparency logs.

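Because the "exact set of domains" limit described above only shows itself after the fact, a check against the public CT log data before running any issuance tool avoids the whole problem. The following is an added Python example (not from the post, not a Let's Encrypt or crt.sh tool) that counts how many certificates for an identical SAN set were issued in the last seven days. It assumes crt.sh's JSON output carries the fields serial_number, not_before and a newline-separated name_value, that crt.sh lists a precertificate and its final certificate as separate rows with the same serial, and that the duplicate-certificate limit is 5 per week, which is Let's Encrypt's published figure rather than something the post states; the JSON below is constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the assumed shape of https://crt.sh/?q=%25.zoombeatz.com&output=json
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "serial_number": "03a1", "not_before": "2020-08-30T10:00:00",
     "name_value": "www.zoombeatz.com\nzoombeatz.com"},
    {"id": 2, "serial_number": "03a1", "not_before": "2020-08-30T10:00:00",
     "name_value": "www.zoombeatz.com\nzoombeatz.com"},   # precertificate row, same serial
    {"id": 3, "serial_number": "03a2", "not_before": "2020-08-30T11:00:00",
     "name_value": "www.zoombeatz.com\nzoombeatz.com"},
    {"id": 4, "serial_number": "03a3", "not_before": "2020-08-30T12:00:00",
     "name_value": "www.zoombeatz.com\nzoombeatz.com"},
    {"id": 5, "serial_number": "03a4", "not_before": "2020-08-31T09:00:00",
     "name_value": "www.zoombeatz.com\nzoombeatz.com"},
    {"id": 6, "serial_number": "03a5", "not_before": "2020-08-31T10:00:00",
     "name_value": "www.zoombeatz.com\nzoombeatz.com"},
    {"id": 7, "serial_number": "0290", "not_before": "2020-08-01T10:00:00",
     "name_value": "www.zoombeatz.com\nzoombeatz.com"},   # older than the window
    {"id": 8, "serial_number": "03b1", "not_before": "2020-08-31T18:00:00",
     "name_value": "zoombeatz.com"},
])

# Assumed: Let's Encrypt's published Duplicate Certificate limit, not a value from the post.
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)
# Constructed "current time" so the example is deterministic offline.
NOW = datetime(2020, 9, 1, 12, 0, 0)


def parse_crtsh(raw):
    """Map serial -> (not_before, frozenset of SANs), collapsing precert/cert pairs."""
    records = {}
    for entry in json.loads(raw):
        serial = entry["serial_number"]
        if serial in records:
            continue
        sans = frozenset(n.strip().lower()
                         for n in entry["name_value"].split("\n") if n.strip())
        records[serial] = (datetime.fromisoformat(entry["not_before"]), sans)
    return records


def issuances_in_window(records, now=NOW):
    """Count certificates per exact SAN set issued within the trailing window."""
    cutoff = now - WINDOW
    counts = defaultdict(int)
    for not_before, sans in records.values():
        if cutoff <= not_before <= now:
            counts[sans] += 1
    return dict(counts)


def remaining_duplicates(raw, names, now=NOW):
    """How many more certs for exactly this set of names fit under the limit."""
    key = frozenset(n.lower() for n in names)
    used = issuances_in_window(parse_crtsh(raw), now).get(key, 0)
    return max(DUPLICATE_LIMIT - used, 0)


if __name__ == "__main__":
    for names in (["www.zoombeatz.com", "zoombeatz.com"],
                  ["zoombeatz.com"],
                  ["www.zoombeatz.com", "zoombeatz.com", "test.zoombeatz.com"]):
        print(sorted(names), "remaining this week:", remaining_duplicates(SAMPLE_CRTSH_JSON, names))
```

Run against the constructed data, the www+apex pair has used all five issuances, the apex alone has four left, and the three-name list from the TLDR counts as a fresh set with five. Grouping by the full SAN set, not by a single domain, is what matches the "EXACT set of domains" wording in the error the post quotes, and deduplicating on the serial number keeps the precertificate rows crt.sh shows from doubling the count.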

https://tools.letsdebug.net/cert-search


https://tools.letsdebug.net/cert-revoke


Translated from: https://medium.com/@binarybelle/how-i-ssl-secured-my-site-after-oops-exceeding-lets-encrypt-limit-add6e5609b2a
