Generating an SSL certificate with Let's Encrypt: difference between revisions

From Domoticz
(Created page with "This article shows you how to add a Lets Encrypt certificate to Domoticz so you can access your server over a secure HTTPS channel. The provided steps are executed...")
(11 intermediate revisions by 2 users not shown)
Line 1: Line 1:
This article shows you how to add a Let's Encrypt certificate to Domoticz so you can access your server over a secure HTTPS channel.
This article explains how to install a Let's Encrypt certificate for Domoticz so that you can reach Domoticz over an HTTPS channel.


The provided steps were executed on a Raspberry Pi, but they should work on every Linux OS.
The steps provided were carried out on a Raspberry Pi 3; in principle they apply to other Linux systems as well.


Prerequisites (see here: http://www.domoticz.com/wiki/Native_HTTPS_/_SSL_support)
Prerequisites (see here: [[原生支持HTTPS/SSL|Native HTTPS/SSL support]])
* Port 80 (HTTP) and 443 (HTTPS) are forwarded to your Domoticz server
* Ports 80 (HTTP) and 443 (HTTPS) must be forwarded in your router
* You own a domain name
* You need a domain name
* The (sub)domain name for Domoticz has a DNS entry that points to your external IP address
* The domain name must point to the external IP of the network Domoticz is on


==Startup script==
==Startup script==
If you want Domoticz to use only HTTPS, you will need to edit the startup script.
If you want to allow access to Domoticz over HTTPS only, you need to edit the Domoticz startup script:


<code>sudo vi /etc/init.d/domoticz.sh
<syntaxhighlight lang="bash">sudo vi /etc/init.d/domoticz.sh</syntaxhighlight>


DAEMON_ARGS="-daemon -sslwww 443"</code>
<code>DAEMON_ARGS="-daemon -sslwww 443"</code>


==Install Let's Encrypt==
==Install Let's Encrypt==
<code>git clone https://github.com/letsencrypt/letsencrypt</code>
<syntaxhighlight lang="bash">sudo git clone https://github.com/letsencrypt/letsencrypt</syntaxhighlight>


==Generate the certificate==
==Generate the certificate==
Command:


<code>cd letsencrypt
<syntaxhighlight lang="bash">cd letsencrypt
sudo ./letsencrypt-auto certonly --manual --email <your email> -d <your domain name></code>
sudo ./letsencrypt-auto certonly --manual --email <your email> -d <your domain name></syntaxhighlight>


Note: write the domain name in full. For example, if you use home.domoticz.cn, you cannot write just domoticz.cn.


You can specify multiple domain names by adding another -d parameter, followed by the domain name, for each additional domain.
If you have several domain names, keep appending -d parameters to the command, one domain name after each -d.


If the following message shows, don't press Enter:
If the following message is displayed, do not press Enter:


<syntaxhighlight lang="text">
<syntaxhighlight lang="text">
Line 32: Line 34:
mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
cd /tmp/letsencrypt/public_html
printf "%s" <some random string> > .well-known/acme-challenge/<some random string>
printf "%s" <some random string> > .well-known/acme-challenge/<some random string>
# run only once per server:
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
Line 41: Line 43:
</syntaxhighlight>
</syntaxhighlight>


Open another shell window and execute the given commands to validate ownership of the server.
Open a new shell window and run the following commands to add the random-string file that Let's Encrypt just printed to the web site, so that Let's Encrypt's domain validation passes:


<syntaxhighlight lang="text">
<syntaxhighlight lang="bash">
mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
mkdir -p /home/pi/domoticz/www/.well-known/acme-challenge/
cd /tmp/letsencrypt/public_html
cd /home/pi/domoticz/www/
printf "%s" <some random string> > .well-known/acme-challenge/<some random string>
printf "%s" <some random string> > .well-known/acme-challenge/<some random string>
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
</syntaxhighlight>
</syntaxhighlight>


'''Edit Nov 4 2016'''. Alternative: Domoticz is itself a web server, so direct registration is possible. Simply copy the file /tmp/letsencrypt/public_html/.well-known/acme-challenge/<some random string> to /home/pi/domoticz/www/.well-known/acme-challenge/
Note: this step requires your Domoticz to be reachable from the internet on port 80. If port 80 still cannot be reached from outside even though you have set up port forwarding in your router, your ISP may be blocking port 80. In that case you need another virtual host or server that is reachable on port 80: point your domain at it and place the validation file on that site.
and check that your Domoticz is accessible on HTTP port 80 (i.e. NAT forwarding in your router).


Confirm that http://<your domain>/.well-known/acme-challenge/<some random string> opens correctly in a browser.
Then go back to the previous shell window and press Enter to continue generating the certificate.


 
If everything is OK, the following message should be returned:
Now press Enter in the other shell. If everything is OK this message shows:
 
<syntaxhighlight lang="text">
<syntaxhighlight lang="text">
IMPORTANT NOTES:
IMPORTANT NOTES:
Line 72: Line 69:
</syntaxhighlight>
</syntaxhighlight>


==Add the certificate to Domoticz==
==Add the certificate to Domoticz==
The last thing to do is to add the created certificate to Domoticz.
The last thing to do is to add the created certificate to Domoticz.
This is easily done with the following commands:
It's simple: just run the following commands:


<code>
<syntaxhighlight lang="bash">
sudo rm ~/domoticz/server_cert.pem<br>
sudo rm ~/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/<your domain>/privkey.pem >> ~/domoticz/server_cert.pem<br>
sudo cat /etc/letsencrypt/live/<your domain>/privkey.pem >> ~/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/<your domain>/fullchain.pem >> ~/domoticz/server_cert.pem<br>
sudo cat /etc/letsencrypt/live/<your domain>/fullchain.pem >> ~/domoticz/server_cert.pem
</code>
</syntaxhighlight>


When there's a Domoticz error after restarting the service like:
Then restart the domoticz service: <syntaxhighlight lang="bash">sudo service domoticz.sh restart</syntaxhighlight>

If the following error message appears after restarting the domoticz service:
Error: [web:443] missing SSL DH parameters from file
Error: [web:443] missing SSL DH parameters from file
Add the DH parameters:
Just add the DH parameters:


<code>
<syntaxhighlight lang="bash">
sudo cat /etc/ssl/certs/dhparam.pem >> ~/domoticz/server_cert.pem
sudo openssl dhparam -out dhparam.pem 2048
</code>
sudo cat dhparam.pem >> ~/domoticz/server_cert.pem
</syntaxhighlight>
Note: the first command, which generates the DH parameters, takes a long time; be patient, and if you are connected over SSH do not disconnect partway through.


[[Category:Domoticz]]
[[Category:Domoticz]]

Latest revision as of 11:25, 5 June 2017 (Mon)

This article explains how to install a Let's Encrypt certificate for Domoticz so that you can reach Domoticz over an HTTPS channel.

The steps provided were carried out on a Raspberry Pi 3; in principle they apply to other Linux systems as well.

Prerequisites (see here: Native HTTPS/SSL support)

  • Ports 80 (HTTP) and 443 (HTTPS) must be forwarded in your router
  • You need a domain name
  • The domain name must point to the external IP of the network Domoticz is on

Startup script

If you want to allow access to Domoticz over HTTPS only, you need to edit the Domoticz startup script:

sudo vi /etc/init.d/domoticz.sh

DAEMON_ARGS="-daemon -sslwww 443"

Install Let's Encrypt

sudo git clone https://github.com/letsencrypt/letsencrypt

Generate the certificate

Command:

cd letsencrypt
sudo ./letsencrypt-auto certonly --manual --email <your email> -d <your domain name>

Note: write the domain name in full. For example, if you use home.domoticz.cn, you cannot write just domoticz.cn.

If you have several domain names, keep appending -d parameters to the command, one domain name after each -d.

If the following message is displayed, do not press Enter:

If you don't have HTTP server configured, you can run the following command on the target server (as root):
mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
printf "%s" <some random string> > .well-known/acme-challenge/<some random string>
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()" 
Press ENTER to continue

Open a new shell window and run the following commands to add the random-string file that Let's Encrypt just printed to the web site, so that Let's Encrypt's domain validation passes:

mkdir -p /home/pi/domoticz/www/.well-known/acme-challenge/
cd /home/pi/domoticz/www/
printf "%s" <some random string> > .well-known/acme-challenge/<some random string>

Note: this step requires your Domoticz to be reachable from the internet on port 80. If port 80 still cannot be reached from outside even though you have set up port forwarding in your router, your ISP may be blocking port 80. In that case you need another virtual host or server that is reachable on port 80: point your domain at it and place the validation file on that site.

Confirm that http://<your domain>/.well-known/acme-challenge/<some random string> opens correctly in a browser. Then go back to the previous shell window and press Enter to continue generating the certificate.
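The reachability check described above (open http://<your domain>/.well-known/acme-challenge/<some random string> and confirm it loads), as an added Python example that is not part of the original wiki page or the Domoticz project: it creates the challenge file under a web root, fetches it over plain HTTP the way the CA does, and tells apart an unreachable port 80 from a misspelled directory name or wrong file content. The token and thumbprint values are constructed placeholders, and the offline demo serves a temporary directory on 127.0.0.1 in place of Domoticz's own web server.

```python
"""Check that an ACME HTTP-01 challenge file is served the way the CA will fetch it.
Added example; not code from the Domoticz project or the wiki page. The token and
key-authorization values in demo() are constructed placeholders, not real ACME data."""
import functools
import http.server
import os
import tempfile
import threading
import urllib.request
from urllib.error import HTTPError, URLError

CHALLENGE_PATH = ".well-known/acme-challenge"   # fixed by the ACME protocol


def write_challenge(webroot, token, key_authorization):
    """Create <webroot>/.well-known/acme-challenge/<token> holding exactly the string
    the ACME client printed (the printf step on the page, no trailing newline)."""
    directory = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", newline="") as fh:
        fh.write(key_authorization)
    return path


def check_challenge(base_url, token, key_authorization, timeout=5):
    """Fetch http://<host>/.well-known/acme-challenge/<token> over plain HTTP and
    return (ok, detail). Distinguishes 'unreachable' (port-80 forwarding) from
    'wrong path' (HTTP 404) and 'wrong content'."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except HTTPError as exc:
        return False, f"{url}: HTTP {exc.code} (file missing or directory name misspelled?)"
    except URLError as exc:
        return False, f"{url}: unreachable ({exc.reason}); check port-80 forwarding"
    if body.strip() != key_authorization:
        return False, f"{url}: served {body!r}, expected {key_authorization!r}"
    return True, f"{url}: OK"


def serve_directory(webroot):
    """Serve webroot on 127.0.0.1 on an ephemeral port in a background thread; a
    stand-in for Domoticz's web server on port 80 when trying this offline."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Offline run: the correct file passes, a missing token is reported as HTTP 404."""
    token = "EXAMPLE_TOKEN_abc123"                       # constructed placeholder
    key_authorization = token + ".EXAMPLE_THUMBPRINT"    # constructed placeholder
    with tempfile.TemporaryDirectory() as webroot:
        write_challenge(webroot, token, key_authorization)
        server = serve_directory(webroot)
        try:
            base = f"http://127.0.0.1:{server.server_address[1]}"
            good, _ = check_challenge(base, token, key_authorization)
            missing, detail = check_challenge(base, "no-such-token", key_authorization)
        finally:
            server.shutdown()
            server.server_close()
    return good, missing, detail


if __name__ == "__main__":
    print(demo())
```

Against a real host, run check_challenge("http://<your domain>", token, key_authorization) from a machine outside your LAN, since a router that does not hairpin NAT can make the file look reachable from inside while the CA still cannot fetch it. The directory name must be exactly .well-known/acme-challenge; a missing hyphen shows up here as an HTTP 404.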

If everything is OK, the following message should be returned:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/<your domain>/fullchain.pem. Your
   cert will expire on <date>. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Add the certificate to Domoticz

The last thing to do is to add the created certificate to Domoticz. It's simple: just run the following commands:

sudo rm ~/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/<your domain>/privkey.pem >> ~/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/<your domain>/fullchain.pem >> ~/domoticz/server_cert.pem

Then restart the domoticz service:

sudo service domoticz.sh restart

If the following error message appears after restarting the domoticz service:

Error: [web:443] missing SSL DH parameters from file

Just add the DH parameters:

sudo openssl dhparam -out dhparam.pem 2048
sudo cat dhparam.pem >> ~/domoticz/server_cert.pem

Note: the first command, which generates the DH parameters, takes a long time; be patient, and if you are connected over SSH do not disconnect partway through.
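The bundling steps above (remove the old server_cert.pem, append privkey.pem and fullchain.pem, then append dhparam.pem) and the "missing SSL DH parameters" error, as an added Python example that is not part of the original wiki page or the Domoticz project: it builds the bundle in the same order, checks that it holds exactly one private key, a certificate chain and DH parameters before writing it with mode 0600, and names the DH-parameter problem instead of letting Domoticz fail at startup. The paths under /etc/letsencrypt/live/<your domain>/ and ~/domoticz/server_cert.pem are taken from the page; the sample PEM blocks are constructed placeholders, not real key material.

```python
"""Assemble the server_cert.pem bundle that Domoticz loads and check its contents.
Added example; not code from the Domoticz project or the wiki page. Paths follow the
page: /etc/letsencrypt/live/<domain>/ as input, ~/domoticz/server_cert.pem as output."""
import os
import re

# One PEM block: label between BEGIN/END, body in between (re.S lets '.' span lines).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_labels(text):
    """Labels of the PEM blocks in order; any '... PRIVATE KEY' variant is reported as 'PRIVATE KEY'."""
    labels = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1)
        labels.append("PRIVATE KEY" if label.endswith("PRIVATE KEY") else label)
    return labels


def check_bundle(text):
    """Return a list of problems with a server_cert.pem; an empty list means it holds
    what Domoticz needs: exactly one private key, a certificate chain and DH parameters."""
    labels = pem_labels(text)
    problems = []
    keys = labels.count("PRIVATE KEY")
    if keys != 1:
        # Two keys usually means the rm step was skipped and '>>' appended a second copy.
        problems.append(f"expected exactly 1 private key, found {keys}")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block (fullchain.pem not appended?)")
    if "DH PARAMETERS" not in labels:
        problems.append("no DH PARAMETERS block: Domoticz will report "
                        "'missing SSL DH parameters from file'")
    return problems


def build_bundle(privkey_pem, fullchain_pem, dhparam_pem):
    """Concatenate in the order the page uses: private key, full chain, DH parameters."""
    parts = (privkey_pem, fullchain_pem, dhparam_pem)
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)


def assemble_from_files(domain, dhparam_path, out_path, live_root="/etc/letsencrypt/live"):
    """Read the Let's Encrypt files, write the bundle atomically with mode 0600 and return
    the list of problems (run as root, like the sudo commands on the page)."""
    live = os.path.join(live_root, domain)
    with open(os.path.join(live, "privkey.pem")) as f_key, \
         open(os.path.join(live, "fullchain.pem")) as f_chain, \
         open(dhparam_path) as f_dh:
        bundle = build_bundle(f_key.read(), f_chain.read(), f_dh.read())
    problems = check_bundle(bundle)
    if not problems:
        tmp = out_path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # bundle holds the key
        with os.fdopen(fd, "w") as fh:
            fh.write(bundle)
        os.replace(tmp, out_path)
    return problems


# Constructed sample blocks with placeholder bodies (not real key material).
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n"
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\nTEVBRiBDRVJUIFBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n"
                "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRFIFBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n")
SAMPLE_DH = "-----BEGIN DH PARAMETERS-----\nREggUEFSQU1TIFBMQUNFSE9MREVS\n-----END DH PARAMETERS-----\n"


def constructed_sample(with_dh=True):
    """Bundle assembled from the constructed sample blocks above."""
    return build_bundle(SAMPLE_KEY, SAMPLE_CHAIN, SAMPLE_DH if with_dh else "")


if __name__ == "__main__":
    print(check_bundle(constructed_sample(with_dh=False)))   # names the missing DH block
    print(check_bundle(constructed_sample(with_dh=True)))    # []
```

On the Pi, assemble_from_files("<your domain>", "dhparam.pem", os.path.expanduser("~/domoticz/server_cert.pem")) writes the file only when the checks pass; a bundle with two private keys (the append run twice without the rm) or with no DH parameters is reported instead of being installed, and the old file stays untouched.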