配置Certbot获取https证书
实验环境:CentOS Linux release 7.4.1708 (Core)
内核版本:Linux version 3.10.0-693.2.2.el7.x86_64
Nginx版本: Nginx-1.14.0
Let’s Encrypt是一个免费的、自动化、开放的证书颁发机构。由Mozilla、Cisco、Chrome、facebook、Akamai等众多公司和机构发起的,其安全稳定及其可靠。具体信息可以去letsencrypt官方网站了解详情。
官网:https://letsencrypt.org/
1 安装certbot
安装certbot及源扩展包
yum install -y epel-release
Certbot是Let’s Encrypt官方指定推荐的客户端。通过 Certbot,你可以自动化部署 Let’s Encrypt SSL证书,以便为网站加上HTTPS加密支持。
yum install certbot
2 申请证书
certbot certonly #还有一种certbot install
执行命令遇到错误
主要是 requests 和 urllib3 的问题,而 requests 的版本需要为 2.6.0
pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
//你是希望如何使用ACME CA进行身份验证?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
//使用临时Web服务器(独立目录)
2: Place files in webroot directory (webroot)
//将文件放在webroot目录
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2【选择2回车】
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): 1624717079@qq.com【输入您的邮箱地址,用于紧急更新和安全通知】
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A【选择A回车同意服务条款,C为拒绝】
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y【您是否愿意分享您的电子邮件地址,建议选择Y回车】
Starting new HTTPS connection (1): supporters.eff.org
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): wechat.yuanfusc.com【输入域名回车】
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for wechat.yuanfusc.com
Input the webroot for wechat.yuanfusc.com: (Enter ‘c’ to cancel): /usr/local/www/wechat【输入网站所在绝对路径回车】
Waiting for verification…
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/wechat.yuanfusc.com/fullchain.pem //证书和链路径
Your key file has been saved at:
/etc/letsencrypt/live/wechat.yuanfusc.com/privkey.pem //密钥文件路径
Your cert will expire on 2019-03-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
“certbot renew”
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
恭喜!您的SSL证书和密钥链接已保存,你的证书将于2019-03-24到期。
注意:这里需要说明,在生成证书之前,你必须保证nginx 443端口是运行状态,否则会生成证书失败。
3 自动更新证书
Certbot可以配置为在证书过期之前自动更新证书。由于Let’s Encrypt SSL证书有效期时间为90天,所以建议您利用此功能。您可以通过运行以下命令来测试证书的自动续订:
certbot --nginx certonly
我这里直接执行出现一系列错误,处理方法
找不到nginx插件
安装certbot-nginx插件
pip install certbot-nginx
找不到nginx
ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
找不到nginx配置文件
ln -s /usr/local/nginx/conf/ /etc/nginx
再次测试
certbot --nginx certonly
如果以上正常工作,你可以通过添加运行以下操作的cron或systemd定时任务安排自动更新
certbot renew
写一个自动执行脚本
crontab -e
添加以下内容
0 */6 * * * /usr/bin/certbot renew --quiet && /bin/systemctl reload nginx #每6小时执行一次
或
0 0 0,12 * * /usr/bin/certbot renew --quiet && /bin/systemctl reload nginx #每天0点和12点执行