配置Certbot获取https证书

实验环境:CentOS Linux release 7.4.1708 (Core)

内核版本:Linux version 3.10.0-693.2.2.el7.x86_64

Nginx版本: Nginx-1.14.0

Let’s Encrypt是一个免费的、自动化、开放的证书颁发机构。由Mozilla、Cisco、Chrome、facebook、Akamai等众多公司和机构发起的,其安全稳定及其可靠。具体信息可以去letsencrypt官方网站了解详情。

官网:https://letsencrypt.org/

安装certbot及源扩展包

bash

yum install -y epel-release 

Certbot是Let’s Encrypt官方指定推荐的客户端。通过 Certbot,你可以自动化部署 Let’s Encrypt SSL证书,以便为网站加上HTTPS加密支持。

bash

yum install certbot

bash

certbot certonly #还有一种certbot install

执行命令遇到错误

主要是 requests 和 urllib3 的问题,而 requests 的版本需要为 2.6.0

bash

pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

//你是希望如何使用ACME CA进行身份验证?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Spin up a temporary webserver (standalone)

//使用临时Web服务器(独立目录)

2: Place files in webroot directory (webroot)

//将文件放在webroot目录

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2【选择2回车】

Plugins selected: Authenticator webroot, Installer None

Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to

cancel): 1624717079@qq.com【输入您的邮箱地址,用于紧急更新和安全通知】

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(A)gree/(C)ancel: A【选择A回车同意服务条款,C为拒绝】

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let’s Encrypt project and the non-profit

organization that develops Certbot? We’d like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: Y【您是否愿意分享您的电子邮件地址,建议选择Y回车】

Starting new HTTPS connection (1): supporters.eff.org

Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’

to cancel): wechat.yuanfusc.com【输入域名回车】

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for wechat.yuanfusc.com

Input the webroot for wechat.yuanfusc.com: (Enter ‘c’ to cancel): /usr/local/www/wechat【输入网站所在绝对路径回车】

Waiting for verification…

Cleaning up challenges

Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:

- Congratulations! Your certificate and chain have been saved at:

/etc/letsencrypt/live/wechat.yuanfusc.com/fullchain.pem //证书和链路径

Your key file has been saved at:

/etc/letsencrypt/live/wechat.yuanfusc.com/privkey.pem //密钥文件路径

Your cert will expire on 2019-03-24. To obtain a new or tweaked

version of this certificate in the future, simply run certbot

again. To non-interactively renew all of your certificates, run

“certbot renew”

- Your account credentials have been saved in your Certbot

configuration directory at /etc/letsencrypt. You should make a

secure backup of this folder now. This configuration directory will

also contain certificates and private keys obtained by Certbot so

making regular backups of this folder is ideal.

- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate

Donating to EFF: https://eff.org/donate-le

恭喜!您的SSL证书和密钥链接已保存,你的证书将于2019-03-24到期。

注意:这里需要说明,在生成证书之前,你必须保证nginx 443端口是运行状态,否则会生成证书失败。

Certbot可以配置为在证书过期之前自动更新证书。由于Let’s Encrypt SSL证书有效期时间为90天,所以建议您利用此功能。您可以通过运行以下命令来测试证书的自动续订:

shell

certbot --nginx certonly

我这里直接执行出现一系列错误,处理方法

找不到nginx插件

安装certbot-nginx插件

bash

pip install certbot-nginx

找不到nginx

bash

ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

找不到nginx配置文件

bash

ln -s /usr/local/nginx/conf/ /etc/nginx

再次测试

bash

certbot --nginx certonly

如果以上正常工作,你可以通过添加运行以下操作的cron或systemd定时任务安排自动更新

bash

certbot renew

写一个自动执行脚本

bash

crontab -e

添加以下内容

bash

0 */6 * * * /usr/bin/certbot renew --quiet && /bin/systemctl reload nginx	#每6小时执行一次

bash

0 0 0,12 * * /usr/bin/certbot renew --quiet && /bin/systemctl reload nginx	#每天0点和12点执行

相关内容