Automatically renewing free SSL certificates with certbot

certbot

https://certbot.eff.org/lets-encrypt/centosrhel7-nginx
https://certbot.eff.org/docs/using.html#getting-certificates-and-choosing-plugins

  1. SSH into the server

    SSH into the server running your HTTP website as a user with sudo privileges.

  2. Enable EPEL repo

    # You'll need to enable the EPEL (Extra Packages for Enterprise Linux) repository: that is
    # where the certbot and python2-certbot-nginx packages installed in step 4 come from.
    # On CentOS 7 it is provided by the epel-release package; on RHEL follow the
    # instructions at the Fedora wiki to enable EPEL.
  3. Enable the optional channel

    # If you're using RHEL or Oracle Linux, you'll also need to enable the optional channel.
    # On a RHEL 7 host registered with subscription-manager:
    yum install -y yum-utils
    yum-config-manager --enable rhel-7-server-optional-rpms --enable rhel-7-server-extras-rpms
    # On EC2, RHEL users enable it through the RHUI repositories instead, substituting
    # the instance's EC2 region for REGION in the repository ids:
    yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
  4. Install Certbot

    # Run this command on the command line on the machine to install Certbot.
    sudo yum install certbot python2-certbot-nginx
  5. Back up the existing nginx configuration

    Make a copy of the nginx configuration directory before certbot (or you) edit it, so a broken server block can be rolled back.

  6. If nginx was installed from the default yum package, do the following:

    1. Choose how you'd like to run Certbot

      # Either get and install your certificates...
      # Run this command to get a certificate and have Certbot edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step.
      sudo certbot --nginx
      # Or, just get a certificate
      # If you're feeling more conservative and would like to make the changes to your Nginx configuration by hand, run this command.
      sudo certbot certonly --nginx
    2. Set up automatic renewal

      # We recommend running the following line, which will add a cron job to the default crontab.
      echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null
    3. Confirm that Certbot worked

      To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar. If you want to check that you have the top-of-the-line installation, you can head to https://www.ssllabs.com/ssltest/.

  7. If nginx was NOT installed from the default yum package, do the following. (To obtain a certificate with a "standalone" web server, pass certonly on the command line and use the standalone plugin, --standalone. This plugin needs to bind to port 80 itself to answer the domain validation, so the existing web server must be stopped first; the same applies at every renewal, which is why the cron entries further down stop and restart nginx.)

    # Stop the running nginx so port 80 is free (use the full path, e.g. /opt/nginx/sbin/nginx, if the binary is not on PATH).
    nginx -s stop
    # Template: the first -d name becomes the lineage name, i.e. the directory under /etc/letsencrypt/live/.
    certbot certonly --standalone --email 'your email address' -d 'your domain 1' -d 'your domain 2'
    # The author's actual runs. The second run requests exactly the same set of names as the first, so certbot
    # matches it to the existing guojingyi.cn lineage (and offers to keep or replace that certificate) instead of
    # creating a www.guojingyi.cn lineage; the order of names only matters for the first request.
    certbot certonly --standalone --email 'test@163.com' -d 'guojingyi.cn' -d 'www.guojingyi.cn'
    certbot certonly --standalone --email 'test@163.com' -d 'www.guojingyi.cn' -d 'guojingyi.cn'
    certbot certonly --standalone --email 'test@163.com' -d 'wx.guojingyi.cn'
    1. Inspect the generated certificates

      tree /etc/letsencrypt/
      /etc/letsencrypt/
      |-- accounts
      |   `-- acme-v02.api.letsencrypt.org
      |       `-- directory
      |           `-- bb1504c830be74e4077ab2ff9294ba7a
      |               |-- meta.json
      |               |-- private_key.json
      |               `-- regr.json
      |-- archive
      |   `-- guojingyi.cn
      |       |-- cert1.pem
      |       |-- chain1.pem
      |       |-- fullchain1.pem
      |       `-- privkey1.pem
      |-- csr
      |   |-- 0000_csr-certbot.pem
      |   |-- 0001_csr-certbot.pem
      |   |-- 0002_csr-certbot.pem
      |   `-- 0003_csr-certbot.pem
      |-- keys
      |   |-- 0000_key-certbot.pem
      |   |-- 0001_key-certbot.pem
      |   |-- 0002_key-certbot.pem
      |   `-- 0003_key-certbot.pem
      |-- live
      |   |-- guojingyi.cn
      |   |   |-- cert.pem -> ../../archive/guojingyi.cn/cert1.pem
      |   |   |-- chain.pem -> ../../archive/guojingyi.cn/chain1.pem
      |   |   |-- fullchain.pem -> ../../archive/guojingyi.cn/fullchain1.pem
      |   |   |-- privkey.pem -> ../../archive/guojingyi.cn/privkey1.pem
      |   |   `-- README
      |   `-- README
      |-- renewal
      |   `-- guojingyi.cn.conf
      `-- renewal-hooks
          |-- deploy
          |-- post
          `-- pre
      15 directories, 22 files
    2. Add the SSL configuration to nginx (inside the server block that listens on 443 with ssl)

      ssl_certificate /etc/letsencrypt/live/guojingyi.cn/fullchain.pem; # server certificate followed by the intermediates
      ssl_certificate_key /etc/letsencrypt/live/guojingyi.cn/privkey.pem; # private key; keep it readable by root only

    3. Start nginx (for a custom build without a systemd unit, run the binary directly, e.g. /opt/nginx/sbin/nginx)

      systemctl start nginx
    4. Scheduled task: renew the certificate weekly by adding a crontab entry

      # --pre-hook and --post-hook only run when a certificate is actually due for renewal, so on most
      # Sundays this line does nothing. The stop is needed because --standalone must bind port 80 itself.
      # --post-hook runs after the attempt whether or not it succeeded, which is what brings nginx back up.
      0 0 * * 0 /usr/bin/certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
    5. or, for a custom build under /opt/nginx (the hooks must drive the nginx binary that is actually serving traffic)

      0 0 * * 0 /usr/bin/certbot renew --pre-hook "/opt/nginx/sbin/nginx -s stop" --post-hook "/opt/nginx/sbin/nginx"
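A post-hook that does more than blindly start nginx, as an added example (it is not from the original post and not certbot's own code). In the standalone flow above nginx is down while certbot runs, and --post-hook executes after the attempt whether or not it succeeded, so it is the right place to bring nginx back; the checks below make a renewal that silently did nothing, or a live/ directory whose key and certificate no longer belong together, visible through the hook's exit status and stderr, which cron mails to root. It assumes the openssl CLI is installed; START_CMD and CONFIG_TEST_CMD are hypothetical knobs that default to a systemd-managed nginx and can be pointed at the /opt/nginx build from step 5.

```shell
#!/bin/sh
# Added example: verify-and-start.sh, used as certbot's --post-hook in the standalone flow:
#   0 0 * * 0 /usr/bin/certbot renew --pre-hook "systemctl stop nginx" \
#       --post-hook "/usr/local/sbin/verify-and-start.sh /etc/letsencrypt/live/guojingyi.cn"
# Assumptions (not from the page): openssl CLI present; START_CMD/CONFIG_TEST_CMD are
# hypothetical overrides, e.g. START_CMD=/opt/nginx/sbin/nginx for a custom build.

START_CMD="${START_CMD:-systemctl start nginx}"
CONFIG_TEST_CMD="${CONFIG_TEST_CMD:-nginx -t}"

# cert_matches_key <cert.pem> <privkey.pem>
# 0 when the public key inside the certificate equals the one derived from the private key.
# Works for RSA and ECDSA; catches live/ symlinks that point at different archive versions.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_expires_within <cert.pem> <seconds>: 0 if notAfter lies within the next <seconds>.
# A just-renewed Let's Encrypt certificate is valid for 90 days, so "expires within 30 days"
# right after a renewal run means the renewal did not happen or deployed a stale file.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1   # openssl exits 0 when the cert is still valid past the window
    fi
    return 0
}

# verify_lineage <live-dir>: all checks for one lineage directory; 0 on success.
verify_lineage() {
    cert_matches_key "$1/fullchain.pem" "$1/privkey.pem" \
        || { echo "verify: key does not match certificate in $1" >&2; return 1; }
    if cert_expires_within "$1/cert.pem" $((30 * 86400)); then
        echo "verify: $1/cert.pem expires within 30 days; no fresh certificate was deployed" >&2
        return 1
    fi
    return 0
}

# served_cert_enddate <host> [port]: what clients actually receive once nginx is back.
served_cert_enddate() {
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -enddate
}

# main <live-dir>...: verify every lineage, test the config, start nginx, report failures.
main() {
    status=0
    for dir in "$@"; do
        verify_lineage "$dir" || status=1
    done
    # nginx -t also opens every ssl_certificate/ssl_certificate_key, so a broken lineage fails here
    # and nginx is deliberately not started on top of a config it cannot load.
    $CONFIG_TEST_CMD >/dev/null 2>&1 || { echo "post-hook: nginx config test failed" >&2; return 1; }
    $START_CMD || return 1
    return $status
}

# Run only when given lineage directories (sourcing the file for tests does nothing).
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because the hook keeps starting nginx even when a check fails, availability is never traded for the alert; the non-zero exit is what tells you to look. After the first run, served_cert_enddate guojingyi.cn confirms that the certificate clients receive is the renewed one and not a cached copy from an old worker.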
  8. Where are my certificates?

    All generated keys and issued certificates can be found in /etc/letsencrypt/live/$domain. In the case of creating a SAN certificate with multiple alternative names, $domain is the first domain passed in via -d parameter. Rather than copying, please point your (web) server configuration directly to those files (or create symlinks). During the renewal, /etc/letsencrypt/live is updated with the latest necessary files.
    Note
    /etc/letsencrypt/archive and /etc/letsencrypt/keys contain all previous keys and certificates, while /etc/letsencrypt/live symlinks to the latest versions.
    The following files are available:
    privkey.pem
    Private key for the certificate.
    Warning
    This must be kept secret at all times! Never share it with anyone, including Certbot developers. You cannot put it into a safe, however - your server still needs to access this file in order for SSL/TLS to work.
    Note
    As of Certbot version 0.29.0, private keys for new certificate default to 0600. Any changes to the group mode or group owner (gid) of this file will be preserved on renewals.
    This is what Apache needs for SSLCertificateKeyFile, and Nginx for ssl_certificate_key.
    fullchain.pem
    All certificates, including server certificate (aka leaf certificate or end-entity certificate). The server certificate is the first one in this file, followed by any intermediates.
    This is what Apache >= 2.4.8 needs for SSLCertificateFile, and what Nginx needs for ssl_certificate.
    cert.pem and chain.pem (less common)
    cert.pem contains the server certificate by itself, and chain.pem contains the additional intermediate certificate or certificates that web browsers will need in order to validate the server certificate. If you provide one of these files to your web server, you must provide both of them, or some browsers will show “This Connection is Untrusted” errors for your site, some of the time.
    Apache < 2.4.8 needs these for SSLCertificateFile and SSLCertificateChainFile, respectively.
    If you’re using OCSP stapling with Nginx >= 1.3.7, chain.pem should be provided as the ssl_trusted_certificate to validate OCSP responses.
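The three nginx directives described above (ssl_certificate with fullchain.pem, ssl_certificate_key with privkey.pem, and ssl_trusted_certificate with chain.pem for OCSP stapling) in one complete server block, as an added example that is not part of the original post or of certbot's documentation. It is a POSIX shell function that renders the block for a lineage, so the same template serves every certificate on the host; the lineage name guojingyi.cn and the /etc/letsencrypt/live layout come from the tutorial, while the listen lines, the redirect on port 80, the protocol list and the resolver are assumptions for a typical setup. A second function checks that the three files nginx will open actually exist, so a mistyped lineage name is caught before nginx -t.

```shell
#!/bin/sh
# Added example (not from the post): render an nginx TLS server block for one certbot lineage.
# certbot's layout: /etc/letsencrypt/live/<lineage>/{fullchain,privkey,chain}.pem, where
# <lineage> is the first -d name passed to certbot.

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"   # overridable for tests / non-standard installs

# render_tls_server <lineage> <server_name...>
# Prints the server blocks; redirect into e.g. /etc/nginx/conf.d/<lineage>-ssl.conf, then run nginx -t.
render_tls_server() {
    lineage="$1"; shift
    names="$*"
    cat <<EOF
# Port 80 only redirects to HTTPS; nothing is served in the clear.
server {
    listen 80;
    server_name $names;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $names;

    ssl_certificate $LE_LIVE/$lineage/fullchain.pem;       # leaf certificate, then the intermediates
    ssl_certificate_key $LE_LIVE/$lineage/privkey.pem;     # private key (mode 0600, root only)

    # OCSP stapling: nginx fetches the OCSP response and validates it against chain.pem,
    # which holds only the intermediates (ssl_trusted_certificate is not the fullchain).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate $LE_LIVE/$lineage/chain.pem;
    resolver 127.0.0.1 valid=300s;   # assumption: a local resolver; nginx needs one to reach the OCSP responder

    ssl_protocols TLSv1.2 TLSv1.3;   # TLSv1.3 needs nginx >= 1.13 built against OpenSSL 1.1.1
    ssl_prefer_server_ciphers off;
}
EOF
}

# lineage_files_present <lineage>
# 0 if the three files referenced above exist; otherwise names the first missing one and returns 1.
# Run it before nginx -t so a wrong lineage name (www.guojingyi.cn vs guojingyi.cn) is caught early.
lineage_files_present() {
    for f in fullchain.pem privkey.pem chain.pem; do
        if [ ! -f "$LE_LIVE/$1/$f" ]; then
            echo "missing: $LE_LIVE/$1/$f" >&2
            return 1
        fi
    done
    return 0
}
```

Typical use: lineage_files_present guojingyi.cn && render_tls_server guojingyi.cn guojingyi.cn www.guojingyi.cn > /etc/nginx/conf.d/guojingyi.cn-ssl.conf, followed by nginx -t. Because the paths point at live/ rather than at copies, a renewal only has to swap the symlinks and reload nginx; the rendered file never needs to change.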
