Installing certbot on CentOS 7 to configure SSL certificates automatically


Official site

certbot.eff.org/lets-encryp…

Installation

Install snapd first; installing certbot through snap keeps it isolated from the rest of the system's packages.

yum install snapd
# Enable snapd at boot and start it now
sudo systemctl enable --now snapd
# Create the classic /snap symlink
sudo ln -s /var/lib/snapd/snap /snap
# Install the core snap (snapd runtime)
sudo snap install core
# Install certbot
sudo snap install --classic certbot
# Put certbot on the PATH
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Troubleshooting

Because DNS resolution is being poisoned, the hosts file needs an override; otherwise renewing the certificate fails with:

OCSP check failed for /etc/letsencrypt/archive/****/cert1.pem (are we offline?)
Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/652/lib/python3.8/site-packages/urllib3/connection.py", line 159, in _new_conn
    conn = connection.create_connection(
  File "/var/lib/snapd/snap/certbot/652/lib/python3.8/site-packages/urllib3/util/connection.py", line 84, in create_connection
    raise err
  File "/var/lib/snapd/snap/certbot/652/lib/python3.8/site-packages/urllib3/util/connection.py", line 74, in create_connection
    sock.connect(sa)
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/652/lib/python3.8/site-packages/urllib3/connectionpool.py", line 670, in urlopen
    httplib_response = self._make_request(
  File "/var/lib/snapd/snap/certbot/652/lib/python3.8/site-packages/urllib3/connectionpool.py", line 392, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/var/lib/snapd/snap/certbot/652/usr/lib/python3.8/http/client.py", line 1240, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/var/lib/snapd/snap/certbot/652/usr/lib/python3.8/http/client.py", line 1286, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/var/lib/snapd/snap/certbot/652/usr/lib/python3.8/http/client.py", line 1235, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/var/lib/snapd/snap/certbot/652/usr/lib/python3.8/http/client.py", line 1006, in _send_output
    self.send(msg)
  File "/var/lib/snapd/snap/certbot/652/usr/lib/python3.8/http/client.py", line 946, in send
    self.connect()
  File "/var/lib/snapd/snap/certbot/652/lib/python3.8/site-packages/urllib3/connection.py", line 187, in connect
    conn = self._new_conn()
  File "/var/lib/snapd/snap/certbot/652/lib/python3.8/site-packages/urllib3/connection.py", line 164, in _new_conn
    raise ConnectTimeoutError(
urllib3.exceptions.ConnectTimeoutError: (<urllib3.connection.HTTPConnection object at 0x7f0b8b71cc10>, 'Connection to ocsp.int-x3.letsencrypt.org timed out. (connect timeout=10)')

Edit the hosts file and add an address for the OCSP hostname (the IP is a CDN edge address and can change, so revisit this entry if the error comes back):

vim /etc/hosts
23.32.3.72     ocsp.int-x3.letsencrypt.org
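An added helper (not from the original post) that makes the hosts override above repeatable: it replaces any stale mapping for the hostname instead of appending duplicates, and records why the address was pinned so it is easy to find and remove later. The file path is a parameter so it can be exercised on a scratch copy rather than the live /etc/hosts.

```shell
#!/usr/bin/env bash
# Idempotently pin HOST to IP in a hosts file (added example, not from the post).
set -eu

# Print the IP currently mapped to HOST in FILE (first match), or nothing.
get_hosts_ip() {
  local file="$1" host="$2"
  # Strip comments, then match HOST as a whole word in the name columns.
  awk -v h="$host" '
    { sub(/#.*/, "") }
    NF >= 2 { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
  ' "$file"
}

# Replace any existing mapping for HOST with IP (or append one), tagging the
# line with the date so the pinned CDN address can be revisited when it changes.
set_hosts_entry() {
  local file="$1" ip="$2" host="$3" tmp
  tmp="$(mktemp)"
  # Keep every line that does not name HOST; comments are ignored for matching.
  awk -v h="$host" '
    { line = $0; sub(/#.*/, "") }
    { keep = 1; for (i = 2; i <= NF; i++) if ($i == h) keep = 0 }
    keep { print line }
  ' "$file" > "$tmp"
  printf '%s\t%s\t# pinned %s to bypass poisoned DNS; recheck if OCSP fails\n' \
    "$ip" "$host" "$(date +%F)" >> "$tmp"
  cat "$tmp" > "$file"   # write in place to preserve ownership and mode
  rm -f "$tmp"
}

# Demo on a scratch copy, never on the live /etc/hosts (values from the post).
demo="$(mktemp)"
printf '127.0.0.1\tlocalhost\n' > "$demo"
set_hosts_entry "$demo" 23.32.3.72 ocsp.int-x3.letsencrypt.org
cat "$demo"
rm -f "$demo"
```

For the real file run `set_hosts_entry /etc/hosts 23.32.3.72 ocsp.int-x3.letsencrypt.org` as root; running it again with a new address replaces the old line rather than adding a second one.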

Issuing and renewing certificates

Issue and install the certificate automatically, following the prompts:

sudo certbot --nginx

Test that renewal runs correctly:

sudo certbot renew --dry-run

The snap installation already set up a scheduled task that renews the certificate automatically; from the official docs:

The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration.

When you need to run it by hand, drop --dry-run to perform the real renewal:

sudo certbot renew