Environment
- OS: CentOS Linux 7
- Nginx: 1.11.5
- Python3: 3.5.2
1. Install certbot
## install snapd
$ sudo yum install snapd
## After the install completes, run
$ snap version
snap 2.58.3-1.el7
snapd 2.58.3-1.el7
series 16
centos 7
kernel 5.2.10-1.el7.elrepo.x86_64
## Install certbot
$ sudo snap install --classic certbot
## Wait for the install to finish
2023-12-23T03:40:45Z INFO Waiting for automatic snapd restart...
certbot 2.8.0 from Certbot Project (certbot-eff✓) installed
If you are on another operating system, follow the official documentation to install it.
2. Issue a certificate
Here is an example:
$ certbot certonly -d images.os2010.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.
nginx: [emerg] open() "/etc/nginx/nginx.conf" failed (2: No such file or directory)
nginx: configuration file /etc/nginx/nginx.conf test failed
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx) [Misconfigured]
2: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
3: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Requesting a certificate for images.os2010.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/images.os2010.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/images.os2010.com/privkey.pem
This certificate expires on 2024-03-23.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Inspect the certificate files
$ cd /etc/letsencrypt/live/images.os2010.com/
$ ls
cert.pem chain.pem fullchain.pem privkey.pem README
3. Use the certificate in Nginx
Edit the Nginx configuration directly; the SSL certificate section looks like this:
listen 443 ssl;
# ssl certificate paths
ssl_certificate /etc/letsencrypt/live/os2010.com-0002/fullchain.pem; # path to the pem file
ssl_certificate_key /etc/letsencrypt/live/os2010.com-0002/privkey.pem; # path to the key file
# ssl session and cipher settings
ssl_session_timeout 5m; # session cache lifetime
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # cipher suites
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # protocols allowed for secure connections
ssl_prefer_server_ciphers on; # prefer the server's cipher order
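Below is a fuller pair of server blocks, added here as an example and not taken from the original post, that ties the webroot challenge chosen in step 2 to a tightened version of the TLS settings above. The snippet above still permits TLSv1 and TLSv1.1, which RFC 8996 deprecates and which vulnerability scanners flag, and its cipher string uses broad aliases (AES, HIGH) that admit RSA key exchange without forward secrecy. The directories /var/www/letsencrypt and /var/www/images, and the use of images.os2010.com as the live directory name, are assumptions; the live directory must match what `certbot certificates` reports on your host.

```nginx
# Added example, not the original post's configuration.
# Assumptions: certbot's webroot is /var/www/letsencrypt (the directory passed as
# "certbot certonly --webroot -w /var/www/letsencrypt -d images.os2010.com"),
# site content lives in /var/www/images, and the live directory is named
# images.os2010.com as in the certbot output above.

# Port 80 serves only the ACME HTTP-01 challenge and redirects everything else.
# Keeping this path reachable over plain HTTP is what lets later renewals succeed.
server {
    listen 80;
    server_name images.os2010.com;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;       # certbot writes the token file here
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;                # on nginx >= 1.25.1 the form is "http2 on;"
    server_name images.os2010.com;
    root /var/www/images;

    # Certificate chain and key from the certbot run above
    ssl_certificate     /etc/letsencrypt/live/images.os2010.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/images.os2010.com/privkey.pem;

    # TLS 1.0 and 1.1 are disabled. TLSv1.3 needs nginx >= 1.13.0 built against
    # OpenSSL 1.1.1; on the 1.11.5 build listed above keep "TLSv1.2" alone.
    ssl_protocols TLSv1.2 TLSv1.3;

    # AEAD suites with forward secrecy only. Both ECDSA and RSA variants are listed
    # because certbot 2.x issues ECDSA keys by default (see error 5 below);
    # an RSA-only list would leave the server unable to negotiate at all.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;       # every listed suite is acceptable, so let the client pick (ChaCha20 on mobile)

    # Session resumption via a shared cache rather than tickets: nginx only rotates
    # its ticket key on restart, which would weaken forward secrecy over time.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Enable HSTS only once HTTPS is confirmed working for the whole site;
    # browsers cache it for max-age seconds and refuse plain HTTP afterwards.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Run `nginx -t` before reloading. One caveat for the renewal step that follows: renewal, whether through the snap's own timer or the crontab entry, only replaces the files under /etc/letsencrypt/live; nginx keeps the old certificate in memory until it is reloaded. Adding `--deploy-hook 'systemctl reload nginx'` to the renew command, or placing a small script in /etc/letsencrypt/renewal-hooks/deploy/, makes sure the renewed certificate is actually served.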
After that your site is reachable over HTTPS. Each issued certificate is only valid for 3 months, though, so the next section covers how to renew it automatically.
4. Automatic renewal
Create a crontab entry. The command checks whether any certificate on the server expires within the next 30 days and renews it if so; the --quiet flag tells certbot not to produce output.
$ crontab -e
## Add the following line
0 12 * * * /var/lib/snapd/snap/bin/certbot renew --quiet
Common errors and fixes
1. snapd not running
## After the install completes, run
$ snap version
snap 2.58.3-1.el7
snapd unavailable
series -
## If you get output like the above, run the following commands manually
$ sudo systemctl enable snapd
$ sudo systemctl start snapd
2. Installing certbot with snap fails
$ sudo snap install --classic certbot
error: cannot install "certbot": classic confinement requires snaps under /snap or symlink from
/snap to /var/lib/snapd/snap
## Create the symlink so classic snaps are supported
$ sudo ln -s /var/lib/snapd/snap /snap
3. A certbot installed with yum must be removed before installing it with snap
$ sudo yum remove certbot
4. Wildcard certificates: the command requires manual DNS configuration
certbot certonly -d *.os2010.com -d os2010.com --manual --preferred-challenges=dns-01 --server https://acme-v02.api.letsencrypt.org/directory
5. If you see this error: Are you trying to change the key type of the certificate named felhcgw2025.xyz from ECDSA to RSA? Please provide both --cert-name and --key-type on the command line to confirm the change you are trying to make.
certbot --cert-name felhcgw2025.xyz --key-type rsa