How to Install a Let's Encrypt SSL Certificate on Ubuntu 18.04

Certbot is a user-friendly automatic client that fetches and deploys SSL/TLS certificates for your web server. It is EFF's tool for obtaining certificates from Let's Encrypt and automatically enabling HTTPS on your server. In short, it acts as the official "Let's Encrypt client" or "Let's Encrypt Python client". It uses the Automated Certificate Management Environment (ACME) protocol to automatically deploy free SSL certificates that most browsers trust. As a result, it also works with any other CA that supports the ACME protocol.

In this article, I will explain how to use Certbot to obtain and install free Let's Encrypt SSL certificates for Apache and Nginx on an Ubuntu 18.04 server.

Prerequisites

  • An Ubuntu Bionic Beaver (18.04) server with root privileges, so that the required packages can be installed as needed.
  • A registered, fully qualified domain with correct DNS records. Throughout this article I use the domain fosscloudy.com.

Installing Certbot

To begin with, obtaining a Let's Encrypt SSL certificate requires installing the Certbot software. Although Certbot is available in the Ubuntu repositories, the package there tends to be outdated, so it is recommended to install it from the Certbot PPA, which carries the latest software. You can install Certbot with the following commands:

# add-apt-repository ppa:certbot/certbot
# apt update
# apt install certbot

You can confirm the installed Certbot version with the following command:

# certbot --version
certbot 0.23.0

In addition, the command "certbot plugins" lists the Certbot plugins available on your server.

# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
-------------------------------------------------------------------------------

By default, only the standalone and webroot plugins are included in this package. Depending on our purpose, we can enable the other required plugins one by one.

Setting Up a Let's Encrypt SSL Certificate for Apache

Certbot provides an Apache plugin that makes issuing SSL certificates with this tool easier. We can install this plugin by running the following command:

# apt install python-certbot-apache

We are now ready to use this tool, but to configure SSL for a domain we need to verify some Apache configuration files. To issue an SSL certificate for the domain, Certbot will try to find the exact virtual host for that domain in your server's Apache configuration. You can refer to my earlier article, which will help you set up the domain's virtual host. Assuming a suitable virtual host exists for our domain, we can run this command to install SSL for our domain fosscloudy.com.

# certbot --apache -d fosscloudy.com -d www.fosscloudy.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for fosscloudy.com
http-01 challenge for www.fosscloudy.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/fosscloudy.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/fosscloudy.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/fosscloudy.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/fosscloudy.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/fosscloudy.com.conf to ssl vhost in /etc/apache2/sites-available/fosscloudy.com-le-ssl.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://fosscloudy.com and
https://www.fosscloudy.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=fosscloudy.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.fosscloudy.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/fosscloudy.com-0002/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/fosscloudy.com-0002/privkey.pem
Your cert will expire on 2018-09-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

The interactive process above guides you through all the information needed to sign and install the certificate for the selected domains. By running this command, the SSL certificate for your domain is downloaded, installed and correctly configured in your domain's virtual host automatically. You can now access your domain over HTTPS to confirm that it works, or verify the SSL status with an SSL checker.

Alternatively, if you have multiple virtual hosts/domains configured, you can use the following command to install SSL certificates for them.

# certbot --apache

Certbot will ask you to choose the domains to include in the new certificate.

Also, if you do not want Certbot to automatically install and configure your domain's virtual host with the new SSL certificate, you can use the following command to generate the SSL certificate only. You can configure it manually later.

# certbot --apache certonly

Setting Up a Let's Encrypt SSL Certificate on Nginx

For servers running the Nginx web server, we can use the Certbot Nginx plugin to obtain and install the SSL certificate automatically. You can install this plugin by issuing the following command:

# apt install python-certbot-nginx

We are now ready to use this tool, but to configure SSL for a domain we need to verify some Nginx configuration files. To issue an SSL certificate for the domain, Certbot will try to find the exact virtual host for that domain in your server's Nginx configuration. Assuming a suitable virtual host exists for our domain, we can run this command to install SSL for our domain fosscloudy.com.

# certbot --nginx -d fosscloudy.com -d www.fosscloudy.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for fosscloudy.com
http-01 challenge for www.fosscloudy.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/fosscloudy.com.conf
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/fosscloudy.com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/fosscloudy.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/fosscloudy.com.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://fosscloudy.com and
https://www.fosscloudy.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=fosscloudy.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.fosscloudy.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/fosscloudy.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/fosscloudy.com/privkey.pem
Your cert will expire on 2018-09-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

This self-explanatory interactive process helps you generate, install and configure the SSL certificate for your domain automatically. By running this command, the SSL certificate for your domain is downloaded, installed and correctly configured in your domain's virtual host. You can now access your domain over HTTPS to confirm that it works, or verify the SSL status with an SSL checker. You can replace my domain fosscloudy.com with your own and run the same command to generate your SSL certificate.

As with the Apache plugin, if you have multiple virtual hosts/domains configured, you can use the following command to install SSL certificates for all of them.

# certbot --nginx

Certbot will ask you to choose the domains to include in the new certificate.

Also, if you do not want Certbot to automatically install and configure your domain's virtual host with the new SSL certificate, you can use the following command to generate the SSL certificate only and configure it manually later.

# certbot --nginx certonly

Setting Up a Let's Encrypt Wildcard Certificate with Certbot

Let's Encrypt recently started supporting wildcard certificates through its new ACMEv2 protocol. This means you can have a wildcard certificate such as *.fosscloudy.com and use it on all the subdomains of the domain (docs.fosscloudy.com, blog.fosscloudy.com, mail.fosscloudy.com and so on), which makes managing certificates for many subdomains very easy and efficient. You can generate this wildcard SSL certificate for fosscloudy.com by running the following command; replace fosscloudy.com with your preferred domain to adapt it.

# certbot certonly --manual -d *.fosscloudy.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for fosscloudy.com

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.fosscloudy.com with the following value:

z25SzIfe37x5va0ynh6KdmEYVjjuSvdUOGM_t_twsVk

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/fosscloudy.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/fosscloudy.com-0001/privkey.pem
Your cert will expire on 2018-09-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

As shown in this interactive process, Certbot asks you to add a specific TXT record to your DNS records. In my case, it reported that the TXT record should be set as follows:

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.fosscloudy.com with the following value:

z25SzIfe37x5va0ynh6KdmEYVjjuSvdUOGM_t_twsVk

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

In your DNS provider, you create a new DNS TXT record:

Record Name: _acme-challenge (you may or may not need the .fosscloudy.com suffix, depending on your DNS provider)
Record Value: z25SzIfe37x5va0ynh6KdmEYVjjuSvdUOGM_t_twsVk (replace this with the value provided by Certbot)

Save your DNS settings and press Enter in the Certbot window to trigger the check and complete the verification. You will need to wait a while for the new DNS record to propagate across the Internet. I waited 30 minutes and then pressed Enter. You can also set a lower TTL value to make this process faster.
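Rather than guessing how long propagation takes, you can check that the TXT record is actually answered before pressing Enter. The script below is an added example, not part of the original article or of Certbot; it assumes `dig` (from the dnsutils package) is installed and uses the token shown on this page as the expected value. `txt_record_contains` checks a set of `dig +short TXT` answers for an exact match of the token, and `wait_for_acme_txt` polls a public resolver until the record appears.

```shell
# Added example: verify the _acme-challenge TXT record is visible before
# telling Certbot to continue. Assumes dig is installed; constructed values.

# Read `dig +short TXT` answers on stdin and succeed only if one of them is
# exactly the expected token. dig prints each TXT answer in double quotes, so
# strip the quotes and require a whole-line, fixed-string match (-F -x).
txt_record_contains() {
    expected="$1"
    tr -d '"' | grep -Fxq -- "$expected"
}

# Ask a public resolver for _acme-challenge.<domain>. Using a resolver other
# than the local one avoids a cached stale or negative answer recorded before
# the record existed; the validation server queries authoritative DNS itself.
check_acme_txt() {
    domain="$1"
    expected="$2"
    if dig +short TXT "_acme-challenge.${domain}" @1.1.1.1 | txt_record_contains "$expected"; then
        echo "TXT record for _acme-challenge.${domain} is visible; safe to press Enter in Certbot."
        return 0
    fi
    echo "TXT record for _acme-challenge.${domain} not visible yet." >&2
    return 1
}

# Poll until the record appears or the retry budget (default 20 tries,
# 30 seconds apart) is exhausted.
wait_for_acme_txt() {
    domain="$1"; expected="$2"; tries="${3:-20}"; interval="${4:-30}"
    while [ "$tries" -gt 0 ]; do
        check_acme_txt "$domain" "$expected" && return 0
        tries=$((tries - 1))
        sleep "$interval"
    done
    return 1
}

# Usage (needs network access), with the token Certbot printed on this page:
#   wait_for_acme_txt fosscloudy.com z25SzIfe37x5va0ynh6KdmEYVjjuSvdUOGM_t_twsVk
```

Because the match is exact and whole-line, a leftover TXT record from an earlier run does not count as success, which is the usual reason a DNS-01 challenge fails even though "a" record is present.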

Congratulations! The wildcard certificate for your domain fosscloudy.com has been generated. You can now use this wildcard certificate for any subdomain created under your domain name. For example, I created a subdomain for this domain, docs.fosscloudy.com. It uses the wildcard SSL certificate installed for the main domain. You can access your subdomain over HTTPS in a browser and confirm that it works correctly.

Automatic Renewal of SSL Certificates

You can use any of the methods above to obtain your SSL certificate. However, all Let's Encrypt certificates are short-lived and valid for only 90 days. They must therefore be renewed before they expire to keep your website running smoothly. You can do this manually if needed, or automate the process with cron jobs or the Certbot client.

After successfully installing a certificate with one of the methods above, you receive a message like the following:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/fosscloudy.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/fosscloudy.com/privkey.pem
Your cert will expire on 2018-09-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"

This message clearly states how to use the "certbot renew" command in the future.

Let's test the automatic renewal process with the following command:

# certbot renew

This command checks whether the SSL certificates for your domains need renewal and renews those that do.

The good news is that the Certbot package on our server ships with a cron job that automatically renews our SSL certificates before they expire. Since Let's Encrypt certificates are valid for only 90 days, it is strongly recommended that you take advantage of this feature.

# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

This cron job runs twice a day, but it does not renew certificates unless they are about to expire (within 30 days, as the comment says). Note the `! -d /run/systemd/system` test in the entry: on a host booted with systemd, as Ubuntu 18.04 is, the cron entry does nothing and renewal is scheduled by the package's systemd timer instead, which you can see with `systemctl list-timers`.
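To see the 30-day rule in action on the certificate files named in the messages above, the script below is an added example (not from the original article or from Certbot). It assumes GNU date, as shipped with Ubuntu, and openssl. `days_until` converts the notAfter string openssl prints into days remaining, `needs_renewal` applies the 30-day threshold the cron comment describes, and `check_cert_file` reads notAfter from a PEM file such as /etc/letsencrypt/live/fosscloudy.com/fullchain.pem.

```shell
# Added example: compute days left on a certificate and apply the packaged
# cron job's 30-day renewal threshold. Assumes GNU date and openssl.

# Days between a "now" instant and an end date, both written the way openssl
# prints notAfter, e.g. "Sep  3 23:59:59 2018 GMT". The second argument
# defaults to the current time; passing it explicitly keeps the logic testable.
days_until() {
    end_epoch=$(date -u -d "$1" +%s)
    if [ -n "${2:-}" ]; then
        now_epoch=$(date -u -d "$2" +%s)
    else
        now_epoch=$(date -u +%s)
    fi
    # Integer division truncates toward zero, so a certificate with a few
    # hours left reports 0 days; an already-expired one reports <= 0.
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeed (exit 0) when fewer than 30 days remain, i.e. when `certbot renew`
# would act on this certificate.
needs_renewal() {
    days=$(days_until "$1" "${2:-}")
    [ "$days" -lt 30 ]
}

# Read notAfter from a PEM certificate file and report whether renewal is due.
# The first certificate in fullchain.pem is the leaf, which is what
# `openssl x509` parses.
check_cert_file() {
    cert="$1"
    not_after=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//')
    days=$(days_until "$not_after")
    if needs_renewal "$not_after"; then
        echo "$cert expires in $days days: renewal due (run 'certbot renew')"
    else
        echo "$cert expires in $days days: no renewal needed yet"
    fi
}

# Usage: sh thisscript.sh /etc/letsencrypt/live/fosscloudy.com/fullchain.pem
if [ -n "${1:-}" ]; then
    check_cert_file "$1"
fi
```

With the expiry date from this page, Sep 3 2018, the check reports renewal due from Aug 4 2018 onward, which is exactly when the twice-daily job would start attempting it. To rehearse the renewal itself without touching the live certificate, `certbot renew --dry-run` performs the whole exchange against Let's Encrypt's staging environment and discards the result.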

Also read:

  • Installing WordPress on a Docker LEMP Stack with Letsencrypt SSL

Let's Encrypt has completely changed the way we generate, install and use SSL certificates. With the automated procedure of the Certbot tool, you can see how easy it is to obtain free SSL certificates from Let's Encrypt in a matter of seconds and have them installed automatically within minutes. I hope this article is useful to you. Please share your valuable comments and suggestions.