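Certbot Installation and Configuration
- certbot limits each registered domain to 50 certificates per week;
- a single certificate can contain at most 100 second-level domains;
- certificates are valid for 90 days; certificates configured automatically by certbot can be renewed automatically when they expire.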
CentOS 7
- Install snap:
    yum install epel-release
    yum install snapd
    systemctl enable --now snapd.socket
    ln -s /var/lib/snapd/snap /snap
- Install snap core:
    snap install core; sudo snap refresh core
  If the following error appears:
    error: system does not fully support snapd: cannot mount squashfs image using "squashfs":
    -----
    mount: wrong fs type, bad option, bad superblock on /dev/loop0,
    missing codepage or helper program, or other error
    In some cases useful info is found in syslog - try
    dmesg | tail or so.
    -----
  then run
    semodule -i /usr/share/selinux/packages/snappy.pp.bz2
  and re-run the snap command to install snap core.
- Install certbot:
    snap install --classic certbot
    ln -s /snap/bin/certbot /usr/bin/certbot
Ubuntu 20.04
- Ubuntu ships with the snap package by default, so install snap core directly:
    snap install core; sudo snap refresh core
- Install certbot:
    snap install --classic certbot
    sudo ln -s /snap/bin/certbot /usr/bin/certbot
Using Certbot
- Run the command
    certbot --nginx
  certbot lists every domain name that nginx is listening on; follow the prompt to select the domains to configure for HTTPS:
    [root@localhost admin]# certbot --nginx
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Which names would you like to activate HTTPS for?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: www.evobot.cn
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel):
- The certificates obtained are stored under
    /etc/letsencrypt/live/
  in the directory named after the corresponding domain.
- If you do not want certbot to modify the nginx configuration automatically, run
    certbot certonly --nginx
  to obtain the certificate only.
- If the configuration ends up broken, use
    certbot --nginx rollback
  to roll the configuration back.
- If the web service uses apache, use
    certbot --apache
  to obtain the certificate.
- After obtaining the certificate, you can manually run
    certbot renew --dry-run
  to check automatic renewal. If the command completes without errors, the certificate will be renewed automatically in the background:
    [root@localhost admin]# certbot renew --dry-run
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/www.evobot.cn.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Simulating renewal of an existing certificate for www.evobot.cn
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Congratulations, all simulated renewals succeeded:
      /etc/letsencrypt/live/www.evobot.cn/fullchain.pem (success)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
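
A successful dry run shows that renewal can work, not that it keeps working over each 90-day lifetime. The script below is an added example, not part of the original page or of certbot: it inspects the certificates under /etc/letsencrypt/live/ and reports any that are close to expiry. The function name expiring_certs and the 30-day threshold are assumptions chosen for this example, and openssl must be installed.

```shell
#!/bin/sh
# Added example (not from the original page): report certificates in a
# certbot "live" directory that will expire soon, which indicates that
# background renewal has stopped working.
# Assumptions: openssl is installed; the 30-day default is our own choice.

# expiring_certs LIVE_DIR [DAYS]
# Prints one line per certificate directory whose fullchain.pem expires
# within DAYS days or cannot be read as a certificate.
# Returns 0 when nothing is reported, 1 otherwise.
expiring_certs() {
    live_dir=$1
    days=${2:-30}
    seconds=$((days * 86400))
    found=0
    for cert in "$live_dir"/*/fullchain.pem; do
        # Skip the unexpanded glob when the directory is empty or missing.
        [ -f "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        # -checkend exits non-zero if the certificate expires within
        # $seconds seconds; an unreadable file also fails and is reported.
        if ! openssl x509 -checkend "$seconds" -noout -in "$cert" \
                >/dev/null 2>&1; then
            end=$(openssl x509 -enddate -noout -in "$cert" 2>/dev/null \
                  | cut -d= -f2)
            echo "$name expires within $days days (notAfter: ${end:-unreadable})"
            found=1
        fi
    done
    return "$found"
}

# Typical use from a daily cron job or monitoring check, run as root:
#   expiring_certs /etc/letsencrypt/live 30 || echo "renewal needs attention"
```
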