Certbot Installation and Configuration

Administrator 1070 2021-07-28

  1. Let's Encrypt, the CA behind Certbot, limits each registered domain to 50 certificates per week;
  2. a single certificate can contain at most 100 names (subdomains);
  3. certificates are valid for 90 days; a certificate that Certbot configured automatically is renewed automatically before it expires.

CentOS 7

  • Install snapd

    yum install epel-release
    yum install snapd
    systemctl enable --now snapd.socket
    ln -s /var/lib/snapd/snap /snap
    
  • Install the core snap

    snap install core; sudo snap refresh core
    

    If the following error appears:

    error: system does not fully support snapd: cannot mount squashfs image using "squashfs": -----
           mount: wrong fs type, bad option, bad superblock on /dev/loop0,
                  missing codepage or helper program, or other error

                  In some cases useful info is found in syslog - try
                  dmesg | tail or so.
           -----
    

    run semodule -i /usr/share/selinux/packages/snappy.pp.bz2 (this loads the SELinux policy module shipped with snapd), then re-run the snap command above to install the core snap.

  • Install Certbot

    snap install --classic certbot
    ln -s /snap/bin/certbot /usr/bin/certbot
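An added end-to-end install script for the CentOS 7 steps above (example code, not from the original post). It captures the output of snap install core and, when it sees the squashfs mount error quoted above, loads the snappy SELinux policy module and retries, as the post instructs. The helper names, the --run guard and the SNAPPY_POLICY variable are assumptions made for this example; nothing is installed unless the script is invoked with --run. On Ubuntu 20.04 only install_core and install_certbot are needed, since snapd is already present.

```shell
#!/bin/sh
# Added example (not from the original post): CentOS 7 installation of Certbot via snap,
# with the squashfs/SELinux failure described in the post handled automatically.
# Helper names, the --run guard and SNAPPY_POLICY are assumptions for this example.
set -eu

SNAPPY_POLICY=/usr/share/selinux/packages/snappy.pp.bz2

# Return 0 when snap output contains the squashfs mount failure quoted in the post.
needs_selinux_policy() {
    printf '%s\n' "$1" | grep -q 'cannot mount squashfs image using "squashfs"'
}

install_snapd() {
    yum -y install epel-release
    yum -y install snapd
    systemctl enable --now snapd.socket
    [ -e /snap ] || ln -s /var/lib/snapd/snap /snap   # idempotent: skip if the link exists
}

install_core() {
    # Capture stderr as well; snap prints the mount error there.
    if out=$(snap install core 2>&1); then
        snap refresh core
        return 0
    fi
    if needs_selinux_policy "$out"; then
        echo "snap cannot mount squashfs; loading the snappy SELinux policy and retrying" >&2
        semodule -i "$SNAPPY_POLICY"
        snap install core
        snap refresh core
        return 0
    fi
    printf '%s\n' "$out" >&2     # some other failure: surface it and stop
    return 1
}

install_certbot() {
    snap install --classic certbot
    [ -e /usr/bin/certbot ] || ln -s /snap/bin/certbot /usr/bin/certbot
    certbot --version           # confirms the binary is reachable on PATH
}

# Only act when explicitly asked, so sourcing the file for its functions is harmless.
if [ "${1:-}" = "--run" ]; then
    install_snapd
    install_core
    install_certbot
fi
```

Run it as root with sh install_certbot_centos7.sh --run; the retry path only fires on the exact snapd error the post describes, so any other failure is printed and stops the script instead of being masked.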
    

Ubuntu 20.04

  • Ubuntu ships with snapd by default, so the core snap can be installed directly:

    snap install core; sudo snap refresh core
    
  • Install Certbot

    snap install --classic certbot
    sudo ln -s /snap/bin/certbot /usr/bin/certbot
    

Using Certbot

  • Run certbot --nginx; Certbot lists every domain nginx is serving and prompts you to choose the ones to enable HTTPS for:

    
    [root@localhost admin]# certbot --nginx
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    Which names would you like to activate HTTPS for?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: www.evobot.cn
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel):
    
    
  • The obtained certificate is stored under /etc/letsencrypt/live/ in a directory named after the domain.

  • If you do not want Certbot to modify the nginx configuration automatically, run certbot certonly --nginx to obtain only the certificate.

  • If the configuration change goes wrong, run certbot --nginx rollback to revert it.

  • If the web server is Apache, use certbot --apache to obtain the certificate instead.

  • After obtaining the certificate, run certbot renew --dry-run manually to check that automatic renewal works; if the command reports no errors, the certificate will be renewed automatically in the background:

    [root@localhost admin]# certbot renew --dry-run
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/www.evobot.cn.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Simulating renewal of an existing certificate for www.evobot.cn
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Congratulations, all simulated renewals succeeded:
      /etc/letsencrypt/live/www.evobot.cn/fullchain.pem (success)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
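An added post-issuance check script for the usage steps above (example code, not from the original post). render_tls_server_block writes the nginx server block that a certbot certonly --nginx user has to add by hand, pointing at the lineage directory under /etc/letsencrypt/live/; dry_run_ok classifies the output of certbot renew --dry-run shown above; check_renewal confirms the snap renewal timer is active and reports the days left on every live certificate. The function names, the WARN_DAYS threshold and the --check flag are assumptions for this example; the include and ssl_dhparam lines reference the two files Certbot's nginx installer creates, so drop them if they are absent on a host that only ever ran certonly.

```shell
#!/bin/sh
# Added example (not from the original post): post-issuance checks for a Certbot-managed nginx host.
# Function names, WARN_DAYS and the --check flag are assumptions for this example.
set -eu

LIVE_DIR=/etc/letsencrypt/live

# 1. nginx server block for a certificate obtained with `certbot certonly --nginx`.
#    fullchain.pem and privkey.pem are the files Certbot keeps in the lineage directory;
#    the include and ssl_dhparam lines reference files created by Certbot's nginx installer.
render_tls_server_block() {
    domain=$1
    cat <<EOF
server {
    listen 443 ssl http2;
    server_name $domain;
    ssl_certificate     $LIVE_DIR/$domain/fullchain.pem;
    ssl_certificate_key $LIVE_DIR/$domain/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
    listen 80;
    server_name $domain;
    return 301 https://\$host\$request_uri;   # never serve the site in clear text
}
EOF
}

# 2. Read `certbot renew --dry-run` output on stdin; return 0 only when every lineage
#    renewed in simulation and no failure line is present.
dry_run_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'all simulated renewals succeeded' || return 1
    ! printf '%s\n' "$out" | grep -qiE 'failed|error'
}

# 3. Days until the certificate in file $1 expires (needs openssl and GNU date).
days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# 4. Renewal health: the snap timer must be active and no live certificate may be
#    closer to expiry than WARN_DAYS. Certbot renews once fewer than 30 days remain,
#    so anything under 20 days means renewal has been failing silently.
check_renewal() {
    systemctl is-active --quiet snap.certbot.renew.timer \
        || { echo "snap.certbot.renew.timer is not active" >&2; return 1; }
    rc=0
    for d in "$LIVE_DIR"/*/; do
        d=${d%/}
        [ -f "$d/fullchain.pem" ] || continue
        n=$(days_left "$d/fullchain.pem")
        echo "$(basename "$d"): $n days left"
        [ "$n" -ge "${WARN_DAYS:-20}" ] || { echo "  WARNING: renewal overdue" >&2; rc=1; }
    done
    return $rc
}

if [ "${1:-}" = "--check" ]; then
    certbot renew --dry-run 2>&1 | dry_run_ok || { echo "dry run failed" >&2; exit 1; }
    check_renewal
fi
```

Running sh certbot_checks.sh --check from cron or a monitoring agent turns the manual dry-run step into a recurring control: a stopped timer or a lineage under 20 days exits non-zero, which is the signal to look at /var/log/letsencrypt/letsencrypt.log before the 90-day validity runs out.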