Obtaining a Let's Encrypt certificate with Certbot

Let's Encrypt is a free, open and automated certificate authority (CA) run for the public's benefit. It is a service provided by the Internet Security Research Group (ISRG). Certificates can be obtained and configured free of charge and automatically, and the CA operates on principles of security, transparency, openness and cooperation.

The Certbot ACME client is recommended for most people who have command-line access. It can automate certificate issuance and installation without taking your server offline.

Installing Certbot

Certbot can be installed via Snap, operating system packages, or certbot-auto.

Operating System Packages

Install the packages from the distribution repositories on the command line:

sudo apt-get install certbot python-certbot-nginx

certbot --help

snapd

Following the Get Certbot instructions for a Debian system with Nginx, the recommended method is to install the snap package first and then install certbot through snap. Roughly:

# Install snapd
sudo apt install snapd

# Ensure that your version of snapd is up to date
sudo snap install core
sudo snap refresh core

# Remove any Certbot OS packages
sudo apt-get remove certbot

# Install Certbot
sudo snap install --classic certbot

# Prepare the certbot command
sudo ln -s /snap/bin/certbot /usr/bin/certbot

# Next, for wildcard certificates

# Confirm plugin containment level
sudo snap set certbot trust-plugin-with-root=ok

# Install correct DNS plugin
sudo snap install certbot-dns-<PLUGIN>

# or use the manual plugin with a hook script

Obtaining the manual-auth-hook script

Clone the Let's Encrypt wildcard certificate repository from GitHub:

cd /usr/local/

git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au

ln -s certbot-letencrypt-wildcardcertificates-alydns-au manual-auth-hook-sh

# check and set permissions:
chmod +x manual-auth-hook-sh/au.sh

# restrict access, since the script holds the DNS API credentials
chmod 700 manual-auth-hook-sh/au.sh

cd -

Edit the DNS API parameters:

vim /usr/local/manual-auth-hook-sh/au.sh

For example, with Tencent Cloud DNS API credentials:

txy SecretId:   abcdefghijklmnopqrstuvwxyz
txy SecretKey:  abcdefghijklmnopqrstuvwxyz

Obtaining the Let's Encrypt certificate

Following Certbot's user guide and ywdblog's script notes, first test obtaining a new certificate:

certbot certonly \
 -d apwabc.net -d *.apwabc.net \
 --manual \
 --preferred-challenges dns \
 --dry-run --manual-auth-hook "/usr/local/manual-auth-hook-sh/au.sh python txy add" \
 --manual-cleanup-hook "/usr/local/manual-auth-hook-sh/au.sh python txy clean" \
 --agree-tos -m username@domain.tld

If the test run completes without problems, request the real certificate by removing the --dry-run parameter:

certbot certonly \
 -d apwabc.net -d *.apwabc.net \
 --manual \
 --preferred-challenges dns \
 --manual-auth-hook "/usr/local/manual-auth-hook-sh/au.sh python txy add" \
 --manual-cleanup-hook "/usr/local/manual-auth-hook-sh/au.sh python txy clean" \
 --agree-tos -m username@domain.tld

PS: remember to change the domain being requested (apwabc.net), the runtime (python/php), the DNS provider (txy/aly) and the e-mail address (username@domain.tld) to match your setup.
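As an added example (not the au.sh script from the repository above, nor Certbot's own code), the contract any --manual-auth-hook / --manual-cleanup-hook script has to follow: Certbot passes the domain and the validation token in environment variables, the hook publishes an _acme-challenge TXT record, and it should wait for that record to resolve before returning. dns_api_add/dns_api_del are hypothetical placeholders for the provider's API, and the 1.1.1.1 resolver and the polling interval are assumptions.

```sh
#!/bin/sh
# Hypothetical --manual-auth-hook / --manual-cleanup-hook (added example, not the
# au.sh script above). Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to
# both hooks; "add" publishes the TXT record, "clean" removes it afterwards.

# Record name Certbot will query. For a wildcard SAN Certbot passes the base
# domain (*.apwabc.net -> apwabc.net), so apex and wildcard share one record
# name and carry two different TXT values at the same time.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Refuse to run with inputs missing or malformed: the validation token is
# base64url, so anything else means the hook was not started by Certbot.
validate_hook_env() {
    [ -n "$CERTBOT_DOMAIN" ] || { echo "CERTBOT_DOMAIN unset" >&2; return 1; }
    [ -n "$CERTBOT_VALIDATION" ] || { echo "CERTBOT_VALIDATION unset" >&2; return 1; }
    case "$CERTBOT_VALIDATION" in
        *[!A-Za-z0-9_-]*) echo "malformed CERTBOT_VALIDATION" >&2; return 1 ;;
    esac
}

# Poll a public resolver (assumed: 1.1.1.1; the local cache may hold a stale
# negative answer) until the TXT value is visible, giving up after $3 seconds.
wait_for_txt() {
    name=$1; value=$2; deadline=${3:-120}; waited=0
    command -v dig >/dev/null 2>&1 || { echo "dig missing, skipping check" >&2; return 0; }
    while [ "$waited" -lt "$deadline" ]; do
        dig +short TXT "$name" @1.1.1.1 | grep -qF "\"$value\"" && return 0
        sleep 5; waited=$((waited + 5))
    done
    echo "TXT $name did not propagate within ${deadline}s" >&2; return 1
}

# Placeholders for the provider's DNS API calls (replace with the real ones).
dns_api_add() { echo "would create TXT $1 = $2 via the DNS API" >&2; }
dns_api_del() { echo "would delete TXT $1 = $2 via the DNS API" >&2; }

hook_main() {
    validate_hook_env || return 1
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    case "$1" in
        add)   dns_api_add "$name" "$CERTBOT_VALIDATION" &&
               wait_for_txt "$name" "$CERTBOT_VALIDATION" "${WAIT_SECONDS:-120}" ;;
        clean) dns_api_del "$name" "$CERTBOT_VALIDATION" ;;  # remove only our value
        *)     echo "usage: $0 add|clean" >&2; return 2 ;;
    esac
}
case "${1:-}" in add|clean) hook_main "$1" ;; esac
```

Because the apex and the wildcard map to the same record name, the cleanup hook must delete only the value it was given, otherwise it removes the other domain's pending challenge.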

Afterwards, inspect and verify the certificate:

certbot certificates

tree /etc/letsencrypt/

If you are not satisfied, you can revoke the certificate:

certbot revoke --cert-path /etc/letsencrypt/live/domain.tld/cert.pem
certbot revoke --cert-name domain.tld
certbot delete --cert-name domain.tld

Certificate renewal

Renew all certificates:

certbot renew \
 --manual \
 --preferred-challenges dns \
 --manual-auth-hook "/usr/local/manual-auth-hook-sh/au.sh python txy add" \
 --manual-cleanup-hook "/usr/local/manual-auth-hook-sh/au.sh python txy clean"

Renew a single specified certificate:

certbot renew \
 --cert-name apwabc.net \
 --manual-auth-hook "/usr/local/manual-auth-hook-sh/au.sh python txy add" \
 --manual-cleanup-hook "/usr/local/manual-auth-hook-sh/au.sh python txy clean"

Add a crontab entry to check and renew automatically. Create a separate file, /etc/cron.d/certbot-manual:

vim /etc/cron.d/certbot-manual

Edit the following as needed:

# Certbot only renews certificates with less than 30 days of validity left, so the crontab can run daily or weekly
1 1 */1 * * root certbot renew --manual --preferred-challenges dns --manual-auth-hook "/usr/local/manual-auth-hook-sh/au.sh python txy add" --manual-cleanup-hook "/usr/local/manual-auth-hook-sh/au.sh python txy clean"

# If Certbot runs on the same machine as the web server (e.g. nginx, apache), the web server can be restarted after a successful renewal with the following crontab entry:
1 1 */1 * * root certbot renew --manual --preferred-challenges dns --manual-auth-hook "/usr/local/manual-auth-hook-sh/au.sh python txy add" --manual-cleanup-hook "/usr/local/manual-auth-hook-sh/au.sh python txy clean" --deploy-hook "systemctl restart nginx"

Alternatively, edit the /etc/cron.d/certbot file:

vim /etc/cron.d/certbot

Edit the following as needed:

# Automatically generated for Debian
# 0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

# may be modified to:
1 1 */1 * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot renew --manual --preferred-challenges dns --manual-auth-hook "/usr/local/manual-auth-hook-sh/au.sh python txy add" --manual-cleanup-hook "/usr/local/manual-auth-hook-sh/au.sh python txy clean" --deploy-hook "systemctl restart nginx"

PS: another example of the command:

certbot certonly \
 -d apwabc.net -d *.apwabc.net \
 --manual \
 --preferred-challenges dns \
 --server https://acme-v02.api.letsencrypt.org/directory \
 --force-renewal \
 --email username@domain.tld \
 --agree-tos
