免费https的单域名ssl证书申请和自动部署


Let’s Encrypt为例,+ubuntu自动申请和更新说明。以本站点为例做个记录,单域名申请证书相对简单。

官方网站:https://letsencrypt.org/
cerbot的各个版本操作方法不一样,本文版本为:certbot 1.6.0.dev0.

Let’s Encrypt 是目前使用范围最为广泛的免费 SSL 证书,自 2018 年开始提供通配符 SSL 证书,也就是 wildcard certificates。
这对于广大个人站长来说,无疑是个不错的利好消息。唯一的缺憾就是,Let’s Encrypt 发行的证书有效期只有 3 个月。

通过命令certbot申请证书流程:

第一步:环境安装
根据你的系统和需求安装,参考:https://certbot.eff.org/instructions

第二步:一句命令获取证书

**选项1:给nginx生成证书
sudo certbot --nginx

**选项2:给oss生成证书(阿里云oss)在自动更新证书时候会失败。
sudo certbot certonly --manual (用这个) 
sudo certbot certonly --standalone #my web server is not currently running on this machine.

通过sudo certbot certonly --manual 生成的证书,renew不行,
下次只能删除了 certbot delete, 然后在重新生成一个新证书。

#Attempting to renew cert (oss.ycbbm.com) from /etc/letsencrypt/renewal/oss.ycbbm.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.

#按要求上传指定的文件到oss目录。

#errorAttempting to renew cert (oss.ycbbm.com) from /etc/letsencrypt/renewal/.ycbbm.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
#这个域名是cname解析


同一个域名使用certbot生成多了后,会被限制申请:too many certificates (5) already issued for this exact set of domains in the last 168 hours: h5.ycbbm.com, retry after 2023-05-24T16:14:40Z: https://letsencrypt.org/docs/duplicate-certificate-limit/

/etc/letsencrypt/renewal/h5.ycbbm.com.conf

# renew_before_expiry = 30 days
version = 1.6.0.dev0
archive_dir = /etc/letsencrypt/archive/h5.ycbbm.com
cert = /etc/letsencrypt/live/h5.ycbbm.com/cert.pem
privkey = /etc/letsencrypt/live/h5.ycbbm.com/privkey.pem
chain = /etc/letsencrypt/live/h5.ycbbm.com/chain.pem
fullchain = /etc/letsencrypt/live/h5.ycbbm.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 92a78b683c36c42cc260053c3a5f4e9c
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory

会询问你的IP会被记录:
NOTE: The IP of this machine will be publicly logged as having requested this certificate. 
If you're running certbot in manual mode on a machine that is not your server, 
please ensure you're okay with that.

Are you OK with your IP being logged?
这个问题不大,只是记录你当前操作的电脑的IP地址,属于隐私问题。根据你的情况选择。
然后会让你添加一条DNS的txt解析记录。

Please deploy a DNS TXT record under the name
_acme-challenge.h5.ycbbm.com with the following value:

rK7cr2A×××××××××××××××xI8ig1HDiP96q16FnqyOYmDbYI

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

添加完成后稍等几秒再敲回车。

第三步:不要忘记了做一个定时任务,用来定时更新证书,证书的有效期只有90天。
sudo crontab -e
#每隔两个月,凌晨1点0分,强制续签
0 1 * */2 * /snap/bin/certbot  renew --force-renewal

第四步: 测试是否可以更新

sudo certbot certificates # 查看所有签发的证书

sudo certbot renew --dry-run
如果没有报错,则自动续期命令是正常运行的。
最后我们设置个定时任务,让这个续期命令到期自动执行。
用certbot renew --force-renewal强制续签,否则没到期,无法续签的。

错误问题 "http-01 challenge for h5.ycbbm.com"
这是一个验证域名是否能正常访问的一个问题,大概是访问..某.网址,但是返回来是404.然后就说challenge错误,挑战错误。
最下面给出了解决方案:please make sure that your domain name was   entered correctly

http-01 challenge for h5.ycbbm.com
Waiting for verification...
Challenge failed for domain h5.ycbbm.com
http-01 challenge for h5.ycbbm.com
Cleaning up challenges
Attempting to renew cert (h5.ycbbm.com) from /etc/letsencrypt/renewal/h5.ycbbm.com.conf produced an unexpected error: Some challenges have failed.. Skipping.

第五步 删除证书

certbot delete

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: oss.ycbbm.com
   Type:   unauthorized
   Detail: 12.10.20.20: Invalid response from
   http://h5.ycbbm.com/.well-known/acme-challenge/bXiQqczH**********wlfaLZAOvlTP4Gs:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

问题:
certbot 有个定时器,默认每隔是12小时会 renew,通过下面命令可以查看。
> systemctl list-timers

但是一周一个域名只能申请五次证书,超过五次就不让你申请了,这就意味,如果证书出现问题,没有更新成功的话,那么他一天就帮你运行2次,等你自己处理的时候,已经超额了。
可以通过一次申请两个证书的方式来规避这种问题。比如h5.ycbbm.com的近一周内的申请已经超过5次,那么可以申请 [ycbbm.com h5.ycbbm.com]。这种情况下还是可以继续申请证书给h5.ycbbm.com使用。



在线申请网址1(中文):https://freessl.org/
在线申请网址2(英文):https://www.sslforfree.com/
在线申请网址3(英文):https://gethttpsforfree.com/


2018 年 03 月 15 日更新: Let’s Encrypt 已经正式支持发行免费的通配符证书(Wildcard SSL),需使用 certbot 或 acme.sh 手动发行。

通过下面的生成的证书,不能自动更新证书。。。
hw@front:~$ sudo certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): img1.oss.delitao.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for img1.oss.delitao.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

KP_exj3n5rD1somuWoQROVtVEquZ40rz***vfWnz-jA9WcxXh9cb8kEJRNESeNU

And make it available on your web server at this URL:

http://img1.oss.delitao.com/.well-known/acme-challenge/KP_exj3n5rD1****QDUUTTmA8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/img1.oss.delitao.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/img1.oss.delitao.com/privkey.pem
   Your cert will expire on 2023-09-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le





阅读量: 1351
发布于:
修改于: