Applying for and auto-deploying a free single-domain SSL certificate for HTTPS


Using Let's Encrypt as the example, with notes on automatic issuance and renewal on Ubuntu. This is a record based on this site; applying for a single-domain certificate is relatively simple.

Official site: https://letsencrypt.org/
The procedure differs between certbot versions; the version used in this article is certbot 1.6.0.dev0.

Let's Encrypt is currently the most widely used free SSL certificate provider; since 2018 it has also offered wildcard SSL certificates.
That is good news for individual site owners. The only drawback is that certificates issued by Let's Encrypt are valid for only 3 months.

Workflow for obtaining a certificate with the certbot command:

Step 1: install the environment
Install according to your system and needs; see: https://certbot.eff.org/instructions

Step 2: obtain the certificate with one command

Option 1: generate a certificate for nginx
sudo certbot --nginx

Option 2: generate a certificate for OSS (Alibaba Cloud OSS); automatic renewal will fail for this one.
sudo certbot certonly --manual (use this one)
sudo certbot certonly --standalone #my web server is not currently running on this machine.

A certificate generated with sudo certbot certonly --manual cannot be renewed with renew;
next time you can only delete it with certbot delete and then generate a new certificate.

#Attempting to renew cert (oss.ycbbm.com) from /etc/letsencrypt/renewal/oss.ycbbm.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.

#Upload the specified file to the OSS directory as instructed.

#errorAttempting to renew cert (oss.ycbbm.com) from /etc/letsencrypt/renewal/.ycbbm.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
#This domain is a CNAME record.


After the same domain has had too many certificates generated with certbot, further requests are rate limited: too many certificates (5) already issued for this exact set of domains in the last 168 hours: h5.ycbbm.com, retry after 2023-05-24T16:14:40Z: https://letsencrypt.org/docs/duplicate-certificate-limit/

/etc/letsencrypt/renewal/h5.ycbbm.com.conf

# renew_before_expiry = 30 days
version = 1.6.0.dev0
archive_dir = /etc/letsencrypt/archive/h5.ycbbm.com
cert = /etc/letsencrypt/live/h5.ycbbm.com/cert.pem
privkey = /etc/letsencrypt/live/h5.ycbbm.com/privkey.pem
chain = /etc/letsencrypt/live/h5.ycbbm.com/chain.pem
fullchain = /etc/letsencrypt/live/h5.ycbbm.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 92a78b683c36c42cc260053c3a5f4e9c
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory

You will be asked to confirm that your IP address will be logged:
NOTE: The IP of this machine will be publicly logged as having requested this certificate. 
If you're running certbot in manual mode on a machine that is not your server, 
please ensure you're okay with that.

Are you OK with your IP being logged?
This is not a big deal; it only records the IP address of the machine you are currently working from, which is a privacy matter. Choose according to your situation.
Next it asks you to add a DNS TXT record.

Please deploy a DNS TXT record under the name
_acme-challenge.h5.ycbbm.com with the following value:

rK7cr2A×××××××××××××××xI8ig1HDiP96q16FnqyOYmDbYI

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

After adding the record, wait a few seconds before pressing Enter.
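Rather than guessing how long to wait, you can check that the TXT record is already visible in public DNS before pressing Enter. The script below is an added example, not part of the original post: it assumes certbot was started with `--manual --preferred-challenges dns` (the mode that prints the "deploy a DNS TXT record" prompt), that `dig` from bind9-dnsutils is installed, and that the resolvers 1.1.1.1 and 8.8.8.8 are reachable; the record name and value are placeholders for what certbot printed.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the _acme-challenge TXT record
# certbot asked for is visible in public DNS before pressing Enter.
# Assumes: certbot --manual --preferred-challenges dns, dig installed, 1.1.1.1/8.8.8.8 reachable.

# Pure helper: reads `dig +short TXT` output on stdin and succeeds if one of the
# returned strings equals the expected value. dig prints each TXT string quoted,
# e.g. "rK7cr2A...DbYI", so the surrounding quotes are stripped before comparing.
txt_value_present() {
    expected="$1"
    while IFS= read -r line; do
        value=${line#\"}
        value=${value%\"}
        [ "$value" = "$expected" ] && return 0
    done
    return 1
}

# Ask public resolvers (not the local cache, which may hold a stale negative answer)
# and wait up to max_tries * 10 seconds for the record to propagate.
wait_for_acme_txt() {
    name="$1"; expected="$2"; max_tries="${3:-30}"
    i=0
    while [ "$i" -lt "$max_tries" ]; do
        for resolver in 1.1.1.1 8.8.8.8; do
            if dig +short TXT "$name" @"$resolver" | txt_value_present "$expected"; then
                echo "TXT $name is visible on $resolver; safe to press Enter in certbot"
                return 0
            fi
        done
        i=$((i + 1))
        sleep 10
    done
    echo "TXT $name still not visible after $max_tries attempts" >&2
    return 1
}

# Usage (name and value are placeholders for what certbot printed):
# wait_for_acme_txt _acme-challenge.h5.ycbbm.com 'rK7cr2A...DbYI'
```

Let's Encrypt validates from its own vantage points, so what matters is what public resolvers return, not what your local `/etc/hosts` or a cached resolver says; that is why the loop queries external resolvers directly.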

Step 3: don't forget to set up a scheduled task that renews the certificate periodically; certificates are valid for only 90 days.
sudo crontab -e
#On the 1st of every second month, at 01:00, force renewal (day-of-month set to 1 so it does not run every day of those months)
0 1 1 */2 * /snap/bin/certbot renew --force-renewal

Step 4: test whether renewal works

sudo certbot certificates # list all issued certificates

sudo certbot renew --dry-run
If no errors are reported, the automatic renewal command runs correctly.
Finally we set up a scheduled task so that the renewal command runs automatically when the certificate is due.
Use certbot renew --force-renewal to force renewal; otherwise renewal is refused before the certificate is due.
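As an added example (not from the original post), here is a renewal wrapper for the scheduled task in step 3 together with a check that turns the `certbot certificates` output from step 4 into an alert list. The script name, the `systemctl reload nginx` deploy hook and the 20-day warning threshold are assumptions for this example; the `Expiry Date: ... (VALID: N days)` / `(INVALID: EXPIRED)` line format is what certbot prints.

```shell
#!/bin/sh
# Added example (not from the original post): cron-friendly renewal plus an
# expiry check over `certbot certificates` output.
# Assumptions: nginx is the web server, certbot is on PATH, 20-day threshold.

# Pure helper: reads `certbot certificates` output on stdin and prints one
# "<name> <days>" line per certificate that is invalid/expired (days = -1) or has
# fewer than $1 days left. Relevant certbot lines look like:
#   Certificate Name: h5.ycbbm.com
#   Expiry Date: 2023-09-08 10:20:30+00:00 (VALID: 29 days)
certs_needing_attention() {
    threshold="$1"
    awk -v limit="$threshold" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /INVALID/) { print name, -1 }
            else if (match($0, /VALID: [0-9]+ day/)) {
                split(substr($0, RSTART, RLENGTH), f, " ")
                days = f[2] + 0
                if (days < limit) print name, days
            }
        }'
}

# Cron entry point. `certbot renew` without --force-renewal re-issues only the
# certificates inside the renew_before_expiry window (30 days in the renewal .conf),
# so it can run daily without consuming the 5-per-week duplicate-certificate limit;
# nginx is reloaded only when something was actually renewed.
renew_and_report() {
    threshold="${1:-20}"
    certbot renew --quiet --deploy-hook 'systemctl reload nginx' || echo "certbot renew failed" >&2
    # Anything still close to expiry after a renew run is a renewal that keeps
    # failing (for example a --manual certificate, which certbot cannot renew unattended).
    certbot certificates 2>/dev/null | certs_needing_attention "$threshold" |
        while read -r name days; do
            if [ "$days" -lt 0 ]; then
                echo "ALERT: $name is expired or invalid" >&2
            else
                echo "WARNING: $name has only $days days left and was not renewed" >&2
            fi
        done
}

# Run the renewal only when invoked with --run, so the helpers can also be sourced.
if [ "${1:-}" = "--run" ]; then
    renew_and_report "${2:-20}"
fi

# Suggested crontab line (daily at 01:00; the script path is an assumption):
# 0 1 * * * /usr/local/sbin/renew_and_report.sh --run 20
```

Two points worth keeping in mind when adapting this. First, the duplicate-certificate limit counts certificates that were actually issued, so a cron job that passes `--force-renewal` creates a fresh certificate on every run and is the quickest way to exhaust the five-per-week quota, whereas plain `certbot renew` does nothing until the certificate is within 30 days of expiry. Second, a certificate obtained with `certonly --manual` and no `--manual-auth-hook` cannot be renewed non-interactively at all, which is exactly what the WARNING line above will keep reporting; the fix is to re-issue it with an authenticator certbot can drive on its own (`--nginx`, `--webroot`, or a DNS plugin).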

Error: "http-01 challenge for h5.ycbbm.com"
This is a check of whether the domain can be reached normally: roughly, it fetches a certain URL, but a 404 comes back, and then it reports that the challenge failed.
The solution is given at the bottom: please make sure that your domain name was entered correctly

http-01 challenge for h5.ycbbm.com
Waiting for verification...
Challenge failed for domain h5.ycbbm.com
http-01 challenge for h5.ycbbm.com
Cleaning up challenges
Attempting to renew cert (h5.ycbbm.com) from /etc/letsencrypt/renewal/h5.ycbbm.com.conf produced an unexpected error: Some challenges have failed.. Skipping.

Step 5: delete a certificate

certbot delete

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: oss.ycbbm.com
   Type:   unauthorized
   Detail: 12.10.20.20: Invalid response from
   http://h5.ycbbm.com/.well-known/acme-challenge/bXiQqczH**********wlfaLZAOvlTP4Gs:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
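The three failure messages quoted on this page (the "Problem binding to port 80" error above, the http-01 "Invalid response ... 404" block, and the "too many certificates" rate limit) each point to a different root cause. The following is an added example, not part of the original post: a small triage helper that reads certbot output and reduces it to a verdict a monitoring job can act on. The verdict names and the explanations are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): classify certbot failure output
# into a short verdict. Feed it the text certbot printed, or the relevant part of
# /var/log/letsencrypt/letsencrypt.log. Verdict names are this example's own.

# Reads certbot output on stdin and prints one line: "<VERDICT>" or "<VERDICT> <detail>".
triage_certbot_error() {
    awk '
        /too many certificates/ {
            verdict = "RATE_LIMITED"
            # "retry after " is 12 characters; keep only the timestamp after it.
            if (match($0, /retry after [0-9T:-]+Z/))
                detail = substr($0, RSTART + 12, RLENGTH - 12)
        }
        /Problem binding to port 80/ { if (verdict == "") verdict = "PORT80_BUSY" }
        /Invalid response from/      { if (verdict == "") verdict = "HTTP01_INVALID_RESPONSE" }
        # certbot prints the HTTP status on its own line after the challenge URL.
        verdict == "HTTP01_INVALID_RESPONSE" && /^ *[0-9][0-9][0-9] *$/ { detail = $1 }
        /not yet due for renewal/    { if (verdict == "") verdict = "NOT_DUE" }
        END {
            if (verdict == "") verdict = "UNKNOWN"
            if (detail != "") print verdict, detail; else print verdict
        }'
}

# Turns a verdict into the check an operator should make.
explain_verdict() {
    case "$1" in
        RATE_LIMITED)
            echo "Duplicate-certificate limit hit: do not retry before the time shown, and remove --force-renewal from cron so each run does not issue a new certificate" ;;
        PORT80_BUSY)
            echo "--standalone needs port 80 free on this host (nginx usually holds it); use --nginx or --webroot so the running server answers. If the name is a CNAME to another host such as OSS, HTTP validation never reaches this machine at all, so use the DNS challenge" ;;
        HTTP01_INVALID_RESPONSE)
            echo "The host behind the A/AAAA record answered but did not serve /.well-known/acme-challenge/: confirm the record points at this server and that the vhost/webroot serves that path" ;;
        NOT_DUE)
            echo "Nothing to do: certbot renews only inside the renew_before_expiry window" ;;
        *)
            echo "Unrecognised failure: read /var/log/letsencrypt/letsencrypt.log" ;;
    esac
}

# Usage: certbot renew 2>&1 | tee /tmp/certbot.out; explain_verdict "$(triage_certbot_error < /tmp/certbot.out | cut -d' ' -f1)"
```

The verdict is printed as a stable token rather than free text so that the cron job from the renewal section can match on it; the human explanation is kept separate in `explain_verdict`.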

Problem:
certbot has a timer that runs renew every 12 hours by default; you can check it with the command below.
> systemctl list-timers

But a domain can only be issued five certificates per week; beyond that you are not allowed to apply again. This means that if something goes wrong with the certificate and renewal does not succeed, the timer still runs twice a day, and by the time you look into it yourself the quota is already used up.
You can work around this by requesting a certificate for two names at once. For example, if h5.ycbbm.com has already been requested more than 5 times in the past week, you can request [ycbbm.com h5.ycbbm.com]; in that case you can still obtain a certificate for h5.ycbbm.com to use.



Online application site 1 (Chinese): https://freessl.org/
Online application site 2 (English): https://www.sslforfree.com/
Online application site 3 (English): https://gethttpsforfree.com/


Update 2018-03-15: Let's Encrypt now officially issues free wildcard certificates (Wildcard SSL); they must be issued manually with certbot or acme.sh.

A certificate generated as shown below cannot be renewed automatically:
hw@front:~$ sudo certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): img1.oss.delitao.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for img1.oss.delitao.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

KP_exj3n5rD1somuWoQROVtVEquZ40rz***vfWnz-jA9WcxXh9cb8kEJRNESeNU

And make it available on your web server at this URL:

http://img1.oss.delitao.com/.well-known/acme-challenge/KP_exj3n5rD1****QDUUTTmA8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/img1.oss.delitao.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/img1.oss.delitao.com/privkey.pem
   Your cert will expire on 2023-09-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le




