There are plenty of free SSL certificate authorities these days, and their certificates tend to be short-lived: Let's Encrypt issues 90-day certificates, so applying by hand every time is a chore. I used to get free certificates from a certain website and deploy them manually; renewal was free too, until it became paid. It is not expensive, but I wanted to handle it myself, so I looked into the official site and found that it offers a complete solution: issuance, deployment and renewal, all automated. That saves a lot of work, so I am writing it down today.
The full official tutorial is here, for anyone who wants to read the original.
1. Prerequisites
- Comfortable with the command line
- The site is already online and reachable on port 80 (the HTTP-01 challenge that Certbot uses here is served over port 80)
- SSH access to the web server with root privileges
2. Install snapd
yum install snapd
systemctl enable --now snapd.socket
ln -s /var/lib/snapd/snap /snap
On CentOS and RHEL the snapd package comes from the EPEL repository, so enable EPEL first (yum install epel-release) if yum cannot find it. The symlink gives classic-confinement snaps such as certbot the /snap path they expect.
3. Remove any certbot-auto or distro-packaged Certbot
yum remove certbot
The snap and the yum package would otherwise be two competing Certbot installs; only the snap is kept.
4. Install Certbot and make the command available
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
5. Obtain the certificate, let Certbot deploy it and renew it automatically
certbot --nginx-server-root=/usr/local/nginx/conf
One small pitfall here: the command in the official instructions is certbot --nginx, which failed with an error when I ran it.
Looking at the error, the nginx plugin could not find the system nginx configuration: it looks for nginx.conf under /etc/nginx by default, while a source-built nginx keeps it under /usr/local/nginx/conf, so I pointed it at the real directory with --nginx-server-root. The command above worked without --nginx because nginx was the only configurator Certbot could prepare on this box, so it picked the plugin on its own; spelling it out as certbot --nginx --nginx-server-root=/usr/local/nginx/conf makes the choice explicit and does not depend on that.
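To turn that pitfall into a repeatable check, here is an added example (not code from the original post or from Certbot) that derives the --nginx-server-root value from the compile-time configuration path nginx itself reports, and verifies that nginx.conf really is there before Certbot is run. The function takes the text of nginx -V as an argument so it can be exercised on a captured sample; the sample output and the paths other than /usr/local/nginx/conf are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): derive the value for certbot's
# --nginx-server-root from what `nginx -V` reports instead of guessing. The
# nginx plugin looks for nginx.conf under the server root, which defaults to
# /etc/nginx; a source-built nginx usually lives under /usr/local/nginx/conf,
# and that mismatch is what produced the error described in the post.

# Parse the "configure arguments:" part of `nginx -V` output (passed as $1 so
# the function can be tested on a captured string) and print the directory
# that holds nginx.conf.
nginx_server_root() {
    v_output=$1
    conf_path=$(printf '%s\n' "$v_output" | tr ' ' '\n' | sed -n 's/^--conf-path=//p' | head -n 1)
    if [ -z "$conf_path" ]; then
        # No explicit --conf-path: nginx falls back to <prefix>/conf/nginx.conf,
        # and the prefix itself defaults to /usr/local/nginx.
        prefix=$(printf '%s\n' "$v_output" | tr ' ' '\n' | sed -n 's/^--prefix=//p' | head -n 1)
        conf_path="${prefix:-/usr/local/nginx}/conf/nginx.conf"
    fi
    dirname "$conf_path"
}

# Sanity check before handing the path to certbot: the plugin must find
# nginx.conf there, otherwise it fails the same way the post describes.
check_server_root() {
    root=$1
    if [ -f "$root/nginx.conf" ]; then
        printf 'ok: %s/nginx.conf\n' "$root"
        return 0
    fi
    printf 'missing: %s/nginx.conf\n' "$root" >&2
    return 1
}

# Constructed sample of what a source-built nginx prints (on a real box use:
# nginx -V 2>&1). The version and compiler line are illustrative only.
SAMPLE_V='nginx version: nginx/1.24.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
configure arguments: --prefix=/usr/local/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module'

# Typical use on the server:
#   ROOT=$(nginx_server_root "$(nginx -V 2>&1)")
#   check_server_root "$ROOT" && certbot --nginx --nginx-server-root="$ROOT"
```

Running the two helpers first means the plugin is pointed at the directory nginx was actually built with, rather than at whatever path happens to be in a tutorial.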
What follows is the interactive setup:
[root@iZgw868evfzxajc3genjgzZ ~]# certbot --nginx-server-root=/usr/local/nginx/conf
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): qxxxx@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: admin.xxxxxx.co
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for admin.xxxxxx.co
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/admin.xxxxx.co/fullchain.pem
Key is saved at: /etc/letsencrypt/live/admin.xxxxx.co/privkey.pem
This certificate expires on 2024-06-11.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for admin.xxxxxx.co to /usr/local/nginx/conf/vhost/admin.xxxxx.co.conf
Congratulations! You have successfully enabled HTTPS on https://admin.xxxxxx.co
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Once it finishes, the nginx configuration file has been updated automatically, and the site loads over https in the browser.
Certbot offers other subcommands as well, including obtaining a certificate without installing it (certonly) and rehearsing the renewal to confirm it works (renew --dry-run); try them out yourself.
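Since the whole point of this setup is unattended renewal, here is an added example (not code from the original post or from Certbot) of the checks I would run after issuance and keep running from monitoring: how many days a certificate has left, whether it is inside the 30-day window in which Certbot's scheduled job renews it, and whether the nginx vhost really points at the live Let's Encrypt files. The /etc/letsencrypt/live and /usr/local/nginx/conf/vhost paths are the ones from the session output above; the throwaway self-signed certificate, the sample vhost and the example.test names are constructed so the functions can be exercised offline, and GNU date (date -d) is assumed.

```sh
#!/bin/sh
# Added example (not from the original post): post-issuance checks that work
# both on the real server and offline against constructed fixtures.
# Assumes OpenSSL and GNU date (date -d) are available.

# Print the notAfter date of a PEM certificate, e.g. "Jun 11 12:34:56 2024 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Whole days left before the certificate in $1 expires (negative once expired).
days_until_expiry() {
    end_epoch=$(date -u -d "$(cert_not_after "$1")" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Certbot's scheduled job renews a certificate once fewer than 30 days remain;
# mirror that threshold ($2 overrides it) so monitoring agrees with Certbot.
needs_renewal() {
    threshold=${2:-30}
    [ "$(days_until_expiry "$1")" -lt "$threshold" ]
}

# Confirm an nginx vhost file ($1) points at the live certificate and key for
# domain $2, which is what the "Deploying certificate" step is meant to write.
vhost_uses_letsencrypt() {
    conf=$1
    domain=$2
    grep -Eq "^[[:space:]]*ssl_certificate[[:space:]]+/etc/letsencrypt/live/$domain/fullchain\.pem;" "$conf" &&
    grep -Eq "^[[:space:]]*ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/$domain/privkey\.pem;" "$conf"
}

# --- constructed fixtures so the functions can run without a server ---

# Throwaway self-signed certificate valid for $2 days, written to $1.
# It is not a Let's Encrypt certificate; it stands in for fullchain.pem.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj '/CN=admin.example.test' >/dev/null 2>&1
    rm -f "$1.key"
}

# Constructed vhost resembling the lines Certbot adds ("managed by Certbot").
SAMPLE_VHOST='server {
    server_name admin.example.test;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/admin.example.test/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/admin.example.test/privkey.pem; # managed by Certbot
}'

# Typical use on the real box (admin.example.co is a placeholder domain):
#   days_until_expiry /etc/letsencrypt/live/admin.example.co/fullchain.pem
#   vhost_uses_letsencrypt /usr/local/nginx/conf/vhost/admin.example.co.conf admin.example.co
#   certbot renew --dry-run      # rehearse renewal without issuing anything
#   certbot certificates         # list what Certbot manages and when each expires
```

The renewal threshold deliberately matches Certbot's own, so an alert from needs_renewal means the scheduled job has already had its chance and something is wrong, rather than firing every time a certificate is simply getting older.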
6. Requesting certificates for additional domains
[root@iZgw868evfzxajc3genjgzZ vhost]# certbot --nginx-server-root=/usr/local/nginx/conf
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: admin.xxxxx.co
2: nigeria-api.xxxxxx.co
3: nigeria-callback.xxxxx.co
4: nigeria-file.xxxxxx.co
5: api.xxxxxx.co
6: callback.xxxxxxx.co
7: merchant.xxxxxx.co
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2 3 4 5 6 7
Requesting a certificate for nigeria-api.xxxxxx.co and 5 more domains
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/nigeria-api.xxxxx.co/fullchain.pem
Key is saved at: /etc/letsencrypt/live/nigeria-api.xxxxx.co/privkey.pem
This certificate expires on 2024-06-11.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for nigeria-api.xxxxxx.co to /usr/local/nginx/conf/vhost/nigeria-api.xxxxxx.co.conf
Successfully deployed certificate for nigeria-callback.xxxxxx.co to /usr/local/nginx/conf/vhost/nigeria-callback.xxxxxx.co.conf
Successfully deployed certificate for nigeria-file.xxxxxx.co to /usr/local/nginx/conf/vhost/nigeria-file.xxxxxx.co.conf
Successfully deployed certificate for api.xxxxxx.co to /usr/local/nginx/conf/vhost/api.xxxxxx.co.conf
Successfully deployed certificate for callback.xxxxxx.co to /usr/local/nginx/conf/vhost/callback.xxxxxx.co.conf
Successfully deployed certificate for merchant.xxxxxx.co to /usr/local/nginx/conf/vhost/merchant.xxxxxx.co.conf
Congratulations! You have successfully enabled HTTPS on https://nigeria-api.xxxxx.co, https://nigeria-callback.xxxxx.co, https://nigeria-file.xxxxxxx.co, https://api.xxxxxxx.co, https://callback.xxxxxxx.co, and https://merchant.xxxxxx.co
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7. Automatic issuance and renewal of wildcard certificates with Namecheap DNS: Namecheap has raised the requirements for API access and I do not currently meet them, so for now I am only noting the reference link. Wildcard certificates can only be validated through the DNS-01 challenge, which is why an automated flow needs API access to the DNS provider.