前言
Certbot可以配置為在證書過期之前自動更新證書。由於Let’s Encrypt SSL證書有效期時間為90天,所以建議您利用此功能。您可以通過運行以下命令來測試證書的自動續訂:
安裝
yum -y install yum-utils yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional yum install certbot python2-certbot-nginx
使用
1.生成配置
certbot --nginx # 自動生成nginx配置 Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator nginx, Installer nginx Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org Which names would you like to activate HTTPS for? 1:servicemesher.com 2: www.servicemsher.com # 這里直接回車選擇所有的域名 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - You have an existing certificate that contains a portion of the domains you requested (ref: /etc/letsencrypt/renewal/servicemesher.com.conf) It contains these names: servicemesher.com, www.servicemesher.com You requested these names for the new certificate: servicemesher.com, prow.servicemesher.com, www.servicemesher.com. Do you want to expand and replace this existing certificate with the new certificate? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (E)xpand/(C)ancel: E Renewing an existing certificate Performing the following challenges: http-01 challenge for prow.servicemesher.com Waiting for verification... Cleaning up challenges Deploying Certificate to VirtualHost /etc/nginx/nginx.conf Deploying Certificate to VirtualHost /etc/nginx/nginx.conf Deploying Certificate to VirtualHost /etc/nginx/nginx.conf Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): # 這里是為了擴展證書支持更多的域名,所有輸入 2 回車 Traffic on port 80 already redirecting to ssl in /etc/nginx/nginx.conf Redirecting all traffic on port 80 to ssl in /etc/nginx/nginx.conf Traffic on port 80 already redirecting to ssl in /etc/nginx/nginx.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Your existing certificate has been successfully renewed, and the new certificate has been installed.
2、查看配置
參考重點配置如下:
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256
ssl_ecdh_curve prime256v1;
# ssl_certificate /nginx.crt;
# ssl_certificate_key /nginx.key;
ssl_certificate /fullchain.pem;
ssl_certificate_key /privkey.pem;
ssl_verify_client off;
ssl_verify_depth 10;
3、重啟,測試
nginx -t;nginx -s reload
4、自動化續期
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
附錄:
git代碼庫,開發文檔
git clone https://github.com/certbot/certbot
https://certbot.eff.org/docs/contributing.html
certbot命令詳解
用法:
certbot [子命令] [選項] [-d 域名] [-d 域名] ...
Certbot工具用於獲取和安裝 HTTPS/TLS/SSL 證書。默認情況下,Certbot會嘗試為本地網頁服務器
(如果不存在會默認安裝一個到本地)獲取並安裝證書。最常用的子命令和選項如下:
獲取, 安裝, 更新證書:
(默認) run 獲取並安裝證書到當前網頁服務器
certonly 獲取或更新證書,但是不安裝
renew 更新已經獲取但快過期的所有證書
-d 域名列表 指定證書對應的域名列表,域名之間使用逗號分隔
--apache 使用Apache插件進行身份認證和安裝
--standalone 運行一個獨立的網頁服務器用於身份認證
--nginx 使用Nginx插件進行身份認證和安裝
--webroot 把身份認證文件放置在服務器的網頁根目錄下
--manual 使用交互式或腳本鈎子的方式獲取證書
-n 非交互式運行
--test-cert 從預交付服務器上獲取測試證書
--dry-run 測試獲取或更新證書,但是不存儲到本地硬盤
證書管理:
certificates 顯示使用Certbot生成的所有證書的信息
revoke 撤銷證書(supply --cert-path)
delete 刪除證書
管理你的Let's Encrypt賬戶
register 創建Let's Encrypt ACME賬戶
--agree-tos 同意ACME服務器的訂閱協議
-m EMAIL 接收有關賬戶的重要通知的郵箱地址
可選參數:
-h, --help 顯示幫助信息,然后退出
-c 配置文件, --config 配置文件
配置文件的路徑 (默認: /etc/letsencrypt/cli.ini
或 ~/.config/letsencrypt/cli.ini)
-v, --verbose 當前參數可以重復使用多次來增加輸出信息的詳細程度,例如 -vvv.
(默認: -2)
-n, --non-interactive, --noninteractive
非交互式運行,即運行過程中不需要詢問用戶輸入,但需要額外的命令行
參數。當客戶端發現參數缺失時會給出相應的說明。(默認: False)
--force-interactive 無論Certbot是否以命令行的方式運行,強制交互式運行。當前參數不能
用於renew子命令。(默認: False)
-d 域名列表, --domains 域名列表, --domain 域名列表
指定域名列表。如果有多個域名,可以多次使用-d參數,也可以在-d參數后
使用逗號分隔的域名列表。(默認: 詢問)
--cert-name 證書名稱 指定證書名稱。每次Certbot運行只使用一個證書名稱。可以使用命令
'certbot certificates'查看已生成的證書名稱。當創建新的證書時,
此選項用於指定證書的名稱。(默認: 無)
--dry-run 使用客戶端執行一次試運行,獲取測試證書(無效的證書)但不保存到磁盤。
當前選項僅用於'certonly'和'renew'子命令。
注: 盡管 --dry-run 選項試圖阻止任何對系統的修改,但並不能做到
完全避免: 如果使用類似apache或nginx網頁服務器來認證插件,
程序運行過程中,會嘗試修改或恢復配置文件來獲取測試證書,
也會重啟網頁服務器來部署和回滾這些修改。如果定義了 --pre-hook 和
--post-hook 選項它們會被同時執行,這兩個選項有助於更精確地模擬
更新證書。--renew-hook 選項在這里不會被執行。(默認: False)
--preferred-challenges PREF_CHALLS
A sorted, comma delimited list of the preferred
challenge to use during authorization with the most
preferred challenge listed first (Eg, "dns" or "tls-
sni-01,http,dns"). Not all plugins support all
challenges. See
https://certbot.eff.org/docs/using.html#plugins for
details. ACME Challenges are versioned, but if you
pick "http" rather than "http-01", Certbot will select
the latest version automatically. (default: [])
--user-agent 用戶代理
設置本客戶端的用戶代理信息。用戶代理信息用於CA機構收集關於操作系統
和插件的使用成功率。如果你希望隱藏此信息,設置此選項為""。
(默認: CertbotACMEClient/0.12.0 (Ubuntu 16.04.2 LTS)
Authenticator/XXX Installer/YYY)
其他相關
自動化:
用於自動運行或其他情況的參數
--keep-until-expiring, --keep, --reinstall
如果被請求的證書已經存在,那么不執行更新操作直到證書將要過期
(如果使用了'run'子命令,無論是否過期證書都會被更新)。
(默認: 詢問)
--expand 如果請求的證書名字是已經存在的證書名字的子集,那么這個本地證書
會被重置並重命名。(默認: 詢問)
--version 顯示程序和版本號,然后退出
--force-renewal, --renew-by-default
如果請求的證書已經存在,無論是否快要到期,更新該證書。
(通常使用 --keep-until-expiring 選項)。
該選項默認包含了 --expand 選項的功能。(默認: False)
--renew-with-new-domains
如果被請求的證書已經存在,但是域名變了,那么無論該證書是否將要過期
都會被更新。(默認: False)
--allow-subset-of-names
When performing domain validation, do not consider it
a failure if authorizations can not be obtained for a
strict subset of the requested domains. This may be
useful for allowing renewals for multiple domains to
succeed even if some domains no longer point at this
system. This option cannot be used with --csr.
(default: False)
--agree-tos 同意ACME訂閱協議 (默認: 詢問)
--duplicate Allow making a certificate lineage that duplicates an
existing one (both can be renewed in parallel)
(default: False)
--os-packages-only (僅用於 certbot-auto) 安裝系統依賴包,然后停止 (默認: False)
--no-self-upgrade (僅用於 certbot-auto) 禁止 certbot-auto 腳本自動升級自己到
新的發布版本 (默認: 自動升級)
-q, --quiet 程序運行只輸出錯誤信息。這個選項對於 cron 等自動化工具很有用。
該選項默認包含了 --non-interactive 選項的功能。(默認: False)
安全:
有關安全的參數和服務器設置
--rsa-key-size N RSA密鑰的大小。 (默認: 2048)
--must-staple 為證書添加 OCSP Must Staple 擴展。當Apache版本高於2.3.3時,
自動配置 OCSP Stapling 支持。 (默認: False)
--redirect 對於新認證的虛擬主機,自動重定向HTTP到HTTPS。 (默認: 詢問)
--no-redirect 對於新認證的虛擬主機,不要重定向HTTP到HTTPS。 (默認: 詢問)
--hsts Add the Strict-Transport-Security header to every HTTP
response. Forcing browser to always use SSL for the
domain. Defends against SSL Stripping. (default:
False)
--uir Add the "Content-Security-Policy: upgrade-insecure-
requests" header to every HTTP response. Forcing the
browser to use https:// for every http:// resource.
(default: None)
--staple-ocsp Enables OCSP Stapling. A valid OCSP response is
stapled to the certificate that the server offers
during TLS. (default: None)
--strict-permissions Require that all configuration files are owned by the
current user; only needed if your config is somewhere
unsafe like /tmp/ (default: False)
測試:
The following flags are meant for testing and integration purposes only.
--test-cert, --staging
Use the staging server to obtain or revoke test
(invalid) certs; equivalent to --server https://acme-
staging.api.letsencrypt.org/directory (default: False)
--debug Show tracebacks in case of errors, and allow certbot-
auto execution on experimental platforms (default:
False)
--no-verify-ssl Disable verification of the ACME server's certificate.
(default: False)
--tls-sni-01-port TLS_SNI_01_PORT
Port used during tls-sni-01 challenge. This only
affects the port Certbot listens on. A conforming ACME
server will still attempt to connect on port 443.
(default: 443)
--http-01-port HTTP01_PORT
Port used in the http-01 challenge. This only affects
the port Certbot listens on. A conforming ACME server
will still attempt to connect on port 80. (default:
80)
--break-my-certs Be willing to replace or renew valid certs with
invalid (testing/staging) certs (default: False)
路徑:
修改有關執行路徑和服務器的參數
--cert-path 證書路徑
Path to where cert is saved (with auth --csr),
installed from, or revoked. (default: None)
--key-path 密鑰路徑 Path to private key for cert installation or
revocation (if account key is missing) (default: None)
--chain-path 鑰匙鏈路徑
Accompanying path to a certificate chain. (default:
None)
--config-dir 配置文件目錄
Configuration directory. (default: /etc/letsencrypt)
--work-dir 工作目錄 Working directory. (default: /var/lib/letsencrypt)
--logs-dir 日志目錄 Logs directory. (default: /var/log/letsencrypt)
--server 服務器 ACME Directory Resource URI. (default:
https://acme-v01.api.letsencrypt.org/directory)
管理:
Various subcommands and flags are available for managing your
certificates:
certificates List certificates managed by Certbot
delete Clean up all files related to a certificate
renew Renew all certificates (or one specified with --cert-
name)
revoke Revoke a certificate specified with --cert-path
update_symlinks Recreate symlinks in your /etc/letsencrypt/live/
directory
run:
獲取和安裝證書的選項
certonly:
修改獲取證書方式的選項
--csr CSR Path to a Certificate Signing Request (CSR) in DER or
PEM format. Currently --csr only works with the
'certonly' subcommand. (default: None)
renew:
The 'renew' subcommand will attempt to renew all certificates (or more
precisely, certificate lineages) you have previously obtained if they are
close to expiry, and print a summary of the results. By default, 'renew'
will reuse the options used to create obtain or most recently successfully
renew each certificate lineage. You can try it with `--dry-run` first. For
more fine-grained control, you can renew individual lineages with the
`certonly` subcommand. Hooks are available to run commands before and
after renewal; see https://certbot.eff.org/docs/using.html#renewal for
more information on these.
--pre-hook PRE_HOOK Command to be run in a shell before obtaining any
certificates. Intended primarily for renewal, where it
can be used to temporarily shut down a webserver that
might conflict with the standalone plugin. This will
only be called if a certificate is actually to be
obtained/renewed. When renewing several certificates
that have identical pre-hooks, only the first will be
executed. (default: None)
--post-hook POST_HOOK
Command to be run in a shell after attempting to
obtain/renew certificates. Can be used to deploy
renewed certificates, or to restart any servers that
were stopped by --pre-hook. This is only run if an
attempt was made to obtain/renew a certificate. If
multiple renewed certificates have identical post-
hooks, only one will be run. (default: None)
--renew-hook RENEW_HOOK
Command to be run in a shell once for each
successfully renewed certificate. For this command,
the shell variable $RENEWED_LINEAGE will point to the
config live subdirectory containing the new certs and
keys; the shell variable $RENEWED_DOMAINS will contain
a space-delimited list of renewed cert domains
(default: None)
--disable-hook-validation
Ordinarily the commands specified for --pre-hook
/--post-hook/--renew-hook will be checked for
validity, to see if the programs being run are in the
$PATH, so that mistakes can be caught early, even when
the hooks aren't being run just yet. The validation is
rather simplistic and fails if you use more advanced
shell constructs, so you can use this switch to
disable it. (default: False)
certificates:
列出由Certbot管理的所有證書信息
delete:
用於刪除證書的選項
revoke:
用於撤銷證書的選項
--reason {keycompromise,affiliationchanged,superseded,unspecified,cessationofoperation}
Specify reason for revoking certificate. (default: 0)
register:
用於賬戶注冊和更新的選項
--register-unsafely-without-email
Specifying this flag enables registering an account
with no email address. This is strongly discouraged,
because in the event of key loss or account compromise
you will irrevocably lose access to your account. You
will also be unable to receive notice about impending
expiration or revocation of your certificates. Updates
to the Subscriber Agreement will still affect you, and
will be effective 14 days after posting an update to
the web site. (default: False)
--update-registration
With the register verb, indicates that details
associated with an existing registration, such as the
e-mail address, should be updated, rather than
registering a new account. (default: False)
-m EMAIL, --email EMAIL
Email used for registration and recovery contact.
(default: Ask)
--eff-email Share your e-mail address with EFF (default: None)
--no-eff-email Don't share your e-mail address with EFF (default:
None)
unregister:
用於注銷賬戶的選項
--account 賬戶ID 需要注銷的賬戶ID (默認: 無)
install:
用於修改證書部署路徑的選項
--fullchain-path 完整鑰匙鏈的路徑
Accompanying path to a full certificate chain (cert
plus chain). (default: None)
config_changes:
Options for controlling which changes are displayed
--num NUM How many past revisions you want to be displayed
(default: None)
rollback:
Options for rolling back server configuration changes
--checkpoints N Revert configuration N number of checkpoints.
(default: 1)
plugins:
Options for for the "plugins" subcommand
--init Initialize plugins. (default: False)
--prepare Initialize and prepare plugins. (default: False)
--authenticators Limit to authenticator plugins only. (default: None)
--installers Limit to installer plugins only. (default: None)
update_symlinks:
Recreates cert and key symlinks in /etc/letsencrypt/live, if you changed
them by hand or edited a renewal configuration file
plugins:
Plugin Selection: Certbot client supports an extensible plugins
architecture. See 'certbot plugins' for a list of all installed plugins
and their names. You can force a particular plugin by setting options
provided below. Running --help <plugin_name> will list flags specific to
that plugin.
--configurator CONFIGURATOR
Name of the plugin that is both an authenticator and
an installer. Should not be used together with
--authenticator or --installer. (default: Ask)
-a AUTHENTICATOR, --authenticator AUTHENTICATOR
Authenticator plugin name. (default: None)
-i INSTALLER, --installer INSTALLER
Installer plugin name (also used to find domains).
(default: None)
--apache Obtain and install certs using Apache (default: False)
--nginx Obtain and install certs using Nginx (default: False)
--standalone 運行一個獨立的網頁服務器用於獲取證書。(默認: False)
--manual Provide laborious manual instructions for obtaining a
cert (default: False)
--webroot 把身份認證文件放置在服務器的網頁根目錄下用於獲取證書。
(默認: False)
nginx:
Nginx網頁服務器插件 - Alpha版本
--nginx-server-root NGINX_SERVER_ROOT
Nginx server root directory. (default: /etc/nginx)
--nginx-ctl NGINX_CTL
Path to the 'nginx' binary, used for 'configtest' and
retrieving nginx version number. (default: nginx)
standalone:
啟動一個臨時的網頁服務器
manual:
Authenticate through manual configuration or custom shell scripts. When
using shell scripts, an authenticator script must be provided. The
environment variables available to this script are $CERTBOT_DOMAIN which
contains the domain being authenticated, $CERTBOT_VALIDATION which is the
validation string, and $CERTBOT_TOKEN which is the filename of the
resource requested when performing an HTTP-01 challenge. An additional
cleanup script can also be provided and can use the additional variable
$CERTBOT_AUTH_OUTPUT which contains the stdout output from the auth
script.
--manual-auth-hook MANUAL_AUTH_HOOK
Path or command to execute for the authentication
script (default: None)
--manual-cleanup-hook MANUAL_CLEANUP_HOOK
Path or command to execute for the cleanup script
(default: None)
--manual-public-ip-logging-ok
Automatically allows public IP logging (default: Ask)
webroot:
Place files in webroot directory
--webroot-path WEBROOT_PATH, -w WEBROOT_PATH
public_html / webroot path. This can be specified
multiple times to handle different domains; each
domain will have the webroot path that preceded it.
For instance: `-w /var/www/example -d example.com -d
www.example.com -w /var/www/thing -d thing.net -d
m.thing.net` (default: Ask)
--webroot-map WEBROOT_MAP
JSON dictionary mapping domains to webroot paths; this
implies -d for each entry. You may need to escape this
from your shell. E.g.: --webroot-map
'{"eg1.is,m.eg1.is":"/www/eg1/", "eg2.is":"/www/eg2"}'
This option is merged with, but takes precedence over,
-w / -d entries. At present, if you put webroot-map in
a config file, it needs to be on a single line, like:
webroot-map = {"example.com":"/var/www"}. (default:
{})
apache:
Apache網頁服務器插件 - Beta版本
--apache-enmod APACHE_ENMOD
Path to the Apache 'a2enmod' binary. (default:
a2enmod)
--apache-dismod APACHE_DISMOD
Path to the Apache 'a2dismod' binary. (default:
a2dismod)
--apache-le-vhost-ext APACHE_LE_VHOST_EXT
SSL vhost configuration extension. (default: -le-
ssl.conf)
--apache-server-root APACHE_SERVER_ROOT
Apache server root directory. (default: /etc/apache2)
--apache-vhost-root APACHE_VHOST_ROOT
Apache server VirtualHost configuration root (default:
/etc/apache2/sites-available)
--apache-logs-root APACHE_LOGS_ROOT
Apache server logs directory (default:
/var/log/apache2)
--apache-challenge-location APACHE_CHALLENGE_LOCATION
Directory path for challenge configuration. (default:
/etc/apache2)
--apache-handle-modules APACHE_HANDLE_MODULES
Let installer handle enabling required modules for
you.(Only Ubuntu/Debian currently) (default: True)
--apache-handle-sites APACHE_HANDLE_SITES
Let installer handle enabling sites for you.(Only
Ubuntu/Debian currently) (default: True)