Certbot-免费的HTTPS证书

一般的 SSL 安全证书签发服务都需要付费，且价格昂贵，不过为了加快推广 https 的普及， EEF 电子前哨基金会、 Mozilla 基金会和美国密歇根大学成立了一个公益组织叫 ISRG （ Internet Security Research Group ），这个组织从 2015 年开始推出了 Let’s Encrypt 免费证书。这个免费证书不仅免费，而且还相当好用，所以我们就可以利用 Let’s Encrypt 提供的免费证书部署 https 了

一、Ubuntu16.04 安装certbot

官网

apt-get update
# 添加存储库。
add-apt-repository ppa:certbot/certbot 
# 如果出现 add-apt-repository: command not found 执行
apt-get install software-properties-common
# 按ENTER接受。然后，更新包列表以获取新存储库的包信息。
apt-get update
# 最后，apt-get安装Certbot的Nginx软件包。
apt-get install python-certbot-nginx

二、生成SSL证书

申请或续费都需要空闲80端口来做验证，这里如果nginx监听了80端口，一定要关掉

执行 certbot certonly --nginx

root@plumvill-prod1:~# certbot certonly --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxxxx@qq.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: xxxxxx.com
2: xxxxxx-test.club
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): xxxxxx.com
** Error - Invalid selection **

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: xxxxxx.com
2: xxxxxx-test.club
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxxxx.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxxxxx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xxxxxx.com/privkey.pem
   Your cert will expire on 2021-09-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 - We were unable to subscribe you the EFF mailing list because your
   e-mail address appears to be invalid. You can try again later by
   visiting https://act.eff.org.
root@plumvill-prod1:~# 

生成的ssl证书文件存放在 /etc/letsencrypt/live/xxxxxx.com/

三、nginx配置

server{
    listen 443 ssl;
    # 域名，根据实际情况修改
    server_name xxxxx.com;
	# 公钥文件
    ssl_certificate /etc/letsencrypt/live/xxxxx.com/fullchain.pem;
    # 私钥文件
    ssl_certificate_key /etc/letsencrypt/live/xxxxx.com/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf; 
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        root   /data/project/motovill-admin/dist;
        index  index.html index.htm;
        try_files $uri $uri/ /index.html;

    }
}

四、自动续期（未测试）

1. 方式一

1. 创建renew-cert.sh

#!/bin/bash
# 停止nginx
nginx -s stop

# 续签
certbot-auto renew --force-renew

# 重启nginx
nginx -s reload

2. 给所有的用户添加执行 renew-cert.sh 这个文件的权限

chmod a+x renew-cert.sh

3. 自动更新https证书`

0 4 1 */2 * /data/renew-cert.sh >/data/crontab.log 2>&1

2. 方式二

1. 模拟自动续期，如果没问题，会重新生成证书

certbot renew --dry-run

2. 模拟成功后，我们可以用linux中的定时任务命令 crontab 来进行自动续期

crontab -e

3. 写入

30 3 * * * /usr/bin/certbot renew  >> /var/log/le-renew.log

五、添加新的域名

如果想要多个域名使用同一个ssl证书，可执行以下操作

# 会读取nginx 已使用的域名，并列出来
certbot certonly --nginx

root@plumvill-prod1:~# certbot certonly --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: xxxxxx.com
2: admin.xxxxxx.com
3: www.xxxxxx.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2 3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/xxxxxx.com.conf)

It contains these names: xxxxxx.com

You requested these names for the new certificate: xxxxxx.com,
admin.xxxxxx.com, www.xxxxxx.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin.xxxxxx.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxxxxx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xxxxxx.com/privkey.pem
   Your cert will expire on 2021-09-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@plumvill-prod1:/etc/letsencrypt/live# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: xxxxxx.com
    Domains: xxxxxx.com admin.xxxxxx.com www.xxxxxx.com
    Expiry Date: 2021-09-08 06:27:10+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/xxxxxx.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/xxxxxx.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

最后

以上就是自然心情为你收集整理的Certbot-免费的HTTPS证书Certbot-免费的HTTPS证书的全部内容，希望文章能够帮你解决Certbot-免费的HTTPS证书Certbot-免费的HTTPS证书所遇到的程序开发问题。

如果觉得靠谱客网站的内容还不错，欢迎将靠谱客网站推荐给程序员好友。