用Certbot自动获取https证书

本文最后更新于:2023年10月16日 下午


Let’s Encrypt

Let’s Encrypt 是一家全球性的证书颁发机构(CA),作为一个非营利性组织,它的任务是通过推广 HTTPS 来创建一个更加安全和尊重隐私的 Web 环境。Let’s Encrypt 提供了免费的 SSL 证书供每个人使用。

Let’s Encrypt 使用自动化证书管理环境(ACME)协议来验证域名控制权以及颁发证书,使用 Certbot 首次连接 Let’s Encrypt 服务器时会要求输入邮箱等信息来自动创建账户,帐户 ID 可以在 /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/<ID> 路径中找到,如果在使用中遇到问题,可以提供账户 ID 信息进行反馈。

SSL证书类型

目前主流的 SSL 证书有以下三种:

  • 域名验证型(DV)证书:通过验证域名所有权即可签发证书,只验证网站域名所有权,适合个人和小微企业申请,能起到加密传输的作用,但是证书中无法显示企业信息。
  • 组织验证型(OV)证书:通过验证域名所有权和申请企业的真实身份信息才能签发证书,适合中型企业和互联网业务申请,能通过证书查看到企业相关信息。
  • 扩展验证型(EV)证书:在 OV 证书的基础上额外验证企业的其他相关信息,比如 GoDaddy 会在在授予企业 EV 证书前验证企业是否符合以下条件:已合法注册、目前正常运营、位于所列地址、所列电话号码有效、拥有网站域名。多使用于银行、金融、证券、支付等高安全标准行业。

Let’s Encrypt 提供的是域名验证型(DV)证书,不提供组织验证型(OV)或扩展验证型(EV)证书。

Certbot安装流程

Let’s Encrypt 官方推荐使用 Cerbot 来自动执行证书的颁发和安装,Cerbot 团队建议大多数用户通过 snap 这个包管理工具来安装 Certbot,以避免其他包管理系统上发行的 Cerbot 因为未及时更新而存在问题。因此 Certbot 的安装分为两步:

  1. 安装 snap;
  2. 通过 snap 安装 Certbot。

如果使用的是其他 Linux 发行版可以查阅 certbot instructions

下面简单介绍下 Certbot 在 CentOS 7 和 Denian 系统下的安装流程。

安装snap

CentOS 7

CentOS 7 下 snap 的安装过程参考自官方教程:Installing snap on CentOS

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# 将EPEL扩展库添加到CentOS 7
$ yum install epel-release

# 安装snapd
$ yum install snapd

# 启用snapd.socket
$ systemctl enable --now snapd.socket

# 创建软链接,用来启用classic snap支持
$ ln -s /var/lib/snapd/snap /snap

# 确保snapd版本是最新的
$ snap install core
$ snap refresh core

# 移除yum上的certbot,进一步确保certbot是通过snap安装的
$ yum remove certbot

Debian

Debian 下可以直接通过 apt 安装 snap

1
2
3
4
$ apt update
$ apt install snapd
$ snap install core
$ snap refresh core

安装Certbot

1
2
3
4
5
# 安装Certbot
$ snap install --classic certbot

# 创建软链接,使certbot命令可以正常使用
$ ln -s /snap/bin/certbot /usr/bin/certbot
  1. 访问网站,验证是否启用 HTTPS:

使用Certbot

Certbot 提供了两个功能:

  1. 获取证书:自动验证对域名的控制,将证书保存到 /etc/letsencrypt/live/ 并定期更新。
  2. 安装证书:通过自动修改服务器的配置,将该证书安装到受支持的 Web 服务器(如 Apache 或 Nginx)和其他类型的服务器。

申请证书时常见的两种场景:

  1. 为每个域名申请独立的证书:Nginx 中配置了一个或多个域名,为每个域名(包括子域名)申请独立的证书并启用 HTTPS;
  2. 主域名和多个子域名共用同一个通配符证书:Nginx 中除了主域名还配置了多个子域名,比如 sannaha.moewatermelonrank.sannaha.moebigwatermelon.sannaha.moe,申请一个通配符证书可以用于所有子域名。

独立证书

申请独立证书

Certbot 可以读取 Nginx 配置,列出这些域名并让用户选择为哪些域名申请证书。这里为 sannaha.moethinklong.me 两个域名分别申请证书:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
# 为运行在Nginx上的网站配置HTTPS
# 申请后Certbot会自动修改Nginx配置,建议在使用该命令前备份Nginx配置文件
$ certbot --nginx
# 首次访问Let’s Encrypt服务器时需要根据提示创建账户
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): <email@sannaha.moe>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.

# 选择要申请证书的域名
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: sannaha.moe
2: thinklong.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Requesting a certificate for sannaha.moe and thinklong.me

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/sannaha.moe/fullchain.pem
Key is saved at: /etc/letsencrypt/live/sannaha.moe/privkey.pem
This certificate expires on 2023-02-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for sannaha.moe to /etc/nginx/conf.d/sannaha.conf
Successfully deployed certificate for thinklong.me to /etc/nginx/conf.d/thinklong.conf
Congratulations! You have successfully enabled HTTPS on https://sannaha.moe and https://thinklong.me

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Nginx配置改动

申请后 Certbot 会自动对 Nginx 配置进行修改:配置 SSL 证书路径、添加对 443 端口的监听、将 80 端口的访问请求 301 重定向到 HTTPS:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
server {
server_name sannaha.moe;
root /home/git/www/hexo/;
index index.html;
error_page 404 =301 https://sannaha.moe;

- listen 80 default_server;
- listen [::]:80 default_server;
+ listen [::]:443 ssl; # managed by Certbot
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/sannaha.moe/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/sannaha.moe/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

+ server {
+ if ($host = sannaha.moe) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+ server_name sannaha.moe;
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ return 404; # managed by Certbot
+ }

通配符证书

通配符证书的使用过程要麻烦一些,需要根据域名选用的 DNS 提供商安装对应的 DNS 插件,授权 Certbot 访问 DNS 提供商,验证对域名的控制权。

安装DNS插件

Certbot 支持的 DNS 插件列表可以查阅 dns-plugins 。比如 DNS 提供商是 cloudflare,需要安装 certbot-dns-cloudflare

1
$ snap install certbot-dns-cloudflare

获取token

访问 cloudflare 控制台 获取 token。出于安全考虑,建议不要使用秘钥,而是为 Certbot 创建单独的 API 令牌。

  1. 创建 API 令牌

  2. 选择 API 令牌模板为“编辑区域 DNS”

  3. 填写令牌信息,选择要管理的域名

  4. 确认摘要信息

  5. 创建成功

创建凭据文件

Certbot 是通过 ini 凭据文件读取 token 的,因此需要编写一个下面这样的文件:

/root/cf.ini

1
2
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567

修改凭据文件的权限,限制其他用户的访问:

1
2
3
# 限制其他用户对凭据文件的访问
# 如果Certbot检测到凭据文件可以被其他用户访问,它会显示警告信息
$ chmod 600 /root/cf.ini

申请通配符证书

申请通配符证书但不安装(不修改 Nginx 配置),填写 cloudflare 凭据文件路径,指定申请的域名:

1
2
3
4
5
6
7
8
9
10
  certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /root/cf.ini \
-d sannaha.moe \
-d *.sannaha.moe


Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/sannaha.moe/fullchain.pem
Key is saved at: /etc/letsencrypt/live/sannaha.moe/privkey.pem
1
2
3
4
5
certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /root/21535.xyz.cf.ini \
-d *.215315.xyz

修改Nginx配置

申请到证书后需要手动修改 Nginx 配置,修改内容可以参考上面的 Nginx配置改动 ,多个子域名共用刚才申请到的同一个证书。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# Game
server {
server_name bigwatermelon.sannaha.moe;
root /data/website/bigwatermelon/;
index index.html;

listen [::]:443 ssl;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/sannaha.moe/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sannaha.moe/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
error_page 404 =301 https://bigwatermelon.sannaha.moe;
}

server {
server_name bigwaterlemon.sannaha.moe prpr.sannaha.moe;
listen [::]:443 ssl;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/sannaha.moe/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sannaha.moe/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
return 301 https://bigwatermelon.sannaha.moe$request_uri;
}

server {
server_name bigwatermelon.sannaha.moe bigwaterlemon.sannaha.moe prpr.sannaha.moe;
listen 80;
listen [::]:80;
return 301 https://bigwatermelon.sannaha.moe$request_uri;
}

# Rank
server {
server_name watermelonrank.sannaha.moe;
root /data/website/watermelonrank/;
index index.html;

listen [::]:443 ssl;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/sannaha.moe/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sannaha.moe/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
error_page 404 =301 https://watermelonrank.sannaha.moe;
}

server {
server_name watermelon.sannaha.moe;
listen [::]:443 ssl;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/sannaha.moe/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sannaha.moe/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
return 301 https://watermelonrank.sannaha.moe$request_uri;
}

server {
server_name watermelonrank.sannaha.moe watermelon.sannaha.moe;
listen 80;
listen [::]:80;
return 301 https://watermelonrank.sannaha.moe$request_uri;
}

管理证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# 显示从Certbot获得的证书的信息
$ certbot certificates

# 撤销证书
$ certbot revoke --cert-name sannaha.moe

# 在不保存任何证书的情况下测试证书续订功能
$ certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sannaha.moe.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for sannaha.moe and *.sannaha.moe
Waiting 10 seconds for DNS changes to propagate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/thinklong.me.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for thinklong.me

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/sannaha.moe/fullchain.pem (success)
/etc/letsencrypt/live/thinklong.me/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

常用参数说明

certbot 命令详见:certbot-commands

1
2
3
4
5
6
7
8
# 获取证书,并安装
$ certbot

# certonly:只申请证书,不安装
$ certbot certonly

# -d:指定域名
$ certbot --nginx -d sannaha.moe -d thinklong.me

常见问题

启用HTTPS后无法打开网站

  1. 检查服务器防火墙 443 端口是否打开。
  2. 查看服务器端口能否被外部访问 open-ports

无法安装DNS插件

在 Debian 11 上安装 DNS 插件时报错,按照提示操作即可:

1
2
3
4
5
6
7
8
9
10
11
$ snap install certbot-dns-cloudflare
error: cannot perform the following tasks:
- Run hook prepare-plug-plugin of snap "certbot" (run hook "prepare-plug-plugin":
-----
Only connect this interface if you trust the plugin author to have root on the system.
Run `snap set certbot trust-plugin-with-root=ok` to acknowledge this and then run this command again to perform the connection.
If that doesn't work, you may need to remove all certbot-dns-* plugins from the system, then try installing the certbot snap again.
-----)
$ snap set certbot trust-plugin-with-root=ok
$ snap install certbot-dns-cloudflare
certbot-dns-cloudflare 1.32.2 from Certbot Project (certbot-eff✓) installed

References


用Certbot自动获取https证书
https://baymax55.github.io/2023/08/10/other/用Certbot自动获取https证书/
作者
baymax55
发布于
2023年8月10日
许可协议