Installing letscertbot on Linux to generate domain certificates
1. Download and install certbot
- certbot documentation: https://certbot.eff.org/docs/install.html
1.1. Install certbot with snap
- Officially recommended as of 2020-08-25; good compatibility, and it does not depend on the distribution's packages
- Installing snap: https://snapcraft.io/docs/installing-snapd
- Pick the matching environment: https://certbot.eff.org/instructions?ws=nginx&os=ubuntubionic
# install snap (JumpServer will raise an alert for this)
apt install snapd
# remove any certbot installed by other means
sudo apt-get remove certbot
sudo dnf remove certbot
sudo yum remove certbot
# install snap
sudo snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/
certbot --version
# the following output means the install succeeded
------------------------
root@zuiyoujie:/opt# certbot --version
certbot 1.7.0
------------------------
1.2. Install certbot with the certbot-auto script
- Often fails
# get certbot install scripts
cd /opt/scripts
mkdir -p certbot-auto
wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto
/usr/local/bin/certbot-auto --help
# import certbot key
wget -N https://dl.eff.org/certbot-auto.asc
gpg2 --keyserver pool.sks-keyservers.net --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc /usr/local/bin/certbot-auto
# Example run:
----------------------------------
root@zuiyoujie:/opt/scripts/certbot# gpg2 --keyserver pool.sks-keyservers.net --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: key 4D17C995CD9775F2: 7 signatures not checked due to missing keys
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4D17C995CD9775F2: public key "Let's Encrypt Client Team <letsencrypt-client@eff.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
root@zuiyoujie:/opt/scripts/certbot-auto# gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc /usr/local/bin/certbot-auto
gpg: Signature made Wed 05 Aug 2020 02:33:02 AM CST
gpg: using RSA key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg: key 4D17C995CD9775F2 marked as ultimately trusted
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2027-11-22
gpg: Good signature from "Let's Encrypt Client Team <letsencrypt-client@eff.org>" [ultimate] # this line means the script is verified and can be used
-----------------------------------
# install certbot
/usr/local/bin/certbot-auto
# the last step builds a Python virtual environment; it is slow, and on a host with little memory it fails with:
internal compiler error: Killed (program cc1)
# work around it by adding swap space:
sudo fallocate -l 1G /tmp/swapfile
sudo chmod 600 /tmp/swapfile
sudo mkswap /tmp/swapfile
sudo swapon /tmp/swapfile
# remove the swap space afterwards
sudo swapoff /tmp/swapfile
sudo rm /tmp/swapfile
1.3. Install certbot in a container
sudo docker run -it --rm --name certbot \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
certbot/certbot certonly
1.4. Install certbot with apt
# add PPA
sudo apt-get install software-properties-common -y
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
# install certbot
sudo apt-get install certbot python3-certbot-nginx
certbot --version
# for Apache, install this plugin instead
sudo apt-get install python-certbot-apache
2. Download and install letscertbot
cd /opt/scripts
git clone https://github.com/jinhucheung/letscertbot.git
# set the AK/SK (access key ID and secret)
cd letscertbot
cp config.json.example config.json
vim config.json
--------
your_email=
your_access_key_id=
your_access_key_secret=
--------
sed -i "s#your_email#$your_email#g" config.json
sed -i "s#your_access_key_id#$your_access_key_id#g" config.json
sed -i "s#your_access_key_secret#$your_access_key_secret#g" config.json
grep email config.json
grep access_key_id config.json
grep access_key_secret config.json
3. Test the DNS API configuration
- Check that the Aliyun DNS records can be modified through the API
cd /opt/scripts/letscertbot
sudo python ./bin/manual.py --test --domain letscertbot.zuiyoujie.com --dns aliyun
---------------- correct output ----------------- certificates can be generated
root@zuiyoujie:/opt/scripts/letscertbot# sudo python ./bin/manual.py --test --domain letscertbot.zuiyoujie.com --dns aliyun
start to test letscertbot.zuiyoujie.com in DNS aliyun API
add TXT record(domain=zuiyoujie.com, rr=_acme-challenge.letscertbot, value=uJqSmGygc6iH3ApZ) to aliyun DNS
added TXT record
waiting 20 seconds...
remove above TXT record
removed TXT record
tested letscertbot.zuiyoujie.com in DNS aliyun API
-----------------------------------------------------
------------------ error output ----------- the AK/SK lacks the permissions needed to add the record
root@zuiyoujie:/opt/scripts/letscertbot# sudo python ./bin/manual.py --test --domain letscertbot.zuiyoujie.com --dns aliyun
start to test letscertbot.zuiyoujie.com in DNS aliyun API
add TXT record(domain=zuiyoujie.com, rr=_acme-challenge.letscertbot, value=juXeSRP9mfC14Dop) to aliyun DNS
ERROR:logger:aliyun#__request raise urllib2.HTTPError: HTTP Error 400: Bad Request
HTTP Error 400: Bad Request
--------------------------------------------
4. Generate the domain certificate
# directory of generated certificates (symlinks)
ll /etc/letsencrypt/live/
# directory of the actual certificate files
ll /etc/letsencrypt/archive/
python ./bin/obtain.py -d www.zuiyoujie.com --cert www.zuiyoujie.com
python ./bin/obtain.py -d *.zuiyoujie.com --cert all.zuiyoujie.com
python ./bin/obtain.py -d *.39sky.com --cert all.39sky.com
python ./bin/obtain.py -d *.zuiyoujie.com --cert all.zuiyoujie.com --dns aliyun --challenge-alias _acme-challenge.zuiyoujie.com
-d specifies the domain to request the certificate for
--cert specifies the name used for the generated certificate files
- Example run
-----------------------------------
root@zuiyoujie:/opt/scripts/letscertbot# python ./bin/obtain.py -d *.zuiyoujie.com --cert all.zuiyoujie.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for zuiyoujie.com
Running manual-auth-hook command: python /opt/scripts/letscertbot/bin/../bin/manual.py --auth --dns aliyun
Waiting for verification...
Cleaning up challenges
Running manual-cleanup-hook command: python /opt/scripts/letscertbot/bin/../bin/manual.py --cleanup --dns aliyun
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/all.zuiyoujie.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/all.zuiyoujie.com/privkey.pem
Your cert will expire on 2020-11-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@zuiyoujie:/opt/scripts/letscertbot# ll /etc/letsencrypt/live/
total 20
drwx------ 4 root root 4096 Aug 25 15:36 ./
drwxr-xr-x 9 root root 4096 Aug 25 15:36 ../
drwxr-xr-x 2 root root 4096 Aug 25 15:34 all.39sky.com/
drwxr-xr-x 2 root root 4096 Aug 25 15:36 all.zuiyoujie.com/
-rw-r--r-- 1 root root 740 Aug 25 15:34 README
root@zuiyoujie:/opt/scripts/letscertbot# tree /etc/letsencrypt/live/
/etc/letsencrypt/live/
├── all.39sky.com
│ ├── cert.pem -> ../../archive/all.39sky.com/cert1.pem
│ ├── chain.pem -> ../../archive/all.39sky.com/chain1.pem
│ ├── fullchain.pem -> ../../archive/all.39sky.com/fullchain1.pem
│ ├── privkey.pem -> ../../archive/all.39sky.com/privkey1.pem
│ └── README
├── all.zuiyoujie.com
│ ├── cert.pem -> ../../archive/all.zuiyoujie.com/cert1.pem
│ ├── chain.pem -> ../../archive/all.zuiyoujie.com/chain1.pem
│ ├── fullchain.pem -> ../../archive/all.zuiyoujie.com/fullchain1.pem
│ ├── privkey.pem -> ../../archive/all.zuiyoujie.com/privkey1.pem
│ └── README
└── README
2 directories, 11 files
root@zuiyoujie:/etc/letsencrypt/archive/all.39sky.com# ll
total 24
drwxr-xr-x 2 root root 4096 Aug 25 15:34 ./
drwx------ 4 root root 4096 Aug 25 15:36 ../
-rw-r--r-- 1 root root 1899 Aug 25 15:34 cert1.pem
-rw-r--r-- 1 root root 1647 Aug 25 15:34 chain1.pem
-rw-r--r-- 1 root root 3546 Aug 25 15:34 fullchain1.pem
-rw------- 1 root root 1704 Aug 25 15:34 privkey1.pem
--------------------------------------------
# the files in the certificate directory
cert1.pem # server (leaf) certificate, goes first
chain1.pem # CA (intermediate) certificates, placed after the server certificate; if there are several, concatenate them from the lowest level upwards
fullchain1.pem # the merged certificate, ready to use directly
privkey1.pem # private key
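As an added example (not from the original post or from letscertbot), the following Python checks the layout described above offline: every certificate in a bundle must be issued by the one after it, and fullchain.pem must be exactly cert.pem followed by chain.pem. The `fake_cert` builder produces constructed, unsigned stand-ins for testing only; on a real host, pass in the contents of /etc/letsencrypt/live/<name>/cert.pem, chain.pem and fullchain.pem.

```python
import base64
import re
# Added example (not from the post or letscertbot): offline checks for /etc/letsencrypt/live/<name>/*.pem
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_pem(bundle: str) -> list:
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(bundle)]

def der_children(buf: bytes) -> list:
    """(tag, value) of each DER element in buf: a whole file or a SEQUENCE/SET body."""
    out, off = [], 0
    while off < len(buf):
        tag, ln, off = buf[off], buf[off + 1], off + 2
        if ln & 0x80:  # long form: the low 7 bits give the number of length bytes
            n = ln & 0x7F
            ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
        out.append((tag, buf[off:off + ln]))
        off += ln
    return out

def cert_names(der_cert: bytes):
    """(issuer, subject) of an X.509 cert; tbs = [0]version? serial sigAlg issuer validity subject ..."""
    fields = der_children(der_children(der_children(der_cert)[0][1])[0][1])
    if fields[0][0] == 0xA0:  # the explicit [0] version element is absent in v1 certs
        fields = fields[1:]
    return fields[2][1], fields[4][1]

def chain_problems(bundle: str) -> list:
    """Cert i must be issued by cert i+1; byte-equal Name encodings are the RFC 5280 match rule."""
    names = [cert_names(d) for d in split_pem(bundle)]
    return [f"cert {i} is not issued by cert {i + 1}: wrong order or missing intermediate"
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

def fullchain_matches(cert_pem: str, chain_pem: str, fullchain_pem: str) -> bool:
    """fullchain.pem must be exactly cert.pem followed by chain.pem (leaf first)."""
    return split_pem(fullchain_pem) == split_pem(cert_pem) + split_pem(chain_pem)

def der(tag: int, payload: bytes) -> bytes:
    """Encode one definite-length DER element (test-data helper)."""
    n, nb = len(payload), (len(payload).bit_length() + 7) // 8
    return bytes([tag, n] if n < 0x80 else [tag, 0x80 | nb, *n.to_bytes(nb, "big")]) + payload

def fake_cert(subject: str, issuer: str) -> str:
    """Constructed, unsigned stand-in with tbsCertificate's real field order (test data only)."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(issuer)
              + der(0x30, der(0x17, b"200825000000Z") * 2) + name(subject) + der(0x30, alg))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der(0x30, tbs + alg + der(0x03, b"\x00"))).decode()
```

A non-empty result from `chain_problems` on fullchain.pem means a server configured with it would send an out-of-order or incomplete chain; the private key is never read by these checks.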
10. References
Author: 天生帅才 www.zuiyoujie.com
The copyright of this article is shared by the author and cnblogs (博客园). If you found it useful, tips are welcome; thanks for your support, and reposting is welcome.