linux下安装letscertbot生成域名证书

linux下安装letscertbot生成域名证书

1.下载安装 certbot

1.1.使用 snap 方式安装certbot

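# Install snapd (jumpserver will raise an alert for this). Every step in this
# section needs root, so sudo is used consistently rather than only on some lines.
sudo apt install snapd

# Remove any certbot installed through a distro package manager so that the snap
# is the only copy on PATH; only the command matching this distro will succeed.
sudo apt-get remove certbot
sudo dnf remove certbot
sudo yum remove certbot

# install snap
sudo snap install --classic certbot
# Explicit link name, and -f so a stale link from an earlier install is replaced
# instead of making ln fail.
sudo ln -sf /snap/bin/certbot /usr/bin/certbot
certbot --version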

# 出现以下返回即可
------------------------
root@zuiyoujie:/opt# certbot --version
certbot 1.7.0
------------------------

1.2.使用脚本自动安装 certbot

  • 不容易成功
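# get certbot install scripts
# NOTE(review): certbot-auto has since been deprecated upstream in favour of the
# snap package (section 1.1); keep this path only for hosts without snap.
cd /opt/scripts
mkdir -p certbot-auto
cd certbot-auto
# Download the script and its detached signature into the working directory.
# Nothing is copied into /usr/local/bin or executed until the signature checks out.
wget -N https://dl.eff.org/certbot-auto
wget -N https://dl.eff.org/certbot-auto.asc

# import certbot key
# pool.sks-keyservers.net has since been shut down; if --recv-key fails, use
# another keyserver such as keys.openpgp.org. Compare the fingerprint gpg prints
# with the one EFF publishes before relying on the key.
gpg2 --keyserver pool.sks-keyservers.net --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2

# Verify first, install only on a good signature. install(1) sets owner and mode
# in one step (same result as the former chown root + chmod 0755).
if gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc certbot-auto; then
  install -o root -m 0755 certbot-auto /usr/local/bin/certbot-auto
  /usr/local/bin/certbot-auto --help
else
  printf '%s\n' "certbot-auto signature verification FAILED; not installing it" >&2
fi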

# 实例演示:
----------------------------------
root@zuiyoujie:/opt/scripts/certbot# gpg2 --keyserver pool.sks-keyservers.net --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: key 4D17C995CD9775F2: 7 signatures not checked due to missing keys
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4D17C995CD9775F2: public key "Let's Encrypt Client Team <letsencrypt-client@eff.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

root@zuiyoujie:/opt/scripts/certbot-auto# gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc /usr/local/bin/certbot-auto
gpg: Signature made Wed 05 Aug 2020 02:33:02 AM CST
gpg:                using RSA key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg: key 4D17C995CD9775F2 marked as ultimately trusted
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2027-11-22
gpg: Good signature from "Let's Encrypt Client Team <letsencrypt-client@eff.org>" [ultimate]            #  出现这个信息表示可以正常使用
-----------------------------------

# install certbot
# Runs the bootstrap script that was signature-verified above; its last step
# builds a Python virtualenv, which is slow and memory-hungry (see below).
/usr/local/bin/certbot-auto

# 最后一步是创建 python 虚拟环境,比较耗时,且如果主机内存较小会报错
internal compiler error: Killed (program cc1)

# Work around the OOM kill by adding a temporary 1 GiB swap file.
# NOTE(review): this only helps when /tmp is on a disk-backed filesystem; on a
# tmpfs /tmp the file itself lives in RAM — TODO confirm on the target host, or
# place the file under / instead.
sudo fallocate -l 1G /tmp/swapfile
# 0600 so other local users cannot read swapped-out memory contents.
sudo chmod 600 /tmp/swapfile
sudo mkswap /tmp/swapfile
sudo swapon /tmp/swapfile

# Remove the temporary swap once certbot-auto has finished.
sudo swapoff /tmp/swapfile
sudo rm /tmp/swapfile

1.3.容器安装 certbot

# Run certbot from the official image instead of installing it on the host.
# The two bind mounts keep the certificates (/etc/letsencrypt) and certbot's
# working state (/var/lib/letsencrypt) on the host; --rm discards the container
# afterwards. certonly obtains a certificate without installing it into a web server.
sudo docker run -it --rm --name certbot \
            -v "/etc/letsencrypt:/etc/letsencrypt" \
            -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
            certbot/certbot certonly

1.4.apt 安装 certbot

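# add PPA
# NOTE(review): the certbot PPA has since been marked deprecated upstream; on
# current Ubuntu releases prefer the snap (section 1.1) or the distro package.
sudo apt-get install software-properties-common -y
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

# install certbot
sudo apt-get install certbot python3-certbot-nginx
certbot --version

# Apache plugin: the python3- package name matches the nginx plugin above
# (the python- name is the legacy Python 2 package).
sudo apt-get install python3-certbot-apache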

2.下载安装 letscertbot

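cd /opt/scripts
git clone https://github.com/jinhucheung/letscertbot.git

## edit the access key / secret (aksk)
cd letscertbot
cp config.json.example config.json
# config.json will hold the DNS API access key and secret: restrict it to the
# owner before the credentials go in.
chmod 600 config.json
vim config.json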
--------
your_email=
your_access_key_id=
your_access_key_secret=
--------

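# Abort if any of the three variables is unset or empty; otherwise sed would
# silently replace the placeholder with nothing. A value containing '#', '&'
# or '\' would break these sed expressions — enter such values in vim instead.
: "${your_email:?set your_email first}"
: "${your_access_key_id:?set your_access_key_id first}"
: "${your_access_key_secret:?set your_access_key_secret first}"
sed -i "s#your_email#$your_email#g" config.json
sed -i "s#your_access_key_id#$your_access_key_id#g" config.json
sed -i "s#your_access_key_secret#$your_access_key_secret#g" config.json

# Sanity-check the result; note this prints the credentials to the terminal.
grep email config.json
grep access_key_id config.json
grep access_key_secret config.json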

3.检测 DNS 的 API 配置

  • 测试是否可以正常修改阿里云的DNS解析配置
# Dry run: adds and then removes a TXT record through the aliyun DNS API to
# confirm the access key in config.json may modify the zone (a 400 here means
# the key lacks permission; no certificate is requested).
cd /opt/scripts/letscertbot
sudo python ./bin/manual.py --test --domain letscertbot.zuiyoujie.com --dns aliyun

---------------- 正确的返回----------------- 可以正常生成证书
root@zuiyoujie:/opt/scripts/letscertbot# sudo python ./bin/manual.py --test --domain letscertbot.zuiyoujie.com --dns aliyun
start to test letscertbot.zuiyoujie.com in DNS aliyun API
add TXT record(domain=zuiyoujie.com, rr=_acme-challenge.letscertbot, value=uJqSmGygc6iH3ApZ) to aliyun DNS
added TXT record
waiting 20 seconds...
remove above TXT record
removed TXT record
tested letscertbot.zuiyoujie.com in DNS aliyun API
-----------------------------------------------------

------------------  错误的返回 ----------- AKSK 配置的权限有问题，无法正确添加解析记录
root@zuiyoujie:/opt/scripts/letscertbot# sudo python ./bin/manual.py --test --domain letscertbot.zuiyoujie.com --dns aliyun
start to test letscertbot.zuiyoujie.com in DNS aliyun API
add TXT record(domain=zuiyoujie.com, rr=_acme-challenge.letscertbot, value=juXeSRP9mfC14Dop) to aliyun DNS
ERROR:logger:aliyun#__request raise urllib2.HTTPError: HTTP Error 400: Bad Request
HTTP Error 400: Bad Request
--------------------------------------------

4.生成域名证书

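# Certificate output directory: symlinks into archive/. (ll is an interactive
# alias; ls -alF is the equivalent that also works in a script.)
ls -alF /etc/letsencrypt/live/

# Directory holding the actual certificate files
ls -alF /etc/letsencrypt/archive/

# -d: domain to request; --cert: name of the lineage under /etc/letsencrypt/live/.
# Wildcard domains are single-quoted so the shell cannot glob-expand
# '*.zuiyoujie.com' against files in the current directory.
python ./bin/obtain.py -d www.zuiyoujie.com --cert www.zuiyoujie.com
python ./bin/obtain.py -d '*.zuiyoujie.com' --cert all.zuiyoujie.com

python ./bin/obtain.py -d '*.39sky.com' --cert all.39sky.com

python ./bin/obtain.py -d '*.zuiyoujie.com' --cert all.zuiyoujie.com --dns aliyun --challenge-alias _acme-challenge.zuiyoujie.com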


-d 指定申请证书的域名
--cert 指定生成的证书文件的名称
  • 实例演示
-----------------------------------
root@zuiyoujie:/opt/scripts/letscertbot# python ./bin/obtain.py -d *.zuiyoujie.com --cert all.zuiyoujie.com                  
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for zuiyoujie.com
Running manual-auth-hook command: python /opt/scripts/letscertbot/bin/../bin/manual.py --auth --dns aliyun 
Waiting for verification...
Cleaning up challenges
Running manual-cleanup-hook command: python /opt/scripts/letscertbot/bin/../bin/manual.py --cleanup --dns aliyun 

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/all.zuiyoujie.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/all.zuiyoujie.com/privkey.pem
   Your cert will expire on 2020-11-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@zuiyoujie:/opt/scripts/letscertbot# ll /etc/letsencrypt/live/
total 20
drwx------ 4 root root 4096 Aug 25 15:36 ./
drwxr-xr-x 9 root root 4096 Aug 25 15:36 ../
drwxr-xr-x 2 root root 4096 Aug 25 15:34 all.39sky.com/
drwxr-xr-x 2 root root 4096 Aug 25 15:36 all.zuiyoujie.com/
-rw-r--r-- 1 root root  740 Aug 25 15:34 README

root@zuiyoujie:/opt/scripts/letscertbot# tree /etc/letsencrypt/live/
/etc/letsencrypt/live/
├── all.39sky.com
│   ├── cert.pem -> ../../archive/all.39sky.com/cert1.pem
│   ├── chain.pem -> ../../archive/all.39sky.com/chain1.pem
│   ├── fullchain.pem -> ../../archive/all.39sky.com/fullchain1.pem
│   ├── privkey.pem -> ../../archive/all.39sky.com/privkey1.pem
│   └── README
├── all.zuiyoujie.com
│   ├── cert.pem -> ../../archive/all.zuiyoujie.com/cert1.pem
│   ├── chain.pem -> ../../archive/all.zuiyoujie.com/chain1.pem
│   ├── fullchain.pem -> ../../archive/all.zuiyoujie.com/fullchain1.pem
│   ├── privkey.pem -> ../../archive/all.zuiyoujie.com/privkey1.pem
│   └── README
└── README

2 directories, 11 files

root@zuiyoujie:/etc/letsencrypt/archive/all.39sky.com# ll
total 24
drwxr-xr-x 2 root root 4096 Aug 25 15:34 ./
drwx------ 4 root root 4096 Aug 25 15:36 ../
-rw-r--r-- 1 root root 1899 Aug 25 15:34 cert1.pem
-rw-r--r-- 1 root root 1647 Aug 25 15:34 chain1.pem
-rw-r--r-- 1 root root 3546 Aug 25 15:34 fullchain1.pem
-rw------- 1 root root 1704 Aug 25 15:34 privkey1.pem
--------------------------------------------

# 证书目录下的各个文件
cert1.pem       # 服务器证书,在最上面
chain1.pem      # 机构证书,在服务器证书下面,有多个需要从小到大合并
fullchain1.pem  # 合并后的证书,可以直接使用的
privkey1.pem    # 私钥

10.参考地址
