This tutorial uses the Certbot ACME client to request an SSL/TLS certificate from the CA Let's Encrypt. Log in to the CentOS 7 host over SSH; if you have not switched the yum repositories to a faster mirror yet, do that first, then follow the steps below.
Flow:
<install snap> -> <install Certbot> -> <have Certbot request the certificate from Let's Encrypt> -> <configure the issued certificate in the relevant service> -> <renew the certificate>
1. Install snap
- Reference: https://snapcraft.io/docs/installing-snap-on-centos
sudo yum install -y snapd
1-2. Enable the snapd socket (systemd socket activation)
sudo systemctl enable --now snapd.socket
1-3. Symlink /snap (required for snaps installed with --classic, such as certbot)
sudo ln -s /var/lib/snapd/snap /snap
1-4. Enable snapd at boot
sudo systemctl enable snapd.service
1-5. Reboot the system
reboot
1-6. After the reboot, log back in over SSH
1-7. Install and refresh the core snap
sudo snap install core && sudo snap refresh core
1-8. Remove any old or previously installed Certbot package so the two versions do not conflict
sudo yum remove -y certbot
2. Install Certbot
- Reference: https://certbot.eff.org/instructions?ws=other&os=centosrhel7
sudo snap install --classic certbot
2-1. Symlink the certbot command onto the PATH
sudo ln -s /snap/bin/certbot /usr/bin/certbot
2-2. Test that the issuance flow works before asking for a real certificate; this tutorial uses DNS validation (the dns-01 challenge). --dry-run talks to the Let's Encrypt staging server, so it does not count against rate limits and issues nothing.
[root@iZ6webwxn14lqwuh9kxokwZ ~]# sudo certbot certonly --manual --preferred-challenges dns -d one.test.kingsbestone.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): admin@example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Simulating a certificate request for one.test.kingsbestone.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.one.test.kingsbestone.com.

with the following value:

QvTbpbiUkaE57DEEpvd0qiDPsHaRsA6yT9z8vbusaiI

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.one.test.kingsbestone.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
The dry run was successful.
[root@iZ6webwxn14lqwuh9kxokwZ ~]#
- The line "The dry run was successful." means the test passed. Do not press Enter until the TXT record is actually visible from the public internet (for example, "dig +short TXT _acme-challenge.one.test.kingsbestone.com" returns the value), because Let's Encrypt validates the moment you continue.
2-3. Request the real certificate, again with DNS validation
[root@iZ6webwxn14lqwuh9kxokwZ ~]# sudo certbot certonly --manual --preferred-challenges dns -d one.test.kingsbestone.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): admin@example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for one.test.kingsbestone.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.one.test.kingsbestone.com.

with the following value:

r_EdwmRT01siVrDX2pbDGSnnylxcNdiBejYntHPNFYA

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.one.test.kingsbestone.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/one.test.kingsbestone.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/one.test.kingsbestone.com/privkey.pem
This certificate expires on 2023-05-08.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@iZ6webwxn14lqwuh9kxokwZ ~]#
2-4. Configure the issued certificate in the relevant service. The files are:
Certificate is saved at: /etc/letsencrypt/live/one.test.kingsbestone.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/one.test.kingsbestone.com/privkey.pem
- NGINX or Apache: point the server at these two paths (ssl_certificate / ssl_certificate_key in nginx, SSLCertificateFile / SSLCertificateKeyFile in Apache). Use fullchain.pem rather than cert.pem so clients also receive the intermediate certificate, and reference the live/ symlinks rather than the versioned files under archive/, so that a renewal is picked up on the next reload. privkey.pem is readable only by root; keep it that way and reload the service from a renewal hook instead of loosening the permissions.
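The NEXT STEPS text printed at issuance is the important caveat of the whole flow: a --manual certificate is only renewable unattended if certbot is given scripts that publish and remove the TXT record itself (--manual-auth-hook and --manual-cleanup-hook). The script below is an added example, not part of the original tutorial and not Certbot's own code. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the environment variables certbot really exports to these hooks; everything about how the record is published is an assumption: it supposes, hypothetically, that the zone for one.test.kingsbestone.com accepts RFC 2136 dynamic updates through nsupdate with a TSIG key at /etc/letsencrypt/acme-tsig.key (the ACME_TSIG_KEY variable and path are invented for the example). Replace publish_record/remove_record with your DNS provider's API call and the rest stays the same.

```sh
#!/bin/sh
# Added example (not from the original tutorial): one file that serves as both
# --manual-auth-hook and --manual-cleanup-hook for certbot's dns-01 challenge.
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook.
# ASSUMPTION: the zone accepts dynamic updates via `nsupdate` authenticated
# with a TSIG key file; ACME_TSIG_KEY and its default path are hypothetical.
set -eu

ACME_TSIG_KEY="${ACME_TSIG_KEY:-/etc/letsencrypt/acme-tsig.key}"   # assumed path
ACME_TTL=60   # short TTL: the record is throwaway and must not be cached for long

# Name of the challenge record certbot asks for (trailing dot = absolute name).
acme_challenge_name() {
    printf '_acme-challenge.%s.\n' "$1"
}

# nsupdate batch that ADDS the TXT record. Emitted on stdout so it can be
# inspected, or piped into `nsupdate -k "$ACME_TSIG_KEY"`.
nsupdate_add_script() {
    domain=$1; value=$2
    printf 'update add %s %d IN TXT "%s"\nsend\n' \
        "$(acme_challenge_name "$domain")" "$ACME_TTL" "$value"
}

# nsupdate batch that DELETES only this exact value, so concurrent validations
# that share the same _acme-challenge name (SAN certs) are left alone.
nsupdate_del_script() {
    domain=$1; value=$2
    printf 'update delete %s IN TXT "%s"\nsend\n' \
        "$(acme_challenge_name "$domain")" "$value"
}

# Poll DNS until the value is visible, so certbot does not tell Let's Encrypt
# to validate before the record exists (the manual flow has you do this by eye).
wait_for_txt() {
    domain=$1; value=$2; tries=${3:-30}
    name=$(acme_challenge_name "$domain")
    while [ "$tries" -gt 0 ]; do
        if dig +short TXT "$name" | grep -Fqx "\"$value\""; then
            return 0
        fi
        tries=$((tries - 1)); sleep 5
    done
    echo "TXT $name never showed value $value" >&2
    return 1
}

publish_record() { nsupdate_add_script "$1" "$2" | nsupdate -k "$ACME_TSIG_KEY"; }
remove_record()  { nsupdate_del_script "$1" "$2" | nsupdate -k "$ACME_TSIG_KEY"; }

# Entry point: the first argument selects auth or cleanup. Only runs when
# certbot has set CERTBOT_DOMAIN, so sourcing the file for its functions is safe.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    case "${1:-auth}" in
        auth)    publish_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
                 wait_for_txt   "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
        cleanup) remove_record  "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
        *)       echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
    esac
fi
```

Install it as, for example, /etc/letsencrypt/acme-hook.sh (assumed path, mode 0700, owned by root) and issue with: sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/etc/letsencrypt/acme-hook.sh auth' --manual-cleanup-hook '/etc/letsencrypt/acme-hook.sh cleanup' -d one.test.kingsbestone.com. Certbot records both hooks in /etc/letsencrypt/renewal/one.test.kingsbestone.com.conf, so certbot renew can then renew the certificate without a human. Scope the TSIG key to the _acme-challenge names (a BIND update-policy rather than a zone-wide key): whatever can run this hook can otherwise rewrite the entire zone, which turns a compromised web host into a DNS takeover.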
3. Renewing certificates manually with Certbot
3-1. List all certificates
certbot certificates
3-2. Test (dry run) that renewal of all certificates works
- The domain issued in this tutorial is one.test.kingsbestone.com
[root@iZ6webwxn14lqwuh9kxokwZ ~]# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/one.test.kingsbestone.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for one.test.kingsbestone.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/one.test.kingsbestone.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@iZ6webwxn14lqwuh9kxokwZ ~]#
3-3. Renew all certificates for real (only certificates within 30 days of expiry are actually renewed; the rest are reported as not yet due)
sudo certbot renew
4. Automatic renewal with a scheduled job
4-1. Add a renewal job. The original entry, "* * * 1 * sudo certbot renew ...", was wrong on three counts: "* * * 1 *" fires every minute of every day in January rather than once a month, /etc/crontab needs a user field between the schedule and the command, and sudo is pointless in a job that already runs as root. Run the check daily instead of monthly: certbot renew only renews certificates within 30 days of expiry, so a frequent check costs nothing and a failed renewal is noticed while there is still time to fix it.
vi /etc/crontab
# min hour dom mon dow user command
0 3 * * * root certbot renew --quiet --deploy-hook "systemctl reload nginx.service"
- --deploy-hook runs only when a certificate was actually renewed; --post-hook runs after every attempt whether or not anything changed. reload makes nginx pick up the new files without dropping open connections, which restart does.
- The Certbot snap already installs a systemd timer that runs certbot renew on its own; check with "systemctl list-timers | grep certbot". If that timer is present, the cron entry is redundant.
- Neither the timer nor cron renews a certificate that was issued with --manual and no --manual-auth-hook (the NEXT STEPS text at issuance says so): either repeat the certonly command by hand before the expiry date, or reissue with an auth hook so that renewal can be unattended.
4-2. Done: the certificate is issued and its renewal is scheduled.
5. List all certificates
[root@iZ6webwxn14lqwuh9kxokwZ ~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: one.test.kingsbestone.com
Serial Number: 3acb552e4ff3466b6d9b2d2cdca6a56bc9c
Key Type: RSA
Domains: one.test.kingsbestone.com
Expiry Date: 2023-05-08 06:14:05+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/one.test.kingsbestone.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/one.test.kingsbestone.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@iZ6webwxn14lqwuh9kxokwZ ~]#
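Because a --manual certificate without an auth hook is not renewed by certbot renew, something has to notice when the "VALID: 89 days" in the listing above is running out. The script below is an added example, not from the original tutorial or from Certbot: it parses the exact "certbot certificates" format shown above and reports every certificate with fewer than a chosen number of days left, treating any INVALID state (expired, revoked) as needing attention. The sample listing is constructed from the page's own output plus a hypothetical, already expired old.example.com entry so that branch is exercised; the 30-day threshold and the AUDIT_LIVE switch are assumptions.

```sh
#!/bin/sh
# Added example (not from the original tutorial): expiry audit over the output
# of `certbot certificates`. Intended to run from cron and to alert (non-zero
# exit) when a certificate has fewer than THRESHOLD days left.
set -eu

# Constructed sample of `certbot certificates` output: the page's real
# certificate plus a hypothetical expired one (old.example.com is invented).
SAMPLE_LISTING='Found the following certs:
  Certificate Name: one.test.kingsbestone.com
    Serial Number: 3acb552e4ff3466b6d9b2d2cdca6a56bc9c
    Key Type: RSA
    Domains: one.test.kingsbestone.com
    Expiry Date: 2023-05-08 06:14:05+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/one.test.kingsbestone.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/one.test.kingsbestone.com/privkey.pem
  Certificate Name: old.example.com
    Serial Number: 0123456789abcdef
    Key Type: ECDSA
    Domains: old.example.com
    Expiry Date: 2023-01-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem'

# Read a listing on stdin and emit one "name days" line per certificate.
# "(VALID: N days)" yields N; any "(INVALID: ...)" state yields -1 so that
# expired and revoked certificates sort below every threshold.
days_left_from_listing() {
    awk '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            days = -1
            if (match($0, /VALID: [0-9]+ day/)) {
                split(substr($0, RSTART, RLENGTH), f, " ")
                days = f[2] + 0
            }
            print name, days
        }'
}

# Print only the certificates with fewer than $1 days left (default 30) and
# exit 1 if there were any, so cron mail / a monitoring wrapper can alert.
needs_attention() {
    threshold=${1:-30}
    days_left_from_listing |
        awk -v t="$threshold" '$2 < t { print; bad = 1 } END { exit bad ? 1 : 0 }'
}

# Run the audit over the constructed sample (used by the checks below).
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | needs_attention "${1:-30}"
}

# Live mode, hypothetical switch: AUDIT_LIVE=1 THRESHOLD=14 sh audit.sh
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    certbot certificates 2>/dev/null | needs_attention "${THRESHOLD:-30}"
fi
```

With the sample above, "audit_sample 30" prints only old.example.com and exits 1, while a 90-day threshold also flags the page's certificate at 89 days. Pair the exit status with whatever already pages you (cron's MAILTO is the minimum); the point is that expiry is detected by a check, not discovered by the first user whose browser refuses the connection.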
6. Revoking a certificate with Certbot
[root@iZ6webwxn14lqwuh9kxokwZ ~]# sudo certbot revoke --reason keycompromise --cert-path /etc/letsencrypt/live/one.test.kingsbestone.com/fullchain.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you like to delete the certificate(s) you just revoked, along with all
earlier and later versions of the certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es (recommended)/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificate(s) are selected for deletion:

  * one.test.kingsbestone.com

WARNING: Before continuing, ensure that the listed certificates are not being
used by any installed server software (e.g. Apache, nginx, mail servers).
Deleting a certificate that is still being used will cause the server software
to stop working. See https://certbot.org/deleting-certs for information on
deleting certificates safely.

Are you sure you want to delete the above certificate(s)?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Deleted all files relating to certificate one.test.kingsbestone.com.
Congratulations! You have successfully revoked the certificate that was located at /etc/letsencrypt/live/one.test.kingsbestone.com/fullchain.pem.
[root@iZ6webwxn14lqwuh9kxokwZ ~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No certificates found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@iZ6webwxn14lqwuh9kxokwZ ~]#
- --cert-path takes the path of the certificate file, not the certificate name (certbot revoke also accepts --cert-name for the latter).
- --reason is the revocation reason sent to the CA; accepted values are unspecified, keycompromise, affiliationchanged, superseded and cessationofoperation. Use keycompromise only when the private key may actually have leaked: Let's Encrypt then treats that key as compromised and will not issue for it again, so the replacement certificate must use a fresh key (certbot generates a new one on each issuance unless --reuse-key is set). Revoke first, then reissue; an unrevoked leaked certificate stays usable by whoever holds the key until it expires.
6-2. After a successful revocation, delete the certificate's files. If you already answered yes to deletion during revoke, as above, this command reports that no such certificate exists; nothing more is needed in that case.
certbot delete --cert-name one.test.kingsbestone.com
6-3. List the certificates again; if none remain, the cleanup is complete.
[root@iZ6webwxn14lqwuh9kxokwZ ~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No certificates found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@iZ6webwxn14lqwuh9kxokwZ ~]#
Done!
7. Parameter reference:
sudo certbot certonly --manual --preferred-challenges dns -d *.example.com -d example.com --dry-run
# sudo                    run with root privileges (certbot writes to /etc/letsencrypt and /var/log/letsencrypt)
# certbot                 the ACME client itself
# certonly                obtain (or renew) the certificate but do not install it; the alternative, e.g. "certbot --nginx", also edits the web server configuration
# --manual                interactive manual mode: you publish the challenge record (or file) yourself, or via --manual-auth-hook
# --preferred-challenges  which challenge type to use (dns or http); a wildcard such as *.example.com can only be validated with dns
# -d                      a domain to include in the certificate; repeat the flag for each additional name
# --dry-run               test mode against the staging server (valid with certonly or renew); checks that the command works and issues nothing