Requesting a free Let's Encrypt SSL certificate with certbot
Since Dehydrated currently no longer works properly and the official certbot has become much simpler, we recommend using certbot to request certificates.
I have used two request methods so far:
- webroot validation: the advantage is that existing web services do not have to be interrupted, but the NGINX configuration file must be modified
- DNS validation: only the DNS settings need to change to pass validation, but renewals afterwards have to be done manually, so it is not recommended
Install the certbot-nginx main package
yum install -y python-certbot-nginx
Method 1: webroot validation
First modify the NGINX configuration for the site; change the beginning to the following form
# http -> https
server {
    listen 80;
    server_name www.cewolf.com.tw;

    location ~ /\.well-known\/acme-challenge {
        root /etc/letsencrypt;
        allow all;
    }

    if ($request_uri !~ /\.well-known) {
        return 301 https://$server_name$request_uri;
    }
}
Reload the NGINX configuration
service nginx reload
Request the SSL certificate
certbot certonly --webroot -w /etc/letsencrypt/ -d www.cewolf.com.tw
If the following output appears, the request succeeded
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for m2.cewolf.com.tw
Using the webroot path /etc/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.cewolf.com.tw/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.cewolf.com.tw/privkey.pem
   Your cert will expire on 2020-03-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Next, edit the SSL settings in the NGINX configuration file
vim /etc/nginx/conf.d/www.cewolf.com.tw.ssl.conf
Add these two lines
ssl_certificate /etc/letsencrypt/live/www.cewolf.com.tw/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.cewolf.com.tw/privkey.pem;
Reload the NGINX configuration and you are done
systemctl reload nginx
Method 2: DNS validation
certbot -d m2.cewolf.com.tw --manual --preferred-challenges dns certonly
A DNS validation value will be displayed
Please deploy a DNS TXT record under the name
_acme-challenge.www.cewolf.com.tw with the following value:

O3kP443ms6OP84K8NQnZv_vvZ5HAHMKMBdqqSIyxKlo
After adding the TXT record directly in your DNS records, confirm that it can be queried successfully
nslookup -type=TXT _acme-challenge.www.cewolf.com.tw
Then press Enter; if you see the following, the request succeeded
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.cewolf.com.tw/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.cewolf.com.tw/privkey.pem
   Your cert will expire on 2020-03-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
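The most common way the manual DNS challenge fails is pressing Enter before the TXT record is actually resolvable. The script below is an added example (not part of the original article) that polls the _acme-challenge record with nslookup until the value certbot asked for is visible. The nslookup output used in the comments is constructed; the token is the one shown above; the function names are my own.

```shell
#!/bin/sh
# Added example: wait until the _acme-challenge TXT record shows the value
# certbot asked for, before pressing Enter in the manual DNS challenge.
# Assumes the Linux nslookup output format, e.g. (constructed sample):
#   _acme-challenge.www.cewolf.com.tw   text = "O3kP443ms6OP84K8NQnZv_vvZ5HAHMKMBdqqSIyxKlo"

# Read nslookup output on stdin and print each TXT value, one per line,
# with the surrounding quotes stripped.
txt_values_from_nslookup() {
  sed -n 's/.*text = "\(.*\)"$/\1/p'
}

# Return 0 if the exact TXT value $1 appears in the nslookup output on stdin.
# Exact, fixed-string, whole-line matching: a stale record from an earlier
# run or a prefix of the token must not count as success.
has_txt_value() {
  txt_values_from_nslookup | grep -qxF -- "$1"
}

# Query _acme-challenge.$1 for the value $2, at most $3 times (default 12),
# sleeping $4 seconds between attempts (default 10). An optional $5 names the
# DNS server to ask; querying the authoritative server avoids cached negative
# answers from the local resolver. Returns 0 when found, 1 on timeout.
wait_for_acme_txt() {
  domain="$1"; expected="$2"; attempts="${3:-12}"; interval="${4:-10}"; server="$5"
  n=0
  while [ "$n" -lt "$attempts" ]; do
    if nslookup -type=TXT "_acme-challenge.$domain" ${server:+"$server"} 2>/dev/null \
        | has_txt_value "$expected"; then
      echo "TXT record for _acme-challenge.$domain is visible, safe to press Enter"
      return 0
    fi
    n=$((n + 1))
    sleep "$interval"
  done
  echo "TXT record for _acme-challenge.$domain not visible after $attempts attempts" >&2
  return 1
}

# Usage: sh wait_txt.sh www.cewolf.com.tw O3kP443ms6OP84K8NQnZv_vvZ5HAHMKMBdqqSIyxKlo [attempts] [interval] [dns-server]
if [ "$#" -ge 2 ]; then
  wait_for_acme_txt "$@"
fi
```

Run it in a second terminal while certbot is waiting at "Press Enter to Continue"; only press Enter once it reports the record as visible.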
Next, edit the SSL settings in the NGINX configuration file
vim /etc/nginx/conf.d/www.cewolf.com.tw.ssl.conf
Add these two lines
ssl_certificate /etc/letsencrypt/live/www.cewolf.com.tw/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.cewolf.com.tw/privkey.pem;
Reload the NGINX configuration
systemctl reload nginx
Remember to confirm that the SSL certificate's expiry date has actually been pushed out!
Automatic certificate renewal
We can use cron to renew certificates automatically on a schedule. First edit the crontab file
vim /etc/crontab
Add the following lines (every Saturday at 3:00 AM check whether the first domain needs renewal, and reload NGINX at 3:30 AM)
00 3 * * 6 root certbot -d www.cewolf.com.tw --no-redirect
10 3 * * 6 root certbot -d km.cewolf.com.tw --no-redirect
20 3 * * 6 root certbot -d www.gapl.com.tw --no-redirect
30 3 * * 6 root systemctl reload nginx.service
Restart the cron service
systemctl restart crond.service
Done!
Checking certificate status
Sometimes you will receive a certificate-expiry notice from letsencrypt ("Let's Encrypt certificate expiration notice for domain "your_domain.com""). When that happens, run the command below to check the status.
sudo certbot certificates
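Both the reminder above to confirm that the expiry date really moved and the expiration-notice e-mail come down to the same check: does each certificate under /etc/letsencrypt/live still have enough validity left? The script below is an added example (not part of the original article) that answers that with openssl alone, so it can run from a monitoring job independently of certbot. It assumes openssl is installed and that certificates live in certbot's default /etc/letsencrypt/live/<domain>/fullchain.pem layout; the function names are my own.

```shell
#!/bin/sh
# Added example: report the expiry date of every certbot-managed certificate
# and flag those with fewer than N days left, so a cron renewal that silently
# failed is noticed before the site goes down. Assumes openssl is installed
# and certbot's default live directory layout.

# Print the notAfter date of a PEM certificate, e.g. "Mar 20 08:41:12 2020 GMT".
cert_not_after() {
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Return 0 if the certificate in $1 stays valid for at least $2 more days,
# 1 if it expires sooner (or has already expired). openssl's -checkend takes
# seconds, so convert the day count; no date parsing is needed.
cert_valid_for_days() {
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Walk every certbot "live" directory under $1 (default /etc/letsencrypt/live),
# print each certificate's expiry and flag the ones with fewer than $2 days
# (default 30, the point at which certbot itself would renew) left.
# Exit status is 1 if any certificate is flagged, so the function can drive
# a monitoring check directly.
check_live_certs() {
  live_root="${1:-/etc/letsencrypt/live}"
  min_days="${2:-30}"
  failed=0
  for dir in "$live_root"/*/; do
    cert="${dir%/}/fullchain.pem"
    [ -f "$cert" ] || continue
    name=$(basename "$dir")
    if cert_valid_for_days "$cert" "$min_days"; then
      echo "OK     $name expires $(cert_not_after "$cert")"
    else
      echo "RENEW  $name expires $(cert_not_after "$cert") (less than $min_days days left)"
      failed=1
    fi
  done
  return "$failed"
}

# Usage: sh check_certs.sh [/etc/letsencrypt/live] [min_days]
if [ "$#" -gt 0 ]; then
  check_live_certs "$@"
fi
```

Running it right after the Saturday cron job (or from a separate cron entry that mails on non-zero exit) gives the confirmation the article asks for without relying on certbot's own output, and a RENEW line is the cue to run the renewal manually.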