
Using certbot to request a free Let’s Encrypt SSL certificate


Since Dehydrated currently no longer works properly, and the official certbot has become much simpler, using certbot to request certificates is recommended.

I have used two request methods so far:

  1. webroot validation: the advantage is that existing network services are not interrupted, but the NGINX configuration file must be modified.
  2. DNS validation: only the DNS records need to be changed to pass validation, but renewals afterwards have to be done manually, so it is not recommended.

Install the certbot-nginx package

yum install -y python-certbot-nginx

Method 1: request via webroot validation

First edit the NGINX configuration for the domain so that the beginning looks like this:

    # http -> https
    server {
        listen 80;
        server_name www.cewolf.com.tw;

        location ~ /\.well-known\/acme-challenge {
            root /etc/letsencrypt;
            allow all;
        }
        if ($request_uri !~ /\.well-known) {
            return 301 https://$server_name$request_uri;
        }
    }

Reload the NGINX configuration

service nginx reload

Request the SSL certificate

certbot certonly --webroot -w /etc/letsencrypt/ -d www.cewolf.com.tw

If the following output appears, the request succeeded:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for m2.cewolf.com.tw
Using the webroot path /etc/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.cewolf.com.tw/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.cewolf.com.tw/privkey.pem
Your cert will expire on 2020-03-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Next, edit the SSL settings in the NGINX configuration file

vim /etc/nginx/conf.d/www.cewolf.com.tw.ssl.conf

Add these two lines

ssl_certificate /etc/letsencrypt/live/www.cewolf.com.tw/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.cewolf.com.tw/privkey.pem;

Reload the NGINX configuration and you are done

systemctl reload nginx

Method 2: request via DNS validation

certbot -d m2.cewolf.com.tw --manual --preferred-challenges dns certonly

A DNS validation value will be displayed:

Please deploy a DNS TXT record under the name
_acme-challenge.www.cewolf.com.tw with the following value:

O3kP443ms6OP84K8NQnZv_vvZ5HAHMKMBdqqSIyxKlo

Set a TXT record with this value directly in your DNS records, then confirm it can be queried successfully:

nslookup -type=TXT _acme-challenge.www.cewolf.com.tw

Then press Enter; if you see the following, the request succeeded:

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.cewolf.com.tw/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.cewolf.com.tw/privkey.pem
Your cert will expire on 2020-03-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Next, edit the SSL settings in the NGINX configuration file

vim /etc/nginx/conf.d/www.cewolf.com.tw.ssl.conf

Add these two lines

ssl_certificate /etc/letsencrypt/live/www.cewolf.com.tw/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.cewolf.com.tw/privkey.pem;

Reload the NGINX configuration

systemctl reload nginx

Remember to confirm that the SSL certificate's expiry date has actually been pushed back!

Automatic certificate renewal

We can use cron to renew on a schedule automatically. First edit the crontab file

vim /etc/crontab

Add the following lines (every Saturday at 3:00 AM the first domain is checked for renewal, and NGINX is reloaded at 3:30 AM)

00 3 * * 6 root certbot -d www.cewolf.com.tw --no-redirect
10 3 * * 6 root certbot -d km.cewolf.com.tw --no-redirect
20 3 * * 6 root certbot -d www.gapl.com.tw --no-redirect
30 3 * * 6 root systemctl reload nginx.service

Restart the cron service

systemctl restart crond.service

Done!

Checking certificate status

Sometimes you will receive a certificate expiration notice email from Let’s Encrypt, titled “Let’s Encrypt certificate expiration notice for domain “your_domain.com””. When that happens, run the command below to check the status of your certificates.

sudo certbot certificates
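As an added example (not part of the original article), here is a small stdlib-only Go program that performs the same check as `certbot certificates` without certbot or openssl installed: it parses the leaf certificate from a fullchain.pem, confirms it really names the host NGINX serves (the output above shows a challenge for m2. while the command asked for www., which this check would flag), and reports the days left and whether renewal is due under certbot's default 30-day rule. The certificate it checks is a constructed self-signed fixture so the program runs offline; the hostname and dates are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkFullchain parses the leaf (first) certificate in a fullchain.pem, checks
// that it really names host (SAN match, as a browser would), and returns whole
// days left at now plus whether renewal is due by certbot's default 30-day rule.
// A negative day count means the certificate has already expired.
func checkFullchain(fullchain []byte, host string, now time.Time) (int, bool, error) {
	block, _ := pem.Decode(fullchain)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, false, fmt.Errorf("no CERTIFICATE block in input")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, false, err
	}
	if err := leaf.VerifyHostname(host); err != nil { // e.g. issued for m2., served as www.
		return 0, false, err
	}
	remaining := leaf.NotAfter.Sub(now)
	return int(remaining.Hours() / 24), remaining < 30*24*time.Hour, nil
}

// selfSignedPEM builds a constructed 90-day certificate (Let's Encrypt's lifetime)
// so the example runs offline; it is a test fixture, so its errors are ignored.
func selfSignedPEM(host string, notBefore time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: notBefore, NotAfter: notBefore.Add(90 * 24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	issued := time.Date(2019, 12, 21, 0, 0, 0, 0, time.UTC) // constructed issue date
	chain := selfSignedPEM("www.example.com", issued)
	fmt.Println(checkFullchain(chain, "www.example.com", issued.Add(65*24*time.Hour))) // 25 true <nil>
}
```

To check a real deployment, read /etc/letsencrypt/live/<domain>/fullchain.pem into the byte slice and pass time.Now() instead of the fixture.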