Certbot usage notes
Installation
CentOS
    yum -y install certbot python2-certbot-nginx
Ubuntu
    apt-get install certbot python-certbot-nginx
Deploying the HTTPS certificate
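When the nginx configuration is at /etc/nginx/conf/nginx.conf
    certbot --nginx
When the nginx configuration file is not under /etc/nginx/conf/nginx.conf
    certbot --nginx --nginx-server-root /usr/local/nginx/conf
Use --nginx-server-root to specify the directory that contains the nginx configuration file (do not include nginx.conf; it is appended automatically). The path must be absolute.
If you run certbot --nginx-server-root ./nginx.conf, the current directory is joined with ./nginx.conf, giving for example /usr/local/nginx/./nginx.conf/nginx.conf
Specifying the domains directly
    certbot --nginx -d example.com -d example2.com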
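The path pitfall described above can be caught before certbot runs. The following is an added example, not part of the original notes: resolve_server_root and certbot_nginx are hypothetical helper names, and a POSIX shell is assumed.

```shell
#!/bin/sh
# Added example: normalise the value given to --nginx-server-root so that a
# relative path, or a path to nginx.conf itself, cannot turn into a doubled
# path such as /usr/local/nginx/./nginx.conf/nginx.conf.

# resolve_server_root PATH
# Prints the absolute directory containing nginx.conf; non-zero on failure.
resolve_server_root() {
    input=$1
    [ -n "$input" ] || { echo "usage: resolve_server_root PATH" >&2; return 2; }

    # If the caller pointed at the file itself, step up to its directory.
    if [ -f "$input" ]; then
        input=$(dirname -- "$input")
    fi

    [ -d "$input" ] || { echo "not a directory: $input" >&2; return 1; }

    # cd + pwd -P yields an absolute path with symlinks resolved.
    abs=$(cd -- "$input" && pwd -P) || return 1

    # certbot appends nginx.conf to the server root, so it must exist there.
    [ -f "$abs/nginx.conf" ] || { echo "no nginx.conf in $abs" >&2; return 1; }

    printf '%s\n' "$abs"
}

# certbot_nginx PATH [certbot arguments...]
# Hypothetical wrapper: refuses to call certbot unless the root is valid.
certbot_nginx() {
    root=$(resolve_server_root "$1") || return 1
    shift
    certbot --nginx --nginx-server-root "$root" "$@"
}

# Usage: certbot_nginx ./nginx.conf -d example.com
```
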
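Automatically reissuing and reloading expiring HTTPS certificates
    crontab -e
    0 12 * * * /usr/bin/certbot renew --quiet
With the --quiet option no output is produced. (Every day at 12:00 noon, certificates with 30 days left before expiry are automatically reissued and reloaded.)
With the configuration directory specified
    0 12 * * * /usr/bin/certbot --nginx-server-root /usr/local/nginx/conf renew --quiet
Walkthrough of the installation prompts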
On first use an email address must be entered
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator nginx, Installer nginx
    Enter email address (used for urgent renewal and security notices)
     (Enter "c" to cancel): 1234567@qq.com
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Whether to agree to the Terms of Service
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
    agree in order to register with the ACME server. Do you agree?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y
Whether to accept email notifications about the activities of the foundation behind Certbot
    Would you be willing, once your first certificate is successfully issued, to
    share your email address with the Electronic Frontier Foundation, a founding
    partner of the Let's Encrypt project and the non-profit organization that
    develops Certbot? We'd like to send you email about our work encrypting the web,
    EFF news, campaigns, and ways to support digital freedom
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y
    Account registered.
Choosing the domain names to enable HTTPS for
    Which names would you like to activate HTTPS for?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: a.example.com
    2: b.example.com
    3: c.example.com
    4: d.example.com
Requesting the certificate for the domain
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter "c" to cancel): 4
    Requesting a certificate for d.example.com
    Performing the following challenges:
    http-01 challenge for d.example.com
    Waiting for verification...
    Cleaning up challenges
    Deploying Certificate to VirtualHost /usr/local/nginx/conf/vhost/com.example.d.nginx.conf
    Redirecting all traffic on port 80 to ssl in /usr/local/nginx/conf/vhost/com.example.d.nginx.conf
Configuration succeeded; certbot reports the certificate file locations, the certificate expiry date, and the command for renewing the certificate
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/d.example.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/d.example.com/privkey.pem
       Your certificate will expire on 2023-02-06. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot again
       with the "certonly" option. To non-interactively renew *all* of
       your certificates, run "certbot renew"
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
       Donating to EFF: https://eff.org/donate-le