SSL certificate automation made easy: certbot in practice

2024-01-05 11:12:35

Install the Certbot tool

```bash
sudo apt-get update
sudo apt-get install certbot
certbot --version
```

If `certbot --version` fails with

```
ImportError: cannot import name 'appengine' from 'urllib3.contrib' (/usr/local/lib/python3.10/dist-packages/urllib3/contrib/__init__.py)
```

the cause is a urllib3 2.x under `/usr/local/lib` that no longer ships the `urllib3.contrib.appengine` module, while an older `requests-toolbelt` (a dependency of certbot's acme client) still imports it. The fix that worked here was to uninstall and reinstall urllib3; pinning it below 2.0 (`pip install 'urllib3<2'`) is the more predictable alternative.

```bash
pip uninstall urllib3
pip install urllib3
```

Set up DNS resolution

Request a certificate

Option 1: webroot mode. You point certbot at the site's document root and it creates a `.well-known/acme-challenge/` directory there to prove ownership of the domain. The directory given with `-w` must be the one the web server actually serves for that hostname over plain HTTP on port 80, because the Let's Encrypt validation servers fetch `http://<domain>/.well-known/acme-challenge/<token>` to check it.

```bash
certbot certonly --webroot -w /root/www/html -d tmp1210.visionmedicals.cn
```

Once the certificate has been issued, a folder named after the domain appears under `/etc/letsencrypt/live/`. The `fullchain.pem` and `privkey.pem` inside it are symlinks to the newest version, so a server config that points at them keeps working across renewals.

Option 2: certbot also has a `--standalone` mode. It needs no site root: certbot starts its own temporary web server on port 80 to answer the HTTP-01 challenge. If another service (for example nginx) is already listening on port 80, you have to stop it first and start it again after the certificate has been issued; for unattended renewals certbot's `--pre-hook` and `--post-hook` options can do the stop and start for you.

```bash
# sudo certbot certonly --standalone --email jxiao@visionmedicals.com --agree-tos -d xjtmp.test.visionmedicals.cn
certbot certonly --standalone --email jxiao@visionmedicals.com --agree-tos -d tmp1210.test.visionmedicals.cn
```

Automatic certificate renewal

Free Let's Encrypt certificates are valid for 90 days, so renewal has to be automated to keep them from expiring. Certbot's `renew` subcommand does this: it walks through every certificate it manages and renews the ones that are due.

Set up a scheduled task

```bash
sudo crontab -e
```

```bash
0 0 * * 0 certbot renew --quiet
```

This runs the renewal check every Sunday at midnight. `certbot renew` only replaces certificates that are within 30 days of expiry, so running it more often is harmless; Let's Encrypt recommends twice a day, which also leaves room to retry when an attempt fails (on Debian and Ubuntu the apt package already installs a `certbot.timer` systemd unit that does exactly that, which is the "scheduled task" the certbot output below refers to). Two caveats: a certificate issued with a non-default `--config-dir`, as in the demo below, is invisible to a plain `certbot renew`, so the cron job (or the timer) must pass the same `--config-dir`; and nginx does not notice new files on disk, so reload it after a renewal, for example with `--deploy-hook 'nginx -s reload'`, which certbot runs only for certificates it actually renewed.
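A cron-friendly wrapper around `certbot renew`, added here as an example and not part of the original post or of certbot itself: it passes the demo's `--config-dir`, reloads nginx through a deploy hook only when something was renewed, and has a `report` mode that uses `openssl x509 -checkend` to list which certificate lineages are inside the renewal window, which is useful as a monitoring check independent of certbot's own log. The config directory path, the 30-day threshold and the `nginx -s reload` command (nginx running on the host rather than in a container) are assumptions.

```shell
#!/bin/sh
# renew-certs.sh: cron-friendly wrapper around "certbot renew".
# Added example, not from the original post. Assumptions: certificates were
# issued with the --config-dir below, and nginx runs on the host so that
# "nginx -s reload" reaches it (for a container: docker exec <name> nginx -s reload).
set -eu

CONFIG_DIR="${CONFIG_DIR:-/root/software/docker/nginx/config/conf.d/cert}"
RENEW_BEFORE_DAYS=30     # Let's Encrypt certs last 90 days; certbot renews in the last 30

# needs_renewal CERT_PEM DAYS
# Succeeds (exit 0) when the certificate expires within DAYS days, or cannot be read.
# "openssl x509 -checkend N" exits 0 when the cert is still valid N seconds from now
# and 1 when it will have expired by then, so the result is inverted here.
needs_renewal() {
    cert="$1"
    days="$2"
    if [ ! -r "$cert" ]; then
        echo "needs_renewal: cannot read $cert" >&2
        return 0
    fi
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# report: one line per lineage under $CONFIG_DIR/live, flagging the ones due
# for renewal, followed by a summary count.
report() {
    due=0
    for dir in "$CONFIG_DIR"/live/*/; do
        [ -d "$dir" ] || continue            # no lineages: the glob stays literal
        name=$(basename "$dir")
        if needs_renewal "$dir/cert.pem" "$RENEW_BEFORE_DAYS"; then
            echo "$name: expires within $RENEW_BEFORE_DAYS days, renewal due"
            due=$((due + 1))
        else
            echo "$name: ok"
        fi
    done
    echo "$due lineage(s) due"
}

# renew_all: let certbot decide what is due. The renewal config saved under
# $CONFIG_DIR/renewal/ remembers the authenticator (webroot path or standalone),
# so nothing is repeated here. --deploy-hook runs only for certificates that were
# actually renewed, so nginx is reloaded only when there is something new to load.
# For standalone-issued certificates add, e.g.:
#   --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx'
renew_all() {
    certbot renew --quiet \
        --config-dir "$CONFIG_DIR" \
        --deploy-hook 'nginx -s reload'
}

case "${1:-}" in
    renew)  renew_all ;;
    report) report ;;
esac
```

Point the cron line at it, for example `0 3,15 * * * /usr/local/bin/renew-certs.sh renew`, and run `renew-certs.sh report` by hand to see the state of every lineage.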

Hands-on demo

Step 1. Set up DNS resolution first (an A/AAAA record pointing the hostname at this server).

Step 2. Configure a new site

Make sure it is reachable over plain HTTP first:

```nginx
server {
    listen       80;
    listen  [::]:80;
    server_name  tmp1210e.visionmedicals.cn;

    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}
```

Step 3. Generate the certificate into a directory of your choice

```console
root@iZ7xva33l57s9vs0useftcZ:~/software/docker/nginx/config/conf.d# certbot certonly --webroot -w /root/www/html -d tmp1210e.visionmedicals.cn --config-dir /root/software/docker/nginx/config/conf.d/cert/ --email jxiao@visionmedicals.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for tmp1210e.visionmedicals.cn

Successfully received certificate.
Certificate is saved at: /root/software/docker/nginx/config/conf.d/cert/live/tmp1210e.visionmedicals.cn/fullchain.pem
Key is saved at:         /root/software/docker/nginx/config/conf.d/cert/live/tmp1210e.visionmedicals.cn/privkey.pem
This certificate expires on 2024-03-09.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
We were unable to subscribe you the EFF mailing list. You can try again later by visiting https://act.eff.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

Step 4: Update the configuration

```nginx
server {
    listen       443 ssl;
    listen  [::]:443 ssl;
    server_name tmp1210e.visionmedicals.cn;

    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # Relative paths are resolved against the nginx prefix (/etc/nginx), so the
    # host's conf.d/cert/ directory is expected to be mounted at /etc/nginx/conf.d/cert/
    ssl_certificate      conf.d/cert/live/tmp1210e.visionmedicals.cn/fullchain.pem;
    ssl_certificate_key  conf.d/cert/live/tmp1210e.visionmedicals.cn/privkey.pem;
    ssl_session_timeout  5m;
    ssl_session_cache    shared:SSL:1m;
    # "!aNULL", not "aNULL": a bare aNULL in the list enables anonymous
    # (unauthenticated) key exchange instead of excluding it
    ssl_ciphers          ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer 1.2 and 1.3 only
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers  on;
}

server {
    listen 80;
    # must match the server_name of the TLS block above, or the redirect never fires
    server_name tmp1210e.visionmedicals.cn;
    # "rewrite ^ https://$host$1" has no capture group, so $1 is empty and the
    # path is lost; $request_uri keeps the path and query string
    return 301 https://$host$request_uri;
}
```
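The step 4 configuration reworked as an added example (this is not the original post's config and not something certbot generates): the ACME challenge path is served on port 80 and excluded from the HTTP to HTTPS redirect, so webroot renewals keep working no matter what happens to the TLS vhost, and the TLS settings are tightened to TLS 1.2/1.3 with authenticated, forward-secret suites only. Host name and certificate paths follow the demo. The webroot mapping is an assumption: step 3 passes `-w /root/www/html` while nginx serves `/usr/share/nginx/html`, which implies the former is bind-mounted as the latter in the Docker setup; if your mapping differs, make the `root` of the challenge location point at the directory given to `-w`.

```nginx
server {
    listen       80;
    listen  [::]:80;
    server_name  tmp1210e.visionmedicals.cn;

    # ACME challenge files are served from the webroot passed to "certbot -w"
    # (assumed to be mounted here) and are deliberately kept out of the redirect,
    # so renewal does not depend on the TLS vhost. "^~" takes precedence over
    # the prefix location below.
    location ^~ /.well-known/acme-challenge/ {
        root          /usr/share/nginx/html;
        default_type  "text/plain";
    }

    # Everything else: permanent redirect that keeps path and query string.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen       443 ssl;
    listen  [::]:443 ssl;
    server_name  tmp1210e.visionmedicals.cn;

    # Relative paths are resolved against the nginx prefix (/etc/nginx).
    ssl_certificate      conf.d/cert/live/tmp1210e.visionmedicals.cn/fullchain.pem;
    ssl_certificate_key  conf.d/cert/live/tmp1210e.visionmedicals.cn/privkey.pem;

    # TLS 1.0/1.1 are deprecated (RFC 8996). TLS 1.3 suites are fixed by the
    # protocol; ssl_ciphers governs TLS 1.2 only. Every suite listed is ECDHE
    # (forward secret) with an AEAD cipher; "!aNULL" keeps anonymous key
    # exchange out and "!eNULL" keeps null encryption out.
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_ciphers          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers off;   # all offered suites are strong; let the client choose

    ssl_session_timeout  1d;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_tickets  off;        # ticket keys live as long as the worker; off keeps forward secrecy simple

    # HSTS. Add it only once every host covered by the policy is known to work
    # over HTTPS; browsers refuse plain HTTP for max-age seconds afterwards.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}
```

Let's Encrypt does follow a redirect to HTTPS during HTTP-01 validation, so a redirect-everything port 80 block is not fatal as long as the 443 server serves the same webroot and has a valid certificate; exempting the challenge path removes that coupling, which matters most on the day the certificate has already expired. Run `nginx -t` after editing and check the result with `openssl s_client -connect tmp1210e.visionmedicals.cn:443 -servername tmp1210e.visionmedicals.cn -tls1_1`, which must fail the handshake once TLS 1.1 is gone.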
