Installing letscertbot on Linux to generate domain certificates
1. Download and install certbot
1.1. Install certbot via snap
# Install snap (jumpserver will raise an alert on this)
apt install snapd
# 卸載其他形式安裝的 certbot
sudo apt-get remove certbot
sudo dnf remove certbot
sudo yum remove certbot
# install snap
sudo snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/
certbot --version
# The following output means the install succeeded
------------------------
[email protected]:/opt# certbot --version
certbot 1.7.0
------------------------
1.2. Install certbot with the certbot-auto script
# get certbot install scripts
cd /opt/scripts
mkdir -p certbot-auto
wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto
/usr/local/bin/certbot-auto --help
# import certbot key
wget -N https://dl.eff.org/certbot-auto.asc
gpg2 --keyserver pool.sks-keyservers.net --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc /usr/local/bin/certbot-auto
# Example run:
----------------------------------
[email protected]:/opt/scripts/certbot# gpg2 --keyserver pool.sks-keyservers.net --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: key 4D17C995CD9775F2: 7 signatures not checked due to missing keys
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4D17C995CD9775F2: public key "Let's Encrypt Client Team <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
[email protected]:/opt/scripts/certbot-auto# gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc /usr/local/bin/certbot-auto
gpg: Signature made Wed 05 Aug 2020 02:33:02 AM CST
gpg: using RSA key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg: key 4D17C995CD9775F2 marked as ultimately trusted
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2027-11-22
gpg: Good signature from "Let's Encrypt Client Team <[email protected]>" [ultimate] # this line means the script is verified and safe to run
-----------------------------------
# install certbot
/usr/local/bin/certbot-auto
# The last step creates a Python virtual environment; it takes a while, and on a host with little memory it fails with:
internal compiler error: Killed (program cc1)
# Run the following to work around it with a temporary swap file
sudo fallocate -l 1G /tmp/swapfile
sudo chmod 600 /tmp/swapfile
sudo mkswap /tmp/swapfile
sudo swapon /tmp/swapfile
# Remove the swap file afterwards
sudo swapoff /tmp/swapfile
sudo rm /tmp/swapfile
1.3. Run certbot in a container
sudo docker run -it --rm --name certbot \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
certbot/certbot certonly
1.4. Install certbot with apt
# add PPA
sudo apt-get install software-properties-common -y
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
# install certbot
sudo apt-get install certbot python3-certbot-nginx
certbot --version
# For Apache, install the following plugin instead
sudo apt-get install python-certbot-apache
2. Download and install letscertbot
cd /opt/scripts
git clone https://github.com/jinhucheung/letscertbot.git
## Fill in the AccessKey ID / Secret (AK/SK) for the DNS provider
cd letscertbot
cp config.json.example config.json
vim config.json
--------
your_email=
your_access_key_id=
your_access_key_secret=
--------
sed -i "s#your_email#$your_email#g" config.json
sed -i "s#your_access_key_id#$your_access_key_id#g" config.json
sed -i "s#your_access_key_secret#$your_access_key_secret#g" config.json
grep email config.json
grep access_key_id config.json
grep access_key_secret config.json
3. Test the DNS API configuration
cd /opt/scripts/letscertbot
sudo python ./bin/manual.py --test --domain letscertbot.zuiyoujie.com --dns aliyun
---------------- Correct output ----------------- the certificate can be issued
[email protected]:/opt/scripts/letscertbot# sudo python ./bin/manual.py --test --domain letscertbot.zuiyoujie.com --dns aliyun
start to test letscertbot.zuiyoujie.com in DNS aliyun API
add TXT record(domain=zuiyoujie.com, rr=_acme-challenge.letscertbot, value=uJqSmGygc6iH3ApZ) to aliyun DNS
added TXT record
waiting 20 seconds...
remove above TXT record
removed TXT record
tested letscertbot.zuiyoujie.com in DNS aliyun API
-----------------------------------------------------
------------------ Error output ----------- the AK/SK lacks the permissions needed to add the DNS record
[email protected]:/opt/scripts/letscertbot# sudo python ./bin/manual.py --test --domain letscertbot.zuiyoujie.com --dns aliyun
start to test letscertbot.zuiyoujie.com in DNS aliyun API
add TXT record(domain=zuiyoujie.com, rr=_acme-challenge.letscertbot, value=juXeSRP9mfC14Dop) to aliyun DNS
ERROR:logger:aliyun#__request raise urllib2.HTTPError: HTTP Error 400: Bad Request
HTTP Error 400: Bad Request
--------------------------------------------
4. Generate the domain certificate
# Certificate output directory (symlinks)
ll /etc/letsencrypt/live/
# Directory holding the actual certificate files
ll /etc/letsencrypt/archive/
python ./bin/obtain.py -d www.zuiyoujie.com --cert www.zuiyoujie.com
python ./bin/obtain.py -d *.zuiyoujie.com --cert all.zuiyoujie.com
python ./bin/obtain.py -d *.39sky.com --cert all.39sky.com
python ./bin/obtain.py -d *.zuiyoujie.com --cert all.zuiyoujie.com --dns aliyun --challenge-alias _acme-challenge.zuiyoujie.com
-d      the domain to request the certificate for
--cert  the name used for the generated certificate directory and files
-----------------------------------
[email protected]:/opt/scripts/letscertbot# python ./bin/obtain.py -d *.zuiyoujie.com --cert all.zuiyoujie.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for zuiyoujie.com
Running manual-auth-hook command: python /opt/scripts/letscertbot/bin/../bin/manual.py --auth --dns aliyun
Waiting for verification...
Cleaning up challenges
Running manual-cleanup-hook command: python /opt/scripts/letscertbot/bin/../bin/manual.py --cleanup --dns aliyun
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/all.zuiyoujie.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/all.zuiyoujie.com/privkey.pem
Your cert will expire on 2020-11-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
[email protected]:/opt/scripts/letscertbot# ll /etc/letsencrypt/live/
total 20
drwx------ 4 root root 4096 Aug 25 15:36 ./
drwxr-xr-x 9 root root 4096 Aug 25 15:36 ../
drwxr-xr-x 2 root root 4096 Aug 25 15:34 all.39sky.com/
drwxr-xr-x 2 root root 4096 Aug 25 15:36 all.zuiyoujie.com/
-rw-r--r-- 1 root root 740 Aug 25 15:34 README
[email protected]:/opt/scripts/letscertbot# tree /etc/letsencrypt/live/
/etc/letsencrypt/live/
├── all.39sky.com
│ ├── cert.pem -> ../../archive/all.39sky.com/cert1.pem
│ ├── chain.pem -> ../../archive/all.39sky.com/chain1.pem
│ ├── fullchain.pem -> ../../archive/all.39sky.com/fullchain1.pem
│ ├── privkey.pem -> ../../archive/all.39sky.com/privkey1.pem
│ └── README
├── all.zuiyoujie.com
│ ├── cert.pem -> ../../archive/all.zuiyoujie.com/cert1.pem
│ ├── chain.pem -> ../../archive/all.zuiyoujie.com/chain1.pem
│ ├── fullchain.pem -> ../../archive/all.zuiyoujie.com/fullchain1.pem
│ ├── privkey.pem -> ../../archive/all.zuiyoujie.com/privkey1.pem
│ └── README
└── README
2 directories, 11 files
[email protected]:/etc/letsencrypt/archive/all.39sky.com# ll
total 24
drwxr-xr-x 2 root root 4096 Aug 25 15:34 ./
drwx------ 4 root root 4096 Aug 25 15:36 ../
-rw-r--r-- 1 root root 1899 Aug 25 15:34 cert1.pem
-rw-r--r-- 1 root root 1647 Aug 25 15:34 chain1.pem
-rw-r--r-- 1 root root 3546 Aug 25 15:34 fullchain1.pem
-rw------- 1 root root 1704 Aug 25 15:34 privkey1.pem
--------------------------------------------
# Files in the certificate directory
cert1.pem # server (leaf) certificate; goes at the top
chain1.pem # CA (intermediate) certificate, placed below the server certificate; if there are several, concatenate them from the leaf's issuer upwards
fullchain1.pem # the combined certificate, ready to use directly
privkey1.pem # private key
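The following is an added example, not from the original post or the letscertbot project: a POSIX shell check that a live/<name> directory like the ones listed above is complete, that fullchain.pem really is cert.pem followed by chain.pem, and that the resolved private key is not group- or world-readable, plus an optional openssl check that the key matches the leaf certificate and that the certificate is not about to expire. The directory path argument and the 30-day renewal window are assumptions.

```shell
# Added example, not part of the original post or of the letscertbot project:
# sanity-check a certbot live directory before a web server is pointed at it.
# Assumes the layout shown above: live/<name>/*.pem are symlinks into archive/<name>/.
check_live_dir() {
    live="$1"    # e.g. /etc/letsencrypt/live/all.zuiyoujie.com
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        # each entry must exist and, if it is a symlink, resolve to a regular file
        [ -f "$live/$f" ] || { echo "missing or dangling: $live/$f"; return 1; }
    done
    # fullchain.pem must be exactly cert.pem followed by chain.pem
    if ! cat "$live/cert.pem" "$live/chain.pem" | cmp -s - "$live/fullchain.pem"; then
        echo "fullchain.pem is not cert.pem + chain.pem"; return 1
    fi
    # the key file itself (not the symlink) must be unreadable by group and others,
    # matching the -rw------- shown in the archive listing above
    key=$(readlink -f "$live/privkey.pem")
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        600|400) ;;
        *) echo "privkey mode $mode too permissive: $key"; return 1 ;;
    esac
    echo "ok: $live"
}

# Optional deeper check when openssl is installed: the private key must match
# the leaf certificate, and the certificate must still be valid 30 days from now.
check_with_openssl() {
    live="$1"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
    cert_pub=$(openssl x509 -in "$live/cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$live/privkey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "privkey.pem does not match cert.pem"; return 1; }
    openssl x509 -in "$live/cert.pem" -noout -checkend 2592000 \
        || { echo "cert.pem expires within 30 days; run certbot renew"; return 1; }
    echo "openssl checks ok: $live"
}
```

Run `check_live_dir /etc/letsencrypt/live/all.zuiyoujie.com` (and `check_with_openssl` with the same path) after obtain.py finishes and again from the renewal hook.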
10. References