I had long heard that you can use Let's Encrypt to install a free SSL certificate and get HTTPS encryption, but, as a hopeless procrastinator, I never got around to trying it. Today I happened to have some time, tried the installation, and found that it is actually very simple.
Let's Encrypt's Getting Started page points you to the Certbot site; pick your Linux distribution and web server there and follow the instructions. For Alan's blog that means CentOS 6 and Apache:
```shell
cd /opt/
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto --apache
# Select the sites to secure when prompted and follow the steps to complete the installation
```
IMPORTANT NOTES:
– Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Setting up automatic renewal
Let's Encrypt certificates have a limited validity: officially they currently need to be renewed every 3 months. The installation above also asks for an email address so that you receive renewal reminders, but the same page offers an automatic renewal option, which only needs a cron job:
```shell
# Test that renewal works without actually renewing anything
/opt/certbot-auto renew --dry-run
# Edit the crontab
crontab -e
# Add the following; the official recommendation is to check twice a day
00 00 * * * /opt/certbot-auto renew
00 12 * * * /opt/certbot-auto renew
# or (the minute field must be 0, not *, or this runs every minute of hours 0 and 12)
0 */12 * * * /opt/certbot-auto renew
```
That completes the setup.
Common problems
1. Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
This is said to be caused by the security issue with TLS-SNI-01. There are other workarounds online, but Alan found that simply re-running the installation made automatic renewal succeed:
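To check on the renewal from outside certbot, here is an added example (not from the post) that reads the expiry date that `openssl x509 -noout -enddate` prints for a certificate and reports whether it is inside certbot's default 30-day renewal window. The certificate path follows certbot's /etc/letsencrypt/live/<domain>/cert.pem layout with example.com as a placeholder domain, and an openssl binary is assumed to be available.

```python
#!/usr/bin/env python3
"""Decide whether a Let's Encrypt certificate is due for renewal, based on
the notAfter line printed by `openssl x509 -noout -enddate`."""
import subprocess
import sys
from datetime import datetime, timezone

RENEW_WITHIN_DAYS = 30  # certbot's default renewal threshold
# Assumed path: certbot's standard live directory layout (replace the domain)
DEFAULT_CERT = "/etc/letsencrypt/live/example.com/cert.pem"


def parse_enddate(line: str) -> datetime:
    """Parse 'notAfter=Jun  1 12:00:00 2024 GMT' into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter" or not value.endswith(" GMT"):
        raise ValueError(f"unexpected enddate output: {line!r}")
    # strptime tolerates openssl's double-space day padding ("Jun  1")
    naive = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after: datetime, now: datetime) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days


def needs_renewal(not_after: datetime, now: datetime,
                  window_days: int = RENEW_WITHIN_DAYS) -> bool:
    """True when inside certbot's renewal window (or already expired)."""
    return days_remaining(not_after, now) < window_days


def cert_enddate(cert_path: str) -> datetime:
    """Ask the system openssl for the expiry of a PEM certificate on disk."""
    out = subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-noout", "-enddate"],
        check=True, capture_output=True, text=True).stdout
    return parse_enddate(out)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CERT
    not_after = cert_enddate(path)
    now = datetime.now(timezone.utc)
    left = days_remaining(not_after, now)
    print(f"{path}: expires {not_after:%Y-%m-%d}, {left} days left")
    # Exit non-zero inside the window, so a cron run mails you if renewal failed
    sys.exit(1 if needs_renewal(not_after, now) else 0)
```

Run it from a second cron entry a few hours after the renew job; a non-zero exit means certbot did not renew when it should have.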
```shell
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
sudo yum install certbot python2-certbot-apache
```
2. Another instance of Certbot is already running.
```shell
# Locate the stale lock file (first confirm with ps that no certbot process is actually running)
find / -type f -name ".certbot.lock"
find / -type f -name ".certbot.lock" -exec rm {} \;
```
3. ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.
```shell
rpm -Uvh https://cbs.centos.org/kojifiles/packages/pyOpenSSL/16.2.0/3.el7/noarch/python2-pyOpenSSL-16.2.0-3.el7.noarch.rpm
# easy_install --upgrade pip
# Alternatively, install certbot via snap
sudo yum -y install snapd
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
yum remove certbot -y
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
certbot renew --dry-run
```