Install Certbot
Reference links:
https://certbot.eff.org/docs/using.html?highlight=renew#automated-renewals
https://askubuntu.com/questions/553937/what-is-the-difference-between-the-core-full-extras-and-light-packages-for-ngi
https://salsa.debian.org/nginx-team/nginx/-/blob/master/debian/control
Debian:

```shell
sudo apt-get -y install certbot
sudo apt-get -y install nginx-light libnginx-mod-stream # optional
#sudo apt-get -y install nginx # nginx-full
```
CentOS:

```shell
sudo yum -y install epel-release
sudo yum -y install certbot
sudo systemctl start certbot-renew.timer && sudo systemctl enable certbot-renew.timer
sudo yum -y install nginx nginx-mod-stream # optional
#SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}') && echo "0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q" | sudo tee -a /etc/cron.d/certbot > /dev/null
```
Obtain an SSL certificate
Manual mode, wildcard certificate
Reference links:
https://certbot.eff.org/docs/using.html#manual
https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks
Cloudflare API: official link
DNSPod API: official link
GoDaddy API: official link
Cloudflare
Login Email: [email protected]
Zone ID: 2109e1497fb164ac32a8a56f493jd767
Global API Key: b16b2371170e9i9t7aed5df44a69f3k0fd947
--manual-public-ip-logging-ok
# This flag is deprecated in newer Certbot versions
```shell
# The JSON body passed to curl -d must be quoted, so the hook shell hands it to curl as one argument
# (unquoted braces with commas would be brace-expanded by bash). The wildcard is quoted to prevent globbing.
sudo certbot certonly --manual \
-d yanyong.cc -d '*.yanyong.cc' \
--email [email protected] \
--agree-tos \
--no-eff-email \
--preferred-challenges=dns \
--manual-public-ip-logging-ok \
--manual-auth-hook \
'curl -sS -X POST "https://api.cloudflare.com/client/v4/zones/2109e1497fb164ac32a8a56f493jd767/dns_records" -H "X-Auth-Email: [email protected]" -H "X-Auth-Key: b16b2371170e9i9t7aed5df44a69f3k0fd947" -H "Content-Type: application/json" -d "{\"type\":\"TXT\",\"name\":\"_acme-challenge.yanyong.cc\",\"content\":\"$CERTBOT_VALIDATION\",\"ttl\":1,\"proxied\":false}" && sleep 30' \
--manual-cleanup-hook \
'sleep 30 && id=`curl -sS -X GET "https://api.cloudflare.com/client/v4/zones/2109e1497fb164ac32a8a56f493jd767/dns_records?name=_acme-challenge.yanyong.cc" -H "X-Auth-Email: [email protected]" -H "X-Auth-Key: b16b2371170e9i9t7aed5df44a69f3k0fd947" -H "Content-Type: application/json" | \
grep -oP "(?<=result\":\[\{\"id\":\")\w+"` \
&& curl -sS -X DELETE "https://api.cloudflare.com/client/v4/zones/2109e1497fb164ac32a8a56f493jd767/dns_records/$id" -H "X-Auth-Email: [email protected]" -H "X-Auth-Key: b16b2371170e9i9t7aed5df44a69f3k0fd947" -H "Content-Type: application/json"' \
--deploy-hook 'systemctl reload nginx'
```
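The same Cloudflare flow as a hook script, added here as an example (not from the original post): it keeps the Global API Key off the command line by reading it from an assumed root-only file, parses the API JSON instead of grepping it, and hands the created record id from the auth hook to the cleanup hook through Certbot's CERTBOT_AUTH_OUTPUT, so cleanup never has to list records and guess. The script path /usr/local/bin/cf_hook.py and the ini layout are assumptions.

```python
#!/usr/bin/env python3
# Cloudflare DNS-01 hook for `certbot --manual` (added example, not from the original post).
# Hypothetical usage:  --manual-auth-hook "/usr/local/bin/cf_hook.py auth"
#                      --manual-cleanup-hook "/usr/local/bin/cf_hook.py cleanup"
# Credentials are read from an assumed root-only file, not passed on the command line,
# so they do not show up in `ps` output or shell history.
import configparser, json, os, sys, time, urllib.request

API = "https://api.cloudflare.com/client/v4"
CREDENTIALS = "/etc/letsencrypt/cloudflare.ini"  # [cloudflare] email= / api_key= / zone_id=

def load_credentials(path=CREDENTIALS):
    cfg = configparser.ConfigParser()
    cfg.read(path)
    section = cfg["cloudflare"]
    return section["email"], section["api_key"], section["zone_id"]

def txt_payload(domain, validation):
    """Body for POST /zones/{zone_id}/dns_records; ttl=1 means 'automatic' at Cloudflare."""
    return {"type": "TXT", "name": "_acme-challenge." + domain,
            "content": validation, "ttl": 1, "proxied": False}

def record_id_from_response(body):
    """Parse the JSON reply instead of grepping it, and fail loudly on an API error."""
    data = json.loads(body)
    if not data.get("success"):
        raise RuntimeError("Cloudflare API error: %s" % data.get("errors"))
    return data["result"]["id"]

def request(method, url, email, key, payload=None):
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-Auth-Email": email, "X-Auth-Key": key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

def main(argv):
    email, key, zone = load_credentials()
    domain = os.environ["CERTBOT_DOMAIN"]  # for *.yanyong.cc certbot passes yanyong.cc
    if argv[1] == "auth":
        body = request("POST", f"{API}/zones/{zone}/dns_records", email, key,
                       txt_payload(domain, os.environ["CERTBOT_VALIDATION"]))
        print(record_id_from_response(body))  # stdout reaches cleanup as CERTBOT_AUTH_OUTPUT
        time.sleep(30)  # let the record propagate before the CA queries it
    elif argv[1] == "cleanup":
        record_id = os.environ["CERTBOT_AUTH_OUTPUT"].strip()
        request("DELETE", f"{API}/zones/{zone}/dns_records/{record_id}", email, key)

if __name__ == "__main__":
    main(sys.argv)
```

With `-d yanyong.cc -d '*.yanyong.cc'` Certbot runs the auth and cleanup pair once per name, each cleanup call receiving the id printed by its own auth call.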
DNSPod/Tencent Cloud
ID: 168457
Token: b472bfa84ac4e861c926crb0926c9d77
--manual-public-ip-logging-ok
# This flag is deprecated in newer Certbot versions
```shell
# The wildcard is quoted to prevent shell globbing; $CERTBOT_DOMAIN is the base domain for both names
sudo certbot certonly --manual \
-d yanyong.cc -d '*.yanyong.cc' \
--email [email protected] \
--agree-tos \
--no-eff-email \
--preferred-challenges=dns \
--manual-public-ip-logging-ok \
--manual-auth-hook \
'wget https://dnsapi.cn/Record.Create -qO - --post-data "login_token=168457,b472bfa84ac4e861c926crb0926c9d77&domain=$CERTBOT_DOMAIN&sub_domain=_acme-challenge&record_type=TXT&record_line_id=0&value=$CERTBOT_VALIDATION" && sleep 30' \
--manual-cleanup-hook \
'sleep 30 && recordid=`wget https://dnsapi.cn/Record.List -qO - --post-data "login_token=168457,b472bfa84ac4e861c926crb0926c9d77&domain=$CERTBOT_DOMAIN&sub_domain=_acme-challenge&record_type=TXT&record_line_id=0" | \
grep -oP "(?<=records\":\[\{\"id\":\")\d+"` \
&& wget https://dnsapi.cn/Record.Remove -qO - --post-data "login_token=168457,b472bfa84ac4e861c926crb0926c9d77&domain=$CERTBOT_DOMAIN&record_id=$recordid"' \
--deploy-hook 'systemctl reload nginx'
```
GoDaddy
API Key: e9CahQ5IAHEz_CbrhCS1CxpXgLPgAdCUk17
Secret API Key: LMFh2nNET8szNIT14bT1A7
Customer ID: 379363747
--manual-public-ip-logging-ok
# This flag is deprecated in newer Certbot versions
```shell
# The wildcard is quoted to prevent shell globbing
sudo certbot certonly --manual \
-d yanyong.cc -d '*.yanyong.cc' \
--email [email protected] \
--agree-tos \
--no-eff-email \
--preferred-challenges=dns \
--manual-public-ip-logging-ok \
--manual-auth-hook \
'curl -sS -X PATCH "https://api.godaddy.com/v1/domains/yanyong.cc/records" -H "accept: application/json" -H "Content-Type: application/json" -H "Authorization: sso-key e9CahQ5IAHEz_CbrhCS1CxpXgLPgAdCUk17:LMFh2nNET8szNIT14bT1A7" -d "[ { \"data\": \"$CERTBOT_VALIDATION\", \"name\": \"_acme-challenge\", \"ttl\": 600, \"type\": \"TXT\" }]" && sleep 60' \
--manual-cleanup-hook \
'sleep 60 && curl -sS -X DELETE "https://api.godaddy.com/v1/domains/yanyong.cc/records/TXT/_acme-challenge" -H "accept: application/json" -H "X-Shopper-Id: 379363747" -H "Authorization: sso-key e9CahQ5IAHEz_CbrhCS1CxpXgLPgAdCUk17:LMFh2nNET8szNIT14bT1A7"' \
--deploy-hook 'systemctl reload nginx'
```
Standalone mode reference
Standalone mode starts its own temporary web server to answer the challenge, so if a web server (nginx, Apache, etc.) is already running on the machine the two will conflict, and this mode is not recommended there. It works where no web service is needed, for example on a VPN server.

```shell
sudo certbot certonly --standalone -d vpn.yanyong.cc --email [email protected] --agree-tos --no-eff-email
```
Webroot mode reference

```nginx
# nginx configuration reference:
server {
    listen 443 ssl http2;
    server_name yanyong.cc;
    root /srv/www/www.yanyong.cc;
    ssl_certificate /etc/letsencrypt/live/yanyong.cc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yanyong.cc/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yanyong.cc/chain.pem;
    # omitted...
}
server {
    listen 443 ssl http2;
    server_name www.yanyong.cc;
    ssl_certificate /etc/letsencrypt/live/yanyong.cc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yanyong.cc/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yanyong.cc/chain.pem;
    return 301 https://yanyong.cc$request_uri;
}
server {
    listen 80;
    server_name yanyong.cc www.yanyong.cc;
    # challenge files are served from the webroot given to certbot; everything else goes to HTTPS
    location ^~ /.well-known/acme-challenge/ {
        root /srv/www/_letsencrypt;
    }
    location / {
        return 301 https://yanyong.cc$request_uri;
    }
}
```

```shell
sudo certbot certonly --webroot -w /srv/www/_letsencrypt \
-d yanyong.cc -d www.yanyong.cc \
--email [email protected] \
--agree-tos \
--no-eff-email \
--deploy-hook 'systemctl reload nginx'
```