
How to Install a Let's Encrypt SSL Certificate on Ubuntu 18.04

Date: 2020-09-16 15:21:41


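Certbot is a user-friendly automated client that obtains and deploys SSL/TLS certificates for your web server. It is a tool for fetching certificates from Let's Encrypt and automatically enabling HTTPS on your server; in short, it serves as the official "Let's Encrypt client", also called the "Let's Encrypt Python client". It uses the Automatic Certificate Management Environment (ACME) to automatically deploy free certificates that are trusted by most browsers, so it works with any CA that supports the ACME protocol.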

In this article, I will explain how to use Certbot to obtain and install a free Let's Encrypt SSL certificate for Apache and Nginx on an Ubuntu 18.04 server.

Prerequisites

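An Ubuntu Bionic (18.04) server with root access, on which the required packages can be installed as needed, and a registered domain name with proper DNS records. In this article, I will use ,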

Installing Certbot

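First, to obtain a Let's Encrypt SSL certificate we need to install the Certbot software. Although Certbot has recently become available in Ubuntu, those packages tend to be outdated. You can install Certbot with the following commands: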

#add-apt-repository ppa:certbot/certbot
#apt update
#apt install certbot

Confirm the installed Certbot version with the following command:

# certbot --version
certbot 0.23.0

In addition, we can use the "certbot plugins" command to see which Certbot plugins are installed and available on the server.

# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log
* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
-------------------------------------------------------------------------------

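By default, the package includes only the standalone and webroot plugins. Depending on our purpose, we can enable the other plugins we need one at a time.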

Setting up a Let's Encrypt SSL certificate on Apache

Certbot provides an Apache plugin that makes issuing SSL certificates easier. Run the following command to install the plugin:

#apt install python-certbot-apache

Assuming a proper virtual host exists for our domain, we can run this command to install SSL for our domain.

# certbot --apache -d -d 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 
http-01 challenge for 
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/.conf to ssl vhost in /etc/apache2/sites-available/-le-ssl.conf
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled and
You should test your configuration at:
/ssltest/analyze.html?d=
/ssltest/analyze.html?d=
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/-0002/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/-0002/privkey.pem
Your cert will expire on -09-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: /donate
Donating to EFF: /donate-le

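The interactive process above guides you through signing and installing the certificate for your domain. The command automatically downloads the certificate, installs it and configures it in the virtual host for your domain. You can now access the domain over HTTPS to confirm that it works, and verify the SSL status in an SSL checker.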

If multiple virtual hosts/domains are configured, you can install SSL certificates for them with the following command.

#certbot --apache

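Also, if you do not want Certbot to automatically install the new SSL certificate and configure the domain's virtual host, you can use the following command to generate the SSL certificate only and configure it manually later.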

#certbot --apache certonly

Setting up a Let's Encrypt SSL certificate on Nginx

For servers running Nginx, we can use the Certbot nginx plugin to obtain and install SSL certificates automatically. You can install the plugin with the following command:

#apt install python-certbot-nginx

Assuming a virtual host exists for our domain, run this command to install SSL for the domain:

# certbot --nginx -d -d 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
-------------------------------------------------------------------------------
Please read the Terms of Service at
/documents/LE-SA-v1.2-November-15-.pdf. You must
agree in order to register with the ACME server at
https://acme-v01./directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 
http-01 challenge for 
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/.conf
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/.conf
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled and
You should test your configuration at:
/ssltest/analyze.html?d=
/ssltest/analyze.html?d=
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live//fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live//privkey.pem
Your cert will expire on -09-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: /donate
Donating to EFF: /donate-le

You can replace my domain with your own and run the same command to generate your SSL certificate.

If you have multiple virtual hosts/domains configured, you can install SSL certificates for all of them with the following command.

#certbot --nginx

Certbot will ask you to choose which domains to include in the new certificate.

#certbot --nginx certonly
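
Both Certbot runs above end with a note that the certificate will expire and that "certbot renew" renews it. As an added example (not part of the original article), the shell function below reads a `certbot certificates` listing and reports certificates that are invalid or have fewer than a given number of days left. The sample listing is constructed, the example.com names are placeholders, and the listing layout ("Certificate Name:" and "Expiry Date: ... (VALID: N days)" lines) is an assumption to check against your installed Certbot version.

```shell
#!/bin/sh
# Added example: report Let's Encrypt certificates that need attention, from
# the text printed by `certbot certificates`.
# Assumption: every certificate block has a "Certificate Name:" line followed
# by an "Expiry Date: ... (VALID: N days)" or "(INVALID: ...)" line.

# expiring_certs LIMIT_DAYS: reads a listing on stdin and prints
# "<name> <days left | INVALID>" for each certificate that is invalid or has
# fewer than LIMIT_DAYS days left.
expiring_certs() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            if ($0 ~ /\(INVALID/) { print name, "INVALID"; next }
            # Validity given in hours means less than one day is left
            if ($0 ~ /\(VALID: [0-9]+ hour/) { if (limit > 0) print name, 0; next }
            if (match($0, /\(VALID: [0-9]+ day/)) {
                # "(VALID: " is 8 characters and " day" is 4
                days = substr($0, RSTART + 8, RLENGTH - 12) + 0
                if (days < limit) print name, days
            }
        }'
}

# Constructed sample listing (placeholder names and dates, not from the article).
sample_listing() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-04-01 10:15:00+00:00 (VALID: 89 days)
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2030-01-14 08:00:00+00:00 (VALID: 12 days)
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2030-01-02 19:30:00+00:00 (VALID: 7 hour(s))
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2029-12-01 08:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Demo on the sample; on a server: certbot certificates | expiring_certs 30
sample_listing | expiring_certs 30
```

Any line printed by `expiring_certs` is a certificate whose renewal should be investigated, for example with "certbot renew".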
