LetsEncrypt与Certbot之certbot命令介绍

袁亦
2023-12-01

为了在网站上启用https,我们需要从CA(Certificate Authority)申请一个证书,Let’s Encrypt是一个CA 。为了从Let’s Encrypt获取我们网站域名的证书,我们必须证明对域名的控制权。使用Let’s Encrypt,我们可以使用使用ACME协议的软件来执行此操作,该协议通常在我们的Web主机上运行。

如果有用shell访问web主机的权限,推荐使用Certbot ACME客户端,它可以自动执行证书颁发和安装,无需停机。它还为不想要自动配置的人提供专家模式。它易于使用,适用于许多操作系统,并且具有出色的文档。
如果Certbot不满足你的需求, 还有其他的ACME客户端 供选择。

2 Certbot
Certbot 官网

2.1 安装Certbot
Get Certbot

2.1.1 使用certbot-auto方式安装
推荐使用certbot-auto,使用它会自动创建python venv虚拟环境,并在其中安装certbot及其依赖

user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
user@webserver:~$ ./certbot-auto --help
Usage: certbot-auto [OPTIONS]
A self-updating wrapper script for the Certbot ACME client. When run, updates
to both this script and certbot will be downloaded and installed. After
ensuring you have the latest versions installed, certbot will be invoked with
all arguments you have provided.

Help for certbot itself cannot be provided until it is installed.

–debug attempt experimental installation
-h, --help print this help
-n, --non-interactive, --noninteractive run without asking for user input
–no-bootstrap do not install OS dependencies
–no-self-upgrade do not download updates
–os-packages-only install OS dependencies and exit
–install-only install certbot, upgrade if needed, and exit
-v, --verbose provide more output
-q, --quiet provide only update/error output;
implies --non-interactive
可以创建 certbot-auto 软链接到 /usr/bin/ 或者 /usr/local/bin/ 下,这样就可以直接执行命令

根据提示安装certbot和依赖,需要使用root用户

user@webserver:~# ./certbot-auto --install-only
查看certbot帮助

user@webserver:~# ./certbot-auto -h


certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near
expiry
enhance Add security enhancements to your existing configuration
-d DOMAINS Comma-separated list of domains to obtain a certificate for

–apache Use the Apache plugin for authentication & installation
–standalone Run a standalone webserver for authentication
–nginx Use the Nginx plugin for authentication & installation
–webroot Place files in a server’s webroot folder for authentication
–manual Obtain certificates interactively, or using shell script
hooks

-n Run non-interactively
–test-cert Obtain a test certificate from a staging server
–dry-run Test “renew” or “certonly” without saving any certificates
to disk

manage certificates:
certificates Display information about certificates you have from Certbot
revoke Revoke a certificate (supply --cert-path or --cert-name)
delete Delete a certificate

manage your account with Let’s Encrypt:
register Create a Let’s Encrypt ACME account
–agree-tos Agree to the ACME server’s Subscriber Agreement
-m EMAIL Email address for important account notifications

More detailed help:

-h, --help [TOPIC] print this message, or detailed help on a topic;
the available TOPICS are:

all, automation, commands, paths, security, testing, or any of the
subcommands or plugins (certonly, renew, install, register, nginx,
apache, standalone, webroot, etc.)


运行certbot命令查看现有证书

user@webserver:~# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certs found.


文件certbot-auto中有venv的位置

if [ -z “$VENV_PATH” ]; then

We export these values so they are preserved properly if this script is

rerun with sudo/su where H O M E / HOME/ HOME/XDG_DATA_HOME may have a different value.

export OLD_VENV_PATH="$XDG_DATA_HOME/letsencrypt"
export VENV_PATH="/opt/eff.org/certbot/venv"
fi
我们可以尝试运行venv环境,检查安装的包

[root@journal certbot]# pwd
/opt/eff.org/certbot
[root@journal certbot]# ll
drwxr-xr-x 5 root root 4096 Dec 19 11:33 venv
[root@journal certbot]# source venv/bin/activate
(venv) [root@journal certbot]# pip list |grep certbot
certbot (0.29.1)
certbot-apache (0.29.1)
certbot-nginx (0.29.1)
(venv) [root@journal certbot]# deactivate
[root@journal certbot]#
2.1.2 使用Ansible批量安装
certbot-auto是官方给出的使用vitrualenv方式安装certbot的方法,此方法简单易用,但是由于对脚本逻辑不太了解,可能会对管理上带来困难。
我们自己用vitrualenv方式安装certbot,下面是Ansible批量安装的一个playbook:

install-certbot.yml


  • hosts: webpool-qa:webpool-live
    become: yes
    gather_facts: false
    tasks:
    • name: 1. Install certbot into virtualenv
      pip:
      name: certbot
      state: present
      virtualenv: /root/python-certbot
    • name: 2. Ensure logger(util-linux) have been installed
      yum:
      name: util-linux
      state: present
    • name: 3. Install cert_renew.sh script
      copy:
      src: ./scripts/cert_renew.sh
      dest: /root/cert_renew.sh
      mode: 0755
    • name: 4. Copy cert_posthook.sh if it not exists
      copy:
      src: ./scripts/cert_posthook.sh
      dest: /root/cert_posthook.sh
      mode: 0755
      force: no
    • name: 5. Create certbot job on root account
      cron:
      name: “certbot renew job”
      state: present
      minute: 45
      hour: 14
      job: “/root/cert_renew.sh 2>&1 | /usr/bin/logger -t certbot”
      cert_renew.sh

#!/bin/bash

source /root/python-certbot/bin/activate
certbot renew --post-hook “/root/cert_posthook.sh”
cert_posthook.sh

#!/bin/bash

#Restart local httpd
/sbin/service httpd restart
执行下列命令进行安装

ansible install-certbot.yml

2.1.3 其他方式安装
我们还可以使用git版本的Certbot Use git version certbot

2.2 申请证书
Certbot User Guide

申请证书脚本

[root@journal ~]# mkdir certbot
[root@journal ~]# mv certbot-auto certbot/
[root@journal ~]# cd certbot/
[root@journal ~]# vim cert_apply.sh
#!/bin/bash
./certbot-auto certonly --webroot
-w /data/web -d example.demo.com
自动renew脚本

[root@journal ~]# vim cert_renew.sh
#!/bin/bash
./certbot-auto renew --post-hook “service httpd restart”

certbot renew --pre-hook “service nginx stop” --post-hook “service nginx start”

有效期在30天以上的证书,可使用–force-renewal强制更新;
注意:证书更新过一次之后,会在/etc/letsencrypt/renewal目录下生成对应证书名称的配置文件,记录更新时使用的参数、配置等。

renew脚本定时任务

(需要logger命令),最好触发测试一下

[root@journal certbot]# crontab -l

renew letsencrpyt SSL certificate

36 15 * * 1-5 /root/certbot/cert_renew.sh 2>&1 | /usr/bin/logger -t certbot
2.3 为网站添加证书流程
查看原证书信息

./certbot-auto certificates

编辑申请证书脚本,添加新网站

vim cert_apply.sh

确认vhost配置文件内原证书位置

cd /etc/httpd/conf.d/

grep .pem . -R

grep .pem domain.demo.com.conf

如果提示会生成新的证书,而不是扩展原有证书,则删除原有证书 ,在重启apache之短时间内原证书仍然生效

./certbot-auto delete

生成新证书 ,确保证书位置与原来的一致

./cert_apply.sh

检查apache配置文件语法

apachectl -t

如果Syntax OK,重启apache服务

systemctl restart httpd

原文链接:https://www.jianshu.com/p/6ce6ea52ab5e

 类似资料: