Environment

Item        Version                                                                                      Notes
OS          Ubuntu 22.04.3 LTS (Jammy Jellyfish)                                                         -
Kernel      5.15.0-88-generic #98-Ubuntu SMP Mon Oct 2 15:18:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux   -
Certbot     v2.9.0                                                                                       -

Certbot installation

Note: every command below is run as root.

Certbot website: https://certbot.eff.org/

1. Following the install instructions on the official site, install snapd first:

apt install -y snapd

2. If certbot was previously installed with apt, remove that copy first so that two versions do not coexist on the system:

apt remove -y certbot

3. Install the latest certbot with snap (the package name is "certbot"):

snap install --classic certbot

4. Once installed, symlink the certbot executable into /usr/bin so that cron jobs and scripts without /snap/bin on their PATH can find it:

ln -s /snap/bin/certbot /usr/bin/certbot

At this point the certbot installation is complete.

Using Certbot

Commonly used certbot options:

Option         Sub-option   Meaning                                                                     Notes
-d             -            Domain name(s) to put on the certificate; separate several with commas (or repeat -d)   -
-m             -            E-mail address registered with the ACME account (receives expiry and security notices)   -
--nginx        -            Use the nginx plugin for both validation and installation                   Needs the nginx plugin (apt package python3-certbot-nginx; the snap bundles it)
--apache       -            Use the apache plugin for both validation and installation                  Needs the apache plugin (apt package python3-certbot-apache; the snap bundles it)
--dry-run      -            Test "renew" or "certonly" against the staging server; nothing is saved to disk   -
--manual       -            Obtain a certificate interactively, or non-interactively via hook scripts   -
--webroot      -            Validate by placing a file under the site's document root                   Use when you know the document root and the site is reachable over plain HTTP on port 80
               -w           Path to the site's document root                                            -
--standalone   -            Validate with certbot's own temporary web server                            Use when there is no document root (e.g. a reverse proxy) or you do not know where it is.
                                                                                                        The site itself need not be reachable, but nothing else may be listening on port 80 while certbot runs.

Requesting a certificate with --webroot

This method applies when the site has a document root (you know its path) and is already reachable over plain HTTP: certbot writes the challenge file under <webroot>/.well-known/acme-challenge/ and the CA fetches it on port 80.

1. Run certbot certonly --webroot ... on the server to request the certificate:

root@iZ5ts4ir4avgeumt2dhyhmZ:~# certbot certonly --webroot -w /data/websites/apache/site04/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected] # the address that will receive expiry and security notices

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y # accept the subscriber agreement

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y # EFF newsletter opt-in; answering N is fine
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): apache02.xxxxu.com # the domain to certify
Requesting a certificate for apache02.xxxxu.com

# the issuance result follows
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/apache02.xxxxu.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/apache02.xxxxu.com/privkey.pem
This certificate expires on 2024-06-05.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The interactive run above can be shortened by passing the domain and e-mail on the command line (for a fully unattended run, add --agree-tos, --no-eff-email and -n). The prompt in the output below appears only because a certificate for this domain was already issued in the previous step:

root@iZ5ts4ir4avgeumt2dhyhmZ:~# certbot certonly --webroot -w /data/websites/apache/site04 -d apache02.xxxxu.com -m [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/apache02.xxxxu.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Requesting a certificate with --standalone

This method is used when the site has no document root (for example, it is a reverse proxy) or you do not know where the document root is. Certbot starts its own temporary web server on port 80 to answer the HTTP-01 challenge, so nothing else may be listening on port 80 while it runs.

1. Run certbot certonly --standalone ... on the server to request the certificate:

root@iZ5ts4ir4avgeumt2dhyhmZ:~# certbot certonly --standalone -d apache03.xxxxu.com,apache04.xxxxu.com -m [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for apache03.xxxxu.com and apache04.xxxxu.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/apache03.xxxxu.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/apache03.xxxxu.com/privkey.pem
This certificate expires on 2024-06-06.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If port 80 is already in use, the run fails as shown below. The fix is to stop whatever holds port 80 for the duration of the run (find it with ss -ltnp | grep ':80 '). For renewals, let certbot stop and start the service itself with --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"; the hooks are stored in the certificate's renewal configuration and re-run by certbot renew:

root@iZ5ts4ir4avgeumt2dhyhmZ:~# certbot certonly --standalone -d apache03.xxxxu.com,apache04.xxxxu.com -m [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for apache03.xxxxu.com and apache04.xxxxu.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Could not bind TCP port 80 because it is already in use by another process on
this system (such as a web server). Please stop the program in question and then
try again.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(R)etry/(C)ancel: C
Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Requesting a certificate manually with --manual

This method is for interactive requests and is especially suited to wildcard certificates (-d '*.abc.com,abc.com'), which Let's Encrypt issues only through the DNS-01 challenge. It supports two validation methods:

  • DNS validation: you create a TXT record at your DNS provider;
  • Webroot file validation: you create a file with a given name and content under the site's document root, after which the certificate is issued.

DNS-based validation

root@iZ5ts4ir4avgeumt2dhyhmZ:~# certbot certonly --manual -d apache05.xxxxu.com --preferred-challenges=dns -m [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for apache05.xxxxu.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.apache05.xxxxu.com.

with the following value:

k-p2Ap2b9YOKB1JJL2XGVS9OFuVWSqZaKqz4zhXL5MU

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.apache05.xxxxu.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue # do not press Enter yet: first create the TXT record shown above at your DNS provider

2. Create the TXT record at your DNS provider, as shown:

Note:
After adding the record, do not press Enter at the certbot prompt straight away. Wait 1 to 3 minutes, or better, confirm the record is visible (with dig, or the Google Admin Toolbox link certbot printed) before continuing, otherwise the CA's lookup fails and the challenge has to be repeated.

3. Return to the certbot prompt and press Enter:

Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/apache05.xxxxu.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/apache05.xxxxu.com/privkey.pem
This certificate expires on 2024-06-06.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
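The "wait 1 to 3 minutes" step above is guesswork. The following script, added here as an example and not part of the original post or of certbot, replaces it with a check: it finds the authoritative name servers for the zone and keeps polling until every one of them returns the expected TXT value, then tells you it is safe to press Enter. It assumes dig (bind9-dnsutils on Ubuntu) is installed; the record name and value are the ones certbot printed in the transcript above.

```python
#!/usr/bin/env python3
"""Added example (not from the original post, not certbot code): confirm the
_acme-challenge TXT record is live before pressing Enter at the --manual prompt.

Ask the zone's authoritative name servers directly rather than a recursive
resolver: a recursive resolver (the host's stub resolver, 8.8.8.8, ...) may
have cached a negative answer from an earlier lookup and keep reporting "no
such record" until that TTL expires, even though the record is already live.
Assumes `dig` from bind9-dnsutils is installed.
"""
import re
import subprocess
import sys
import time

# One TXT record as printed by `dig +short`: one or more quoted chunks on a
# line, e.g.  "abc" "def"  is the single string abcdef.  Quotes and
# backslashes inside a chunk are backslash-escaped.
TXT_CHUNK = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt(dig_short_output: str) -> list:
    """Record values from `dig +short TXT` output: chunks joined, escapes undone."""
    values = []
    for line in dig_short_output.splitlines():
        chunks = TXT_CHUNK.findall(line)
        if chunks:
            values.append("".join(c.replace('\\"', '"').replace("\\\\", "\\") for c in chunks))
    return values


def dig_short(rrtype: str, name: str, server=None) -> str:
    """Run `dig +short` and return its stdout; empty string on any failure."""
    cmd = ["dig", "+short", "+time=3", "+tries=1", rrtype, name]
    if server:
        cmd.append("@" + server)
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        sys.exit("dig not found: apt install -y bind9-dnsutils")


def authoritative_servers(name: str) -> list:
    """Walk up from the record name until a label returns NS records; that
    label is the zone holding the record (apache05.xxxxu.com is normally not
    its own zone, xxxxu.com is).  Returns NS host names without trailing dots."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never query the bare TLD
        zone = ".".join(labels[i:])
        out = dig_short("NS", zone)
        # dig prints errors as ";; ..." lines; real NS names end with a dot
        servers = [ns.rstrip(".") for ns in out.split() if ns.endswith(".")]
        if servers:
            return servers
    return []


def txt_visible_everywhere(name: str, expected: str) -> bool:
    """True only when every authoritative server already serves the value."""
    servers = authoritative_servers(name)
    if not servers:
        return False
    return all(expected in parse_txt(dig_short("TXT", name, s)) for s in servers)


def wait_for_txt(name: str, expected: str, timeout: int = 300, interval: int = 10) -> bool:
    deadline = time.monotonic() + timeout
    while True:
        if txt_visible_everywhere(name, expected):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


if __name__ == "__main__":
    # Defaults are the values from the transcript above; pass your own as argv[1] argv[2].
    rec = sys.argv[1] if len(sys.argv) > 2 else "_acme-challenge.apache05.xxxxu.com"
    val = sys.argv[2] if len(sys.argv) > 2 else "k-p2Ap2b9YOKB1JJL2XGVS9OFuVWSqZaKqz4zhXL5MU"
    ok = wait_for_txt(rec, val)
    print("record visible on all authoritative servers; press Enter in certbot" if ok
          else "timed out; do not press Enter yet")
    sys.exit(0 if ok else 1)
```

Run it in a second terminal while certbot is waiting at "Press Enter to Continue". Checking each authoritative server separately matters for providers with several name servers that sync with a delay: the CA may query any of them.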

File-based validation

This is the DNS method without --preferred-challenges=dns (certbot then defaults to the HTTP-01 challenge), but the site must be reachable over plain HTTP on port 80 under the requested name.

1. Open a browser and confirm the site is reachable by its domain name, as in the screenshot:

2. Run certbot certonly --manual -d ssl01.linuser.com -m [email protected] to request the certificate:

root@ubuntu2204-003:~# certbot certonly --manual -d ssl01.linuser.com -m [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for ssl01.linuser.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

0UDXpTk_fPqqELMmNZzGmCSuEs_kT1ckFgVZqRrzWO8.Wz7Jw2DhZpAKnV69UO62FkFrREiOwWbHK43-y2g5tmQ

And make it available on your web server at this URL:

http://ssl01.linuser.com/.well-known/acme-challenge/0UDXpTk_fPqqELMmNZzGmCSuEs_kT1ckFgVZqRrzWO8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue # do not press Enter yet: create the file as instructed and test that it is served

3. Under the site's document root, create the file .well-known/acme-challenge/0UDXpTk_fPqqELMmNZzGmCSuEs_kT1ckFgVZqRrzWO8 with exactly this content:

0UDXpTk_fPqqELMmNZzGmCSuEs_kT1ckFgVZqRrzWO8.Wz7Jw2DhZpAKnV69UO62FkFrREiOwWbHK43-y2g5tmQ

4. In a browser (or with curl), fetch http://ssl01.linuser.com/.well-known/acme-challenge/0UDXpTk_fPqqELMmNZzGmCSuEs_kT1ckFgVZqRrzWO8 and confirm it returns the content above with HTTP 200. If the web server has a rule that denies access to dot-directories, exempt .well-known from it.

5. Return to the certbot prompt and press Enter:

Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ssl01.linuser.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/ssl01.linuser.com/privkey.pem
This certificate expires on 2022-11-15.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
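The --webroot run earlier on this page and the manual file step above are the same HTTP-01 mechanism; webroot mode just writes the file for you. The script below, added here as an example and not code from the original post or from certbot, shows what that file is and puts the manual step into a safe helper. The "<token>.<suffix>" string certbot asks you to publish is the ACME key authorization: the challenge token joined to the RFC 7638 thumbprint of your ACME account key, which is why the suffix is the same for every challenge of the same account and why the CA can compute the expected body from its own copy of your account key. The account JWK in the script is a constructed test key (not an account that exists); the token is the one from the transcript above; the webroot is a temporary directory.

```python
#!/usr/bin/env python3
"""Added example (not from the original post, not certbot code): the HTTP-01
challenge file, computed and deployed the way --webroot mode does it.

Layout the CA expects (RFC 8555 section 8.3):
  GET http://<domain>/.well-known/acme-challenge/<token>
  body: <token>.<base64url(SHA-256(canonical account JWK))>
"""
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path

# ACME tokens are base64url with no padding.  Enforcing that before touching
# the filesystem is what keeps a hostile token such as "../../etc/cron.d/x"
# from being written outside the challenge directory.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the *required* members only, keys
    sorted, no whitespace.  Optional members (kid, use, alg) are ignored, so
    the result does not depend on how the JWK happened to be stored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body certbot asks you to publish for this token."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url: %r" % token)
    return token + "." + jwk_thumbprint(account_jwk)


def deploy_http01(webroot: Path, token: str, keyauth: str) -> Path:
    """Write the challenge file exactly where the CA will look for it."""
    if not TOKEN_RE.match(token):
        raise ValueError("refusing to use unsafe token %r" % token)
    challenge_dir = webroot / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    target = challenge_dir / token
    target.write_text(keyauth, encoding="ascii")
    return target


def verify_served_body(body: str, token: str, account_jwk: dict) -> bool:
    """Local pre-check of what the CA will compare.  A trailing newline (an
    editor usually adds one) is tolerated here; nothing else is."""
    return body.rstrip("\r\n") == key_authorization(token, account_jwk)


# Constructed test account key (assumption: not a real ACME account).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/0",  # optional member, must be ignored
}
TOKEN = "0UDXpTk_fPqqELMmNZzGmCSuEs_kT1ckFgVZqRrzWO8"  # from the transcript above


def demo() -> dict:
    """Round trip into a temporary webroot; returns the facts worth checking."""
    ka = key_authorization(TOKEN, ACCOUNT_JWK)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        path = deploy_http01(root, TOKEN, ka)
        served = path.read_text(encoding="ascii")
        try:
            deploy_http01(root, "../../etc/cron.d/x", ka)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "relative_path": path.relative_to(root).as_posix(),
            "body": served,
            "valid": verify_served_body(served + "\n", TOKEN, ACCOUNT_JWK),
            "unsafe_token_rejected": rejected,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Run with a real webroot by calling deploy_http01(Path("/data/websites/apache/site04"), token, keyauth) with the token and body certbot printed, then fetch the URL as in step 4 before pressing Enter. The suffix certbot prints for your account will of course differ from the one this constructed key produces.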

Automatic certificate renewal

Certificates issued through certbot (Let's Encrypt) are valid for 90 days, so renewal has to be automated. Two things to know before adding a job: the snap package already installs a systemd timer, snap.certbot.renew.timer, that runs certbot renew twice a day (this is the "scheduled task" mentioned in the output above), so the cron entry below is only needed where you prefer cron or have disabled that timer; and certbot renew only renews certificates within 30 days of expiry, and skips --manual certificates unless they were issued with a --manual-auth-hook. Test the setup with certbot renew --dry-run, and make sure the web server is reloaded after a renewal (a --deploy-hook, or an executable in /etc/letsencrypt/renewal-hooks/deploy/), because a running Apache or nginx keeps the old certificate in memory until it is reloaded.

1. Append the following to /etc/crontab:

cat << 'EOF' >> /etc/crontab
# Renew certificates automatically
0 2 * * * root /usr/bin/certbot renew --quiet
EOF
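A renewal that nobody reloads the web server for is the most common way a "renewed" certificate still expires in users' browsers. The script below is an added example, not code from the original post or from certbot: a deploy hook that reloads only the service(s) terminating TLS for the domains certbot just renewed. Certbot runs a deploy hook once per renewed certificate after the new files are in place and passes RENEWED_LINEAGE and RENEWED_DOMAINS in the environment (these two variables are real certbot behaviour). The domain-to-service table and the use of systemctl are assumptions for the hosts on this page; edit them for yours.

```python
#!/usr/bin/env python3
"""Added example (not from the original post, not certbot code): a deploy hook
for `certbot renew`.

Certbot exports to a deploy hook, once per renewed certificate:
    RENEWED_LINEAGE   e.g. /etc/letsencrypt/live/apache03.xxxxu.com
    RENEWED_DOMAINS   e.g. "apache03.xxxxu.com apache04.xxxxu.com"

Install as /etc/letsencrypt/renewal-hooks/deploy/reload-webserver.py (chmod +x);
certbot runs every executable in that directory after a successful renewal.
Alternatively: certbot renew --deploy-hook /path/to/reload-webserver.py
"""
import os
import subprocess
import sys

# Which service terminates TLS for which name (assumption: edit for your hosts).
SERVICE_FOR_DOMAIN = {
    "apache02.xxxxu.com": "apache2",
    "apache03.xxxxu.com": "apache2",
    "apache04.xxxxu.com": "apache2",
    "ssl01.linuser.com": "nginx",
}


def services_to_reload(renewed_domains: str, table=SERVICE_FOR_DOMAIN) -> list:
    """Unique services for a space-separated RENEWED_DOMAINS string, in
    first-seen order.  Unknown names are skipped here and reported by main()
    rather than turned into a blanket restart of everything."""
    seen = []
    for domain in renewed_domains.split():
        svc = table.get(domain.lower())
        if svc and svc not in seen:
            seen.append(svc)
    return seen


def unknown_domains(renewed_domains: str, table=SERVICE_FOR_DOMAIN) -> list:
    """Renewed names with no service mapping; a sign the table is stale."""
    return [d for d in renewed_domains.split() if d.lower() not in table]


def reload_service(name: str, print_only: bool = False) -> bool:
    """`systemctl reload` (not restart: existing connections survive).
    Certbot only records the hook's exit status, so report failures loudly."""
    cmd = ["systemctl", "reload", name]
    if print_only:
        print("would run:", " ".join(cmd))
        return True
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        print("reload of %s failed: %s" % (name, result.stderr.strip()), file=sys.stderr)
        return False
    return True


def main() -> int:
    domains = os.environ.get("RENEWED_DOMAINS", "")
    lineage = os.environ.get("RENEWED_LINEAGE", "<not set>")
    if not domains:
        print("RENEWED_DOMAINS is not set; run this via certbot's deploy hook", file=sys.stderr)
        return 2
    for d in unknown_domains(domains):
        print("warning: no service mapped for %s (lineage %s)" % (d, lineage), file=sys.stderr)
    print_only = "--print-only" in sys.argv      # this script's own flag, for trying it by hand
    results = [reload_service(s, print_only) for s in services_to_reload(domains)]
    return 0 if all(results) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Try it by hand with RENEWED_DOMAINS="apache03.xxxxu.com apache04.xxxxu.com" ./reload-webserver.py --print-only. A non-zero exit is logged by certbot in /var/log/letsencrypt/letsencrypt.log, which is where to look when a renewal succeeded but the site still serves the old certificate.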

Note:
A wildcard certificate can only be obtained through the DNS-01 challenge, so --webroot and --standalone (which use HTTP-01) cannot request one. Use --manual with --preferred-challenges=dns as shown above, or one of certbot's DNS plugins (for example --dns-cloudflare) if the record must be created automatically at renewal time.

Certificate management

Certificate management covers listing, deleting and revoking certificates.

Listing certificates

certbot certificates lists every certificate on the server together with its details:

root@iZ5ts4ir4avgeumt2dhyhmZ:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: apache02.tufau.com
Serial Number: 3ae329734cb8b9919af7ef3212ac106be16
Key Type: ECDSA
Domains: apache02.tufau.com
Expiry Date: 2024-06-05 12:46:06+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/apache02.tufau.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/apache02.tufau.com/privkey.pem
Certificate Name: apache03.tufau.com
Serial Number: 4c13c1cc3475257f694cc1149d07b4bb883
Key Type: ECDSA
Domains: apache03.tufau.com apache04.tufau.com
Expiry Date: 2024-06-06 00:30:57+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/apache03.tufau.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/apache03.tufau.com/privkey.pem
Certificate Name: apache05.tufau.com
Serial Number: 3790a43f1f224303a65a9d5324d28add4e6
Key Type: ECDSA
Domains: apache05.tufau.com
Expiry Date: 2024-06-06 01:50:11+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/apache05.tufau.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/apache05.tufau.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Deleting a certificate

If a certificate is genuinely no longer needed, certbot delete removes the certificate, its private key and its renewal configuration:

certbot delete --cert-name cert.example.com

Here cert.example.com is the certificate name (the Certificate Name field from certbot certificates) and is only an example; substitute your own. Note that deleting the files does not invalidate the certificate: if its private key has leaked, revoke it first (see below) and only then delete it.

Revoking a certificate

If a certificate's private key leaks, whoever holds it can impersonate your server to users for as long as the certificate is valid. The certificate should then be revoked, so that clients which check revocation status (OCSP or CRL) reject it; not every client checks, so revocation reduces the risk rather than removing it. Afterwards obtain a replacement with a fresh key (certbot generates a new private key on each issuance unless --reuse-key was set). Revoking with certbot is simple:

certbot revoke --cert-path /etc/letsencrypt/live/CERTNAME/cert.pem --reason keycompromise

--cert-path takes the path of the certificate itself (cert.pem), not the private key; certbot certificates shows where each one lives, and certbot revoke --cert-name CERTNAME works too. --reason is not free text: it must be one of the reason codes certbot accepts (unspecified, keycompromise, affiliationchanged, superseded, cessationofoperation). After revoking, certbot asks whether to delete the certificate's files as well.

Adding or removing domains on an existing certificate

Rather than requesting a separate certificate for every domain, you can add domains to, or remove them from, an existing certificate, so that one SSL/TLS certificate covers several names. First list the certificates managed by Certbot:

sudo certbot certificates

Pick the certificate to change and note its Certificate Name field. Then re-run certonly with --cert-name and the complete new list of domains:

sudo certbot certonly --cert-name example.com -d example.com -d a.example.com -d b.example.com

This example adds b.example.com to the certificate named example.com, which previously covered example.com and a.example.com. --cert-name selects the certificate; the -d options list every domain the certificate should cover after the change, not just the new one. Certbot validates all of the listed names again and shows which domains are being added and removed for confirmation before replacing the certificate.

To remove a.example.com from the certificate instead, list only the names that should remain:

sudo certbot certonly --cert-name example.com -d example.com -d b.example.com

After re-validation the certificate covers only example.com and b.example.com.