I. Connect to the server over SSH
SSH into the server running your HTTP website as a user with sudo privileges.
II. Remove Certbot OS packages
If you installed any Certbot packages with an OS package manager such as apt, dnf or yum, remove them before installing the Certbot snap, so that running the certbot command uses the snap and not the version installed by the OS package manager. The exact command depends on your OS, but common examples include:
```sh
sudo apt-get remove certbot
sudo dnf remove certbot
sudo yum remove certbot
```
III. Install snapd
Reference: Installing snapd
3.1 Installing snap on Rocky Linux
Reference: Installing snap on Rocky Linux
3.1.1 Adding EPEL to Rocky Linux 8
The snap package for Rocky Linux is available in the Extra Packages for Enterprise Linux (EPEL) repository. Add the EPEL repository to your Rocky Linux system with the following commands:
```sh
sudo dnf install epel-release
sudo dnf upgrade
```
3.1.2 Installing snapd
With the EPEL repository added to your Rocky Linux installation, simply install the snapd package (as root, or with sudo).
Once installed, enable the systemd unit that manages the main snap communication socket:
```sh
sudo systemctl enable --now snapd.socket
```
To enable classic snap support, enter the following to create a symbolic link between /var/lib/snapd/snap and /snap:
```sh
sudo ln -s /var/lib/snapd/snap /snap
```
Log out and back in again, or restart your system, to ensure snap's paths are updated correctly.
3.2 Installing snap on CentOS 7
Reference: Installing snap on CentOS
3.2.1 Adding EPEL to CentOS 7
Add the EPEL repository to your CentOS 7 system with the following command:
```sh
sudo yum install epel-release
```
3.2.2 Installing snapd
With the EPEL repository added to your CentOS installation, simply install the snapd package.
Once installed, enable the systemd unit that manages the main snap communication socket:
```sh
sudo systemctl enable --now snapd.socket
```
To enable classic snap support, enter the following to create a symbolic link between /var/lib/snapd/snap and /snap:
```sh
sudo ln -s /var/lib/snapd/snap /snap
```
Log out and back in again, or restart your system, to ensure snap's paths are updated correctly.
IV. Install Certbot
Run this command on the machine's command line to install Certbot.
```sh
sudo snap install --classic certbot
```
V. Prepare the Certbot command
Run the following on the machine's command line to ensure that the certbot command can be run.
```sh
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```
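Added check, not part of the original post: a small POSIX shell script that confirms the certbot found on PATH is launched through snapd rather than a leftover distribution package (the reason for step II and for the symlink in step V). It assumes snapd's layout, where /snap/bin/<app> is a symlink to the /usr/bin/snap launcher and /snap itself may point at /var/lib/snapd/snap as created in 3.1.2.

```sh
#!/bin/sh
# Added example, not from the original post: verify which certbot a shell would run.

# Print the fully resolved path of the certbot found on PATH; returns 1 if none.
resolve_certbot() {
    bin=$(command -v certbot 2>/dev/null) || return 1
    readlink -f "$bin"
}

# Return 0 when the resolved certbot is launched through snapd.
# snapd installs /snap/bin/<app> as a symlink to its launcher (/usr/bin/snap), and
# /snap may itself be a symlink to /var/lib/snapd/snap, so a snap-provided certbot
# resolves either into one of those trees or to the launcher binary itself.
certbot_is_snap() {
    real=$(resolve_certbot) || return 1
    case "$real" in
        /snap/*|/var/lib/snapd/snap/*|*/bin/snap) return 0 ;;
        *) return 1 ;;
    esac
}

# Operator-facing verdict: exit status 1 means a non-snap certbot shadows the snap,
# so renewals would run the stale OS-package build instead of the auto-updated snap.
report_certbot_source() {
    if certbot_is_snap; then
        echo "OK: certbot resolves to $(resolve_certbot) (snap)"
    else
        echo "WARNING: certbot resolves to $(resolve_certbot 2>/dev/null || echo '<not found>');" \
             "remove the OS package (step II) and re-create the symlink (step V)"
        return 1
    fi
}
```

Run `report_certbot_source` on the server after step V; `certbot --version` should then report the snap's version.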
VI. Choose how you'd like to run Certbot
6.1 Either get and install your certificates...
Run this command to get a certificate and have Certbot edit your nginx configuration automatically to serve it, turning on HTTPS access in a single step.
Certbot reads the Nginx configuration, lists the domain names it finds there and lets you choose which ones to request a certificate for. Here the two domains sannaha.moe and thinklong.me are selected (Certbot issues one certificate covering both names, as the output shows):
```text
# Configure HTTPS for a site served by Nginx
# Certbot rewrites the Nginx configuration after issuance, so back up the Nginx config files before running this command
$ certbot --nginx
# On first contact with the Let's Encrypt server you are prompted to create an account
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): <email@sannaha.moe>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
# Choose the domain names to request a certificate for
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: sannaha.moe
2: thinklong.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Requesting a certificate for sannaha.moe and thinklong.me
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/sannaha.moe/fullchain.pem
Key is saved at: /etc/letsencrypt/live/sannaha.moe/privkey.pem
This certificate expires on 2023-02-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for sannaha.moe to /etc/nginx/conf.d/sannaha.conf
Successfully deployed certificate for thinklong.me to /etc/nginx/conf.d/thinklong.conf
Congratulations! You have successfully enabled HTTPS on https://sannaha.moe and https://thinklong.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
6.2 Or, just get a certificate
If you're feeling more conservative and would like to make the changes to your nginx configuration by hand, run this command.
```sh
sudo certbot certonly --nginx
```
VII. Test automatic renewal
The Certbot packages on your system come with a cron job or systemd timer that renews your certificates automatically before they expire. You will not need to run Certbot again unless you change your configuration. You can test automatic renewal of your certificates by running this command:
```sh
sudo certbot renew --dry-run
```
The command to renew certbot is installed in one of the following locations:
/etc/crontab/
/etc/cron.*/*
systemctl list-timers
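Added example, not from the original post: a POSIX shell helper that looks in the three places listed above for the renewal job. It takes cron files as arguments and `systemctl list-timers --all` output on stdin, so it can be checked against saved or constructed input; the unit name snap.certbot.renew.timer used in the comments is what the certbot snap is expected to install (an assumption, not stated in the post).

```sh
#!/bin/sh
# Added example, not from the original post: find where certbot's renewal is scheduled.

# Search the given cron files for an uncommented line that invokes "certbot ... renew".
# Prints "cron:<file>" per match; returns 0 if anything matched, 1 otherwise.
find_cron_renewal() {
    found=1
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -Eq '^[^#]*certbot[[:space:]].*renew' "$f"; then
            echo "cron:$f"
            found=0
        fi
    done
    return $found
}

# Read "systemctl list-timers --all" output on stdin and print every certbot timer
# unit it mentions (e.g. snap.certbot.renew.timer); returns 1 when none is listed.
find_timer_renewal() {
    grep -Eo '[[:alnum:]._-]*certbot[[:alnum:]._-]*\.timer' | sort -u | grep .
}

# Combine both sources on a live system. A non-zero exit means no renewal job was
# found, which is the condition to alert on well before the certificate expires.
check_renewal_scheduled() {
    if find_cron_renewal /etc/crontab /etc/cron.d/* /etc/cron.daily/* /etc/cron.hourly/*; then
        return 0
    fi
    if systemctl list-timers --all 2>/dev/null | find_timer_renewal; then
        return 0
    fi
    echo "WARNING: no certbot renewal job found; re-check with 'certbot renew --dry-run'" >&2
    return 1
}
```

Run `check_renewal_scheduled` on the server; the two finder functions can also be pointed at copied cron files or saved timer output.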
VIII. Confirm that Certbot worked
To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar.
IX. Other usage
9.1 List all running timers
X. References
Certbot website
Using Certbot to obtain Let's Encrypt certificates automatically