Requesting a free Let's Encrypt SSL certificate with Certbot

Introduction: this blog had been running on a self-signed certificate, so browsers flagged every page as an insecure connection. The steps below replace it with a certificate issued by Let's Encrypt and set up automatic renewal.

Official documentation: Certbot instructions, CentOS version

Steps

# Install snapd
sudo yum install snapd

# Enable the snapd socket at boot and start it now
sudo systemctl enable --now snapd.socket

# To enable classic snap support, create a symbolic link between /var/lib/snapd/snap and /snap:
sudo ln -s /var/lib/snapd/snap /snap

# Install Certbot
sudo snap install --classic certbot

# Put the certbot binary on PATH
sudo ln -s /snap/bin/certbot /usr/bin/certbot

# If nginx was installed from the standard yum package, this is enough: certbot detects the
# server blocks and edits the nginx config itself. Otherwise, request the certificate manually
# as shown below.
sudo certbot --nginx

# Manual issuance of a wildcard certificate; validation is done through DNS, so pick the hook
# that matches your DNS provider (Aliyun here).
# Prerequisite: fetch the auto-renewal hook script and fill in ALY_KEY and ALY_TOKEN in au.sh
sudo yum install git
sudo git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
sudo mv certbot-letencrypt-wildcardcertificates-alydns-au /usr/local/src/certbot-alydns-au
cd /usr/local/src/certbot-alydns-au
sudo vim au.sh
# Edit:
# fill in the Aliyun AccessKey ID and AccessKey Secret
# (how to create one: https://help.aliyun.com/knowledge_detail/38738.html)
# au.sh now holds a long-lived cloud credential: keep it root-owned and not group/world
# readable, and prefer a RAM sub-account key that only has DNS record permissions.
ALY_KEY="sssss"
ALY_TOKEN="xxxxxxxxxxxxxxxxxxx"

# Issue the wildcard certificate for *.example.top
# --manual-auth-hook: au.sh runs the Python Aliyun client to add the _acme-challenge TXT record
#   that proves control of the domain
# --manual-cleanup-hook: the same script deletes the TXT record once validation has passed
# Quote the wildcard so the shell cannot glob-expand it. Note that *.example.top does not cover
# the bare example.top; add a second -d example.top if the site is also served there.
# The DNS-01 challenge never touches port 80/443, so the pre/post hooks that stop and start
# nginx are not needed for validation and only cause downtime; they can be dropped.
/usr/bin/certbot certonly \
-d '*.example.top' \
--manual \
--preferred-challenges dns \
--manual-auth-hook "/usr/local/src/certbot-alydns-au/au.sh python aly add" \
--manual-cleanup-hook "/usr/local/src/certbot-alydns-au/au.sh python aly clean" \
--pre-hook "systemctl stop nginx.service" \
--post-hook "systemctl start nginx.service"

# Output on success:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.top/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.top/privkey.pem
This certificate expires on 2023-11-03.
These files will be updated when the certificate renews.
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le

Automatic certificate renewal

# Cron job: certbot renew checks every certificate and only renews those within 30 days of
# expiry, so running it often is harmless. A monthly check (0 0 1 * *) is too coarse: a 90-day
# certificate can end up being renewed by the last run before it expires, with no retry margin
# if that run fails, so run it daily. After a successful renewal the deploy hook validates the
# nginx config and, only if the test passes (the && already guarantees this), reloads nginx.
# The certbot snap also installs a systemd timer that runs certbot renew twice a day; putting
# the reload commands in a script under /etc/letsencrypt/renewal-hooks/deploy/ makes them run
# from that timer as well.
crontab -e
0 3 * * * /usr/bin/certbot renew --deploy-hook "/usr/sbin/nginx -t && /usr/sbin/nginx -s reload"
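Before handing renewal to cron it is worth checking that the stored hook is actually usable unattended: certbot saves the --manual-auth-hook and --manual-cleanup-hook commands in the certificate's renewal config, so `certbot renew` reruns au.sh non-interactively, and au.sh in turn carries the Aliyun AccessKey. The pre-flight script below is an added example, not part of the original post or of the certbot-alydns-au project. It assumes certbot's standard layout (`/etc/letsencrypt/renewal/<name>.conf` with a `manual_auth_hook = ...` line under `[renewalparams]`) and the ALY_KEY/ALY_TOKEN variable names used in au.sh; the sample paths and values are constructed.

```shell
#!/bin/sh
# Pre-flight check before trusting "certbot renew" to an unattended cron job.
# certbot stores --manual-auth-hook in /etc/letsencrypt/renewal/<name>.conf as
#   manual_auth_hook = /usr/local/src/certbot-alydns-au/au.sh python aly add
# The hook file holds the Aliyun AccessKey (ALY_KEY / ALY_TOKEN), so it must exist,
# be executable and be readable by root only.
# Usage: sh preflight.sh /etc/letsencrypt/renewal/example.top.conf
set -u

# First word of the manual_auth_hook value, i.e. the script path (empty if the key is absent).
auth_hook_path() {
    sed -n 's/^manual_auth_hook[[:space:]]*=[[:space:]]*//p' "$1" | awk '{ print $1; exit }'
}

# 0 if the hook exists, is executable, and has no group/other permission bits (e.g. 0700).
hook_perms_ok() {
    hook="$1"
    [ -f "$hook" ] && [ -x "$hook" ] || return 1
    # GNU stat first, BSD stat as fallback; both print the octal mode, e.g. 700
    mode=$(stat -c '%a' "$hook" 2>/dev/null || stat -f '%Lp' "$hook")
    case "$mode" in
        *00) return 0 ;;   # group and other digits are both zero
        *)   return 1 ;;
    esac
}

# 0 if both credential variables are assigned a non-empty quoted value in the hook script.
hook_has_credentials() {
    hook="$1"
    for var in ALY_KEY ALY_TOKEN; do
        grep -Eq "^${var}=\"[^\"]+\"" "$hook" || return 1
    done
}

# Run every check against one renewal config; prints one line per finding,
# returns 0 only if all checks pass.
check_renewal() {
    conf="$1"
    rc=0
    hook=$(auth_hook_path "$conf")
    if [ -z "$hook" ]; then
        echo "FAIL: no manual_auth_hook in $conf (renew would prompt interactively)"
        return 1
    fi
    if hook_perms_ok "$hook"; then
        echo "ok:   $hook is executable and readable by owner only"
    else
        echo "FAIL: $hook missing, not executable, or group/world readable (chmod 700)"
        rc=1
    fi
    if hook_has_credentials "$hook"; then
        echo "ok:   ALY_KEY and ALY_TOKEN are set in $hook"
    else
        echo "FAIL: ALY_KEY or ALY_TOKEN empty in $hook"
        rc=1
    fi
    return $rc
}

# Stand-alone use: pass the renewal config path as the first argument.
if [ $# -gt 0 ]; then
    check_renewal "$1"
fi
```

Run it once after issuance and again whenever au.sh is edited; a non-zero exit means the next unattended `certbot renew` would either stall waiting for input or run with a secret that other local users can read.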