随着各个脚本的安全性越来越差,越来越多的我倾向于自行编译lnmp环境。但自行编译环境申请SSL证书一直是个问题,今天给大家介绍一个好用的工具:CertBot来实现证书的申请及自动续期。
以下所有操作均运行在 Debian服务器。本机环境是Debian12
首先,我们要安装 Snapd
- su root
- apt update
- apt install snapd
安装Snapd-core
- sudo snap install core
安装CertBot
- sudo snap install –classic certbot
链接CertBot到/usr/bin目录
- sudo ln -s /snap/bin/certbot /usr/bin/certbot
给nginx环境安装证书,指定nginx的conf目录和nginx的执行目录,配置证书是自动完成的。
- certbot –nginx –nginx-server-root=/usr/local/nginx/conf –nginx-ctl=/usr/local/nginx/sbin/nginx
以下是自动申请证书的输出结果,中间需要输入邮箱及一些确认。
- Saving debug log to /var/log/letsencrypt/letsencrypt.log
- Enter email address (used for urgent renewal and security notices)
- (Enter ‘c’ to cancel): admin@1stcache.com
- – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
- Please read the Terms of Service at
- https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
- agree in order to register with the ACME server. Do you agree?
- – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
- (Y)es/(N)o: y
- – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
- Would you be willing, once your first certificate is successfully issued, to
- share your email address with the Electronic Frontier Foundation, a founding
- partner of the Let’s Encrypt project and the non-profit organization that
- develops Certbot? We’d like to send you email about our work encrypting the web,
- EFF news, campaigns, and ways to support digital freedom.
- – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
- (Y)es/(N)o: y
- Account registered.
- Which names would you like to activate HTTPS for?
- We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
- 1: oss.1stcache.com
- – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
- Select the appropriate numbers separated by commas and/or spaces, or leave input
- blank to select all options shown (Enter ‘c’ to cancel): 1
- Requesting a certificate for oss.1stcache.com
- Successfully received certificate.
- Certificate is saved at: /etc/letsencrypt/live/oss.1stcache.com/fullchain.pem
- Key is saved at: /etc/letsencrypt/live/oss.1stcache.com/privkey.pem
- This certificate expires on 2024-02-14.
- These files will be updated when the certificate renews.
- Certbot has set up a scheduled task to automatically renew this certificate in the background.
- Deploying certificate
- Successfully deployed certificate for oss.1stcache.com to /usr/local/nginx/conf/nginx.conf
- Congratulations! You have successfully enabled HTTPS on https://oss.1stcache.com
- – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
- If you like Certbot, please consider supporting our work by:
- * Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
- * Donating to EFF: https://eff.org/donate-le
- – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
- root@sweaty-balance:/usr/local/nginx#
现在再使用https来访问我们的网站,发现已经大功告成了。
别急,我们需要全自动续期呢。
- sudo certbot renew –dry-run
这个命令会帮我们自动续期,现在才算ok了。
- /etc/crontab/
- /etc/cron.*/*
- systemctl list-timers
查看以上目录确认续期ok。
整个流程其实非常简单。脱离面板其实也没有那么难。