Preface
My notes from setting up a certificate on my own Linode VPS.
Old configuration method (deprecated), based on Python 2
New configuration method, based on Python 3
What is Certbot?
Certbot is a tool that automates obtaining a certificate signed by Let's Encrypt and configuring it for use with TLS.
For most operating systems and web server configurations, Certbot creates the signed certificate, configures the web server to accept secure connections, and can automatically renew the certificates it created. In most cases Certbot can enable HTTPS seamlessly, without causing server downtime.
Before you begin
Make sure you have registered a fully qualified domain name (FQDN) and set up A and AAAA DNS records pointing to your Linode's public IPv4 and IPv6 addresses. See Linode's DNS Records: An Introduction and DNS Manager guides for help setting up your domain.
If you are using Apache, change every nginx in the following sections to apache.
Getting started
- Install Certbot and the web-server-specific package, then run Certbot:

```shell
sudo apt-get update
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get install python-certbot-nginx
sudo certbot --nginx
```

- Certbot will ask for information about the site being registered. Your answers are saved as part of the certificate:
```
# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): www.rajie.wiki
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

Certbot will also ask whether you want to automatically redirect HTTP traffic to HTTPS. Choosing this option is recommended.
- When the tool finishes, Certbot stores all generated keys and issued certificates in the **/etc/letsencrypt/live/$domain** directory, where $domain is the domain name you entered during the Certbot certificate generation step.

  Note: Certbot recommends pointing your web server configuration at the default certificate directory or creating symbolic links. Keys and certificates should not be moved to a different directory.

  Finally, Certbot updates your web server configuration so that it uses the new certificate and, if you chose that option, also redirects HTTP traffic to HTTPS.

- If you have configured a firewall on your Linode, you may need to add firewall rules to allow incoming and outgoing connections to the HTTPS service. For example, if you are using UFW, you can enable HTTP and HTTPS traffic with the following commands:
```shell
sudo systemctl start ufw && sudo systemctl enable ufw
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
```

- Note: if your DNS is hosted on Cloudflare, you may run into a problem like the following; I ran into it myself:
```
Domain: <your domain>
Type: unauthorized
Detail: Invalid response from
[2606:4700:30::681b:be3f]: "<html lang="en-US"
class="boxed"><meta charset="UTF-8"><meta
name="viewport" content="width=device-width, i"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
```
After googling I found this post:
Original solution
Set Cloudflare's SSL mode to Flexible.
Re-run `sudo certbot --nginx` and the problem was solved.
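A pre-flight check for the procedure above, written here as an added example; it is not code from the Linode guide or from the original post. It verifies the "Before you begin" requirement that the domain's A/AAAA records point at the Linode itself, and it flags any address that falls inside Cloudflare's published anycast ranges, because a proxied record means the ACME server's http-01 request is answered by Cloudflare's edge rather than by nginx on the Linode, which is exactly what the "Invalid response from [2606:4700:30::681b:be3f]" error above shows (2606:4700::/32 is a Cloudflare range). It also builds the non-interactive form of the interactive `certbot --nginx` session shown earlier. The origin addresses, the default domain, the e-mail address and the short list of Cloudflare ranges are constructed placeholders; the current ranges are published at https://www.cloudflare.com/ips/.

```python
"""Pre-flight check for the `certbot --nginx` http-01 flow described above.

Added example, not code from the Linode guide or the original post.
Assumptions (all constructed placeholders): the origin's public addresses,
the default domain and e-mail, and the subset of Cloudflare ranges below.
"""
import ipaddress
import socket
import sys

# Subset of Cloudflare's published anycast ranges (https://www.cloudflare.com/ips/),
# frozen here as constructed test data; fetch the current list in production.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
    "2400:cb00::/32", "2606:4700::/32",
)]


def classify(resolved, origin):
    """Sort the addresses a domain resolves to into three buckets.

    origin  - addresses that are the Linode itself (http-01 reaches nginx)
    proxied - addresses inside a Cloudflare range (http-01 hits the edge instead)
    unknown - anything else (stale record, wrong host, typo)
    """
    origin_set = {ipaddress.ip_address(a) for a in origin}
    report = {"origin": [], "proxied": [], "unknown": []}
    for addr in resolved:
        ip = ipaddress.ip_address(addr)
        if ip in origin_set:
            report["origin"].append(str(ip))
        elif any(ip in net for net in CLOUDFLARE_RANGES):
            report["proxied"].append(str(ip))
        else:
            report["unknown"].append(str(ip))
    return report


def http01_ready(report):
    """http-01 needs every published A/AAAA record to be the origin itself."""
    return bool(report["origin"]) and not report["proxied"] and not report["unknown"]


def resolve(domain):
    """Live A/AAAA lookup (needs network); kept apart so classify() is testable offline."""
    infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def certbot_args(domains, email, redirect=True):
    """Non-interactive equivalent of the interactive `sudo certbot --nginx` session:
    agree to the ToS, decline the EFF mailing list, register the given domains
    and (as the guide recommends) redirect HTTP to HTTPS."""
    args = ["certbot", "--nginx", "--non-interactive", "--agree-tos",
            "--no-eff-email", "-m", email]
    for d in domains:
        args += ["-d", d]
    if redirect:
        args.append("--redirect")
    return args


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    # Constructed placeholders; use the Linode's real public IPv4/IPv6 here.
    origin = ("203.0.113.10", "2001:db8::10")
    report = classify(resolve(domain), origin)
    for bucket, addrs in report.items():
        print(f"{bucket:8s} {', '.join(addrs) or '-'}")
    if http01_ready(report):
        print("ready:", " ".join(certbot_args([domain], "admin@example.com")))
    else:
        print("not ready: un-proxy the record (or fix DNS) before running certbot")
        sys.exit(1)
```

Run it as `python3 preflight.py www.example.com` after editing the `origin` tuple; a `proxied` or `unknown` bucket that is not empty predicts the "unauthorized" failure shown above. Once the certificate is deployed on the Linode, the Cloudflare SSL mode can be raised from Flexible (which encrypts only the browser-to-Cloudflare leg and connects to the origin over plain HTTP) to Full (strict), so that the Cloudflare-to-origin leg is encrypted and validated as well.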
Translator's closing remarks
A while ago the official project updated the old Python 2 Certbot to Python 3, which came with changes on the hardware side and the deprecation of some features. As for whether auto-renew still works, I will update this post as soon as I find a method.