Deploying a Let's Encrypt certificate with automatic renewal on CentOS 8 (LEMP)



This post supplements "Installing Apache on CentOS 7 and deploying a free Let's Encrypt SSL certificate" and "Installing Nginx on CentOS 7 and deploying a free Let's Encrypt SSL certificate". Those earlier versions were done on CentOS 7; CentOS 8 differs slightly, mainly in these points:

  1. CentOS 8 adds dnf support, so the install commands use dnf.
  2. CentOS 8 drops Python 2.7; the default is now the latest 3.x.
  3. The automatic renewal job is still added with crontab -e, but the random delay is done with Python.

On to the main topic.

1. Install the Let's Encrypt client, Certbot

Add the CentOS 8 EPEL repository

sudo dnf install epel-release

Note: whenever a confirmation prompt appears, enter y to continue.

Install Certbot and its Nginx plugin

sudo dnf install certbot python3-certbot-nginx

2. Set up firewall rules

Check the current firewall allow rules

sudo firewall-cmd --permanent --list-all

Output

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Both http and https must be present under services; if either is missing (https is missing in the output above), add the rules:

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

After changing the rules, reload the firewall for them to take effect

sudo firewall-cmd --reload
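The firewall step above can be scripted so that it is idempotent. The following is an added example, not code from the original post: it parses the output of `firewall-cmd --permanent --list-all`, reports which of http/https are missing from the `services:` line, and, when run with `--apply` on the server, adds only the missing services and reloads. The constructed sample output and the `--apply` flag are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: make the firewall step
# idempotent by checking which of http/https firewalld already allows.

# Certbot's http-01 challenge needs http (80); the site itself needs https (443).
REQUIRED_SERVICES="http https"

# Read `firewall-cmd --permanent --list-all` output on stdin and print each
# required service that is absent from its "services:" line, one per line.
missing_services() {
    enabled=$(sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
    for svc in $REQUIRED_SERVICES; do
        found=0
        for have in $enabled; do
            [ "$have" = "$svc" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$svc"
    done
    return 0
}

# On the server: add only the services that are missing, then reload so the
# permanent rules become active (the same commands the post runs by hand).
ensure_web_services() {
    sudo firewall-cmd --permanent --list-all | missing_services | while read -r svc; do
        sudo firewall-cmd --permanent --add-service="$svc"
    done
    sudo firewall-cmd --reload
}

# Constructed sample matching the post's output: http is allowed, https is not.
SAMPLE_LIST_ALL='public
  target: default
  icmp-block-inversion: no
  services: cockpit dhcpv6-client http ssh
  ports:'

# `sh firewall-web-check.sh --apply` changes the live firewall; with no
# argument the script only reports against the constructed sample.
if [ "${1:-}" = "--apply" ]; then
    ensure_web_services
else
    printf '%s\n' "$SAMPLE_LIST_ALL" | missing_services
fi
```

Run without arguments it prints `https` for the sample, which is exactly the service the post's own output lacks; with `--apply` it issues one `--add-service` per missing service and then reloads, so re-running it on an already correct host changes nothing.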

3. Generate a certificate with the Certbot client

Certbot usage has not changed and was covered in the earlier posts, but here it is again.

Generate a certificate for multiple domains

sudo certbot --nginx -d your_domain -d www.your_domain

Generate a certificate for a single domain

sudo certbot --nginx -d your_domain

Follow the interactive wizard

sudo certbot --nginx

When issuance for the domain completes, the following message appears:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your cert will expire on 2021-02-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

All certificate files are stored under /etc/letsencrypt/live.

To verify the domain's HTTPS configuration: https://www.ssllabs.com/ssltest/analyze.html?d=your_domain

4. Set up automatic renewal before expiry

The Certbot renewal command (run here with --dry-run, which only simulates the renewal) is:

sudo certbot renew --dry-run

Output

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/your_domain.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for monitoring.pp.ua
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/your_domain/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/your_domain/fullchain.pem (success)
...

To complete automatic renewal, all that remains is to add the renewal command to cron so that it runs on a schedule.

sudo crontab -e

Enter the following line:

0 0,12 * * * python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --quiet

This job starts at midnight (and again at noon, per the 0,12 in the hour field) every day, waits a random interval of up to an hour, and then runs the certificate renewal. It calls python3 explicitly because CentOS 8 ships no unversioned python command by default, so a job written with plain python would fail silently in cron.
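The renewal job can also be written as a small wrapper script. The following is an added example, not part of the original post: it draws the random delay from /dev/urandom (so it does not depend on a python command at all), takes a lock so that two renewals cannot overlap, runs `certbot renew --quiet`, and reports success or failure to syslog so a failing renewal in cron is not silent. The lock path /run/lock/certbot-renew.lock, the syslog tag certbot-renew, the script path /usr/local/sbin/renew-certs.sh and the `--run` flag are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a cron wrapper for
# `certbot renew` that needs no Python for the random delay, refuses to
# run twice at once, and reports the outcome to syslog. The lock path and
# the syslog tag are assumptions, not values from the post.

CERTBOT="${CERTBOT:-certbot}"                            # overridable for testing
MAX_JITTER="${MAX_JITTER:-3600}"                         # seconds; same 1-hour window as the post
LOCK_FILE="${LOCK_FILE:-/run/lock/certbot-renew.lock}"  # assumed path

# Random delay in [0, max) drawn from /dev/urandom, so many hosts do not all
# hit Let's Encrypt at exactly 00:00 and 12:00.
jitter_seconds() {
    max="${1:-$MAX_JITTER}"
    rnd=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    echo $(( rnd % max ))
}

# Log via syslog when logger is available; otherwise write to stderr, which
# cron mails to the job owner.
report() {
    logger -t certbot-renew -p "$1" -- "$2" 2>/dev/null \
        || printf 'certbot-renew %s: %s\n' "$1" "$2" >&2
}

# Run the renewal and return certbot's own exit status after reporting it.
renew_and_report() {
    if "$CERTBOT" renew --quiet; then
        report daemon.info "certbot renew succeeded"
        return 0
    else
        rc=$?
        report daemon.err "certbot renew failed with status $rc"
        return "$rc"
    fi
}

main() {
    # Hold an exclusive lock so an overlapping run (e.g. a manual renew) cannot
    # interleave with this one; flock is part of util-linux on CentOS 8.
    exec 9>"$LOCK_FILE"
    if ! flock -n 9; then
        report daemon.notice "another certbot renew is still running; skipping"
        exit 0
    fi
    sleep "$(jitter_seconds)"
    renew_and_report
}

# Cron entry (replaces the post's python one-liner):
#   0 0,12 * * * /usr/local/sbin/renew-certs.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Install it as root with mode 0700 and point the cron entry at it instead of the one-liner. The nginx installer already reloads nginx when a certificate is deployed, as the dry-run output above shows, so no extra reload hook is needed; what the wrapper adds is the lock and a syslog record of every run, which is what you will want when a renewal fails a few days before expiry.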

That's it. Good luck!
