在CentOS8中部署 Let's Encrypt证书并自动更新(LEMP)

在CentOS8中部署 Let's Encrypt证书并自动更新(LEMP)

此文作为《在CentOS7安装Apache并部署Let's Encrypt免费SSL证书》及《在CentOS7安装Nginx并部署Let's Encrypt免费SSL证书》的补充,以前的版本都是在CentOS7中完成,在CentOS8中稍微有点不太一样,大概有这些区别:

  1. CentOS8加入了dnf的支持,所以安装命令依赖于dnf
  2. CentOS中Python舍弃了2.7的版本,默认为最新的3.X了
  3. 证书的自动更新脚本依然使用crontab -e,但是使用的是python完成

进入主题

一 安装Let’s Encrypt客户端 Certbot

添加 CentOS 8 EPEL 安装源

sudo dnf install epel-release

注意:如果出现确认信息一律输入y继续

安装Certbot和Nginx扩展

sudo dnf install certbot python3-certbot-nginx

二 设置防火墙通行规则

查看当前防火墙放行规则

sudo firewall-cmd --permanent --list-all

输出

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

httphttps是必须要在services中的,如果没有的话需要添加规则

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

设置好之后需要重启服务生效

sudo firewall-cmd --reload

三 用Certbot客户端生成证书

Certbot的使用方法没有变,在前文中都有写过,这里再写一下吧

生成多个域名证书

sudo certbot --nginx -d your_domain -d www.your_domain

生成一个域名证书

sudo certbot --nginx -d your_domain

根据向导自行创建

sudo certbot --nginx

当你完成域名的生成时它会出现下面提示

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your cert will expire on 2021-02-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

所有证书文件都存放在目录/etc/letsencrypt/live中。

验证域名https状态的方法:https://www.ssllabs.com/ssltest/analyze.html?d=your_domain

四 设置自动过期续签

Certbot证书续期命令是:

sudo certbot renew --dry-run

输出内容

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/your_domain.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for monitoring.pp.ua
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/your_domain/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/your_domain/fullchain.pem (success)
...

那么要完成自动续期我们只需要将脚本加入计划定期执行就可以了

sudo crontab -e

输入命令

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --quiet

该脚本会在每天凌晨12点开始执行证书续期更新。

完毕,祝君好运!

Post Comment