
  • Using Certbot to obtain a free HTTPS certificate and renew it automatically

    As the various one-click install scripts have become less and less trustworthy security-wise, I have increasingly preferred to compile the LNMP stack myself. Obtaining an SSL certificate for a hand-built stack has always been a nuisance, though, so here is a tool that handles it well: Certbot, which takes care of both issuance and automatic renewal.

    Everything below was run on a Debian server; the machine used here runs Debian 12.

    First, install snapd:

    su root
    apt update
    apt install snapd

    Install the snap core:

    sudo snap install core

    Install Certbot:

    sudo snap install --classic certbot

    Link the Certbot binary into /usr/bin:

    sudo ln -s /snap/bin/certbot /usr/bin/certbot

    Issue and install the certificate for nginx. Because this nginx was compiled by hand and does not live at the default paths, tell the nginx plugin where its conf directory and its binary are; Certbot then edits the server block for you. The plugin finds domains from the server_name entries already in the nginx config, and the HTTP-01 challenge it uses needs port 80 of the host to be reachable from the internet.

    certbot --nginx --nginx-server-root=/usr/local/nginx/conf --nginx-ctl=/usr/local/nginx/sbin/nginx

    Below is the output of the issuance run; along the way it asks for an email address and a few confirmations.

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Enter email address (used for urgent renewal and security notices)
     (Enter 'c' to cancel): admin@1stcache.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
    agree in order to register with the ACME server. Do you agree?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y    
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Would you be willing, once your first certificate is successfully issued, to
    share your email address with the Electronic Frontier Foundation, a founding
    partner of the Let's Encrypt project and the non-profit organization that
    develops Certbot? We'd like to send you email about our work encrypting the web,
    EFF news, campaigns, and ways to support digital freedom.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: y
    Account registered.
    
    Which names would you like to activate HTTPS for?
    We recommend selecting either all domains, or all domains in a VirtualHost/server block.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: oss.1stcache.com
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel): 1
    Requesting a certificate for oss.1stcache.com
    
    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/oss.1stcache.com/fullchain.pem
    Key is saved at:         /etc/letsencrypt/live/oss.1stcache.com/privkey.pem
    This certificate expires on 2024-02-14.
    These files will be updated when the certificate renews.
    Certbot has set up a scheduled task to automatically renew this certificate in the background.
    
    Deploying certificate
    Successfully deployed certificate for oss.1stcache.com to /usr/local/nginx/conf/nginx.conf
    Congratulations! You have successfully enabled HTTPS on https://oss.1stcache.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    If you like Certbot, please consider supporting our work by:
     * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
     * Donating to EFF:                    https://eff.org/donate-le
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Visiting the site over https now shows it working.

    Not so fast, though: we also want renewal to be fully automatic.

    sudo certbot renew --dry-run

    This command does not renew anything by itself: --dry-run performs a test renewal against Let's Encrypt's staging environment (so it does not count against rate limits) to confirm that the plugin, the stored nginx paths and the challenge all still work. The real renewals are done by the scheduled task Certbot mentioned in the output above; for the snap package that is a systemd timer which runs `certbot renew` twice a day, and a certificate is actually renewed once it has fewer than 30 days of validity left. Only once the dry run succeeds and that scheduled task exists is the setup really done.

    /etc/crontab/
    /etc/cron.*/*
    systemctl list-timers

    Look in the places above to confirm the renewal job exists; with the snap install it shows up in the timer list as snap.certbot.renew.timer.
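    The three things worth confirming after that dry run, written up as an added example (this script is not part of the original post and is not Certbot's own tooling): a POSIX shell script that checks the snap's renewal timer, the renewal config Certbot stored for the lineage, and how much lifetime the live certificate has left. The domain and the nginx paths are the post's own; the timer unit name and the keys in /etc/letsencrypt/renewal/<domain>.conf are what the Certbot snap writes; the 30-day threshold, the function names and the sample config used in testing are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: verify that Certbot's automatic
# renewal is really wired up for a hand-compiled nginx.
#
# Checks performed:
#   1. the snap's systemd timer (snap.certbot.renew.timer) is active;
#   2. /etc/letsencrypt/renewal/<domain>.conf still carries the nginx plugin
#      options given on the first run (nginx_ctl, nginx_server_root), because
#      `certbot renew` re-reads that file, not the command line you typed;
#   3. the live certificate is not about to expire anyway.
# The domain and nginx paths come from the post; the 30-day threshold and the
# layout of the checks are this example's own assumptions.

# check_renewal_conf FILE
# Returns 0 when FILE names nginx as the installer and records both nginx options.
check_renewal_conf() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "renewal config not readable: $conf" >&2
        return 1
    fi
    for key in 'installer *= *nginx' 'nginx_ctl *= *.' 'nginx_server_root *= *.'; do
        if ! grep -Eq "^$key" "$conf"; then
            echo "missing in $conf: ${key%% *}" >&2
            return 1
        fi
    done
    return 0
}

# cert_expires_within PEM DAYS
# Returns 0 when the certificate in PEM expires within DAYS days, or cannot be
# read at all (treated as "needs attention"); returns 1 when it is fine.
cert_expires_within() {
    pem="$1"
    secs=$(( $2 * 86400 ))
    if [ ! -r "$pem" ]; then
        echo "certificate not readable: $pem" >&2
        return 0
    fi
    # openssl -checkend exits 0 only if the cert is still valid at now+secs.
    if openssl x509 -noout -checkend "$secs" -in "$pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renewal_timer_active
# Returns 0 when systemd reports the snap's certbot renewal timer as active.
renewal_timer_active() {
    systemctl is-active --quiet snap.certbot.renew.timer
}

# main DOMAIN: run all checks; exit non-zero on the first failure.
main() {
    domain="$1"
    renewal_timer_active || { echo "snap.certbot.renew.timer is not active" >&2; return 1; }
    check_renewal_conf "/etc/letsencrypt/renewal/$domain.conf" || return 1
    if cert_expires_within "/etc/letsencrypt/live/$domain/fullchain.pem" 30; then
        # Under 30 days left means the timer has not been renewing. A dry run
        # against staging shows why without spending production rate limits.
        echo "certificate for $domain has under 30 days left; running dry-run" >&2
        certbot renew --dry-run --cert-name "$domain" || return 1
    fi
    echo "renewal chain for $domain looks healthy"
}

# Only run the checks when a domain is given, e.g.:
#   sh certbot-renewal-check.sh oss.1stcache.com
if [ $# -gt 0 ]; then
    main "$@"
fi
```

    Run it as `sh certbot-renewal-check.sh oss.1stcache.com`. The config check is the one that matters for a self-compiled nginx: `certbot renew` never sees the `--nginx-ctl` and `--nginx-server-root` flags from the first run, it takes them from the renewal file, so if that file loses them or the binary is moved, renewal for that lineage fails even though nothing on the command line has changed.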

    The whole process is really quite simple; getting by without a control panel is not that hard.