Obtain an SSL certificate from Let's Encrypt, which issues certificates free of charge.
See the official Let's Encrypt website for details.
⇒ https://letsencrypt.org/
Certificates expire 90 days after issuance.
However, the Certbot package includes a script that checks and renews certificates (see [4]), so you do not need to renew them by hand.
[1] Install the Certbot client, the tool used to obtain certificates from Let's Encrypt.
root@dlp:~ # pkg install -y py39-certbot
[2] Obtain a certificate.
This method requires a web server such as Apache httpd or Nginx to be running on the server you are working on.
If no web server is running, skip this section and refer to section [3].
In addition, because of Let's Encrypt's validation, port 80 on the server you are working on must be reachable from the Internet.
# with the [--webroot] option, a directory under the web server's document root is used as the temporary working directory for the validation
# -w [document root] -d [FQDN you want to obtain a certificate for]
# FQDN (Fully Qualified Domain Name) : Hostname.Domainname
# to obtain a certificate covering 2 or more FQDNs, specify all of them as below
# ex : if get [srv.world] and [www.srv.world] ⇒ specify [-d srv.world -d www.srv.world]
root@dlp:~ # certbot certonly --webroot -w /usr/local/www/apache24/data -d dns.srv.world
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
# for the initial use, you need to register your email address
# specify your valid email address
(Enter 'c' to cancel): root@mail.srv.world
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# agree to the terms of use
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for dns.srv.world
Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/dns.srv.world/fullchain.pem
Key is saved at: /usr/local/etc/letsencrypt/live/dns.srv.world/privkey.pem
This certificate expires on 2024-03-19.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# success if [Successfully received certificate] is shown
# certs are created under the [/usr/local/etc/letsencrypt/live/(FQDN)/] directory
# cert.pem ⇒ SSL server cert (includes the public key)
# chain.pem ⇒ intermediate certificate
# fullchain.pem ⇒ cert.pem and chain.pem combined into one file
# privkey.pem ⇒ private key file
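After a successful issuance it is worth confirming, before any service is pointed at these files, that the private key and certificate really belong together, that the chain validates the way a client will see it, and how much validity is left. The script below does that with openssl. It is an added example, not part of Certbot or of this page's original procedure; it assumes the FreeBSD path layout shown above and takes the lineage directory as its only argument.

```shell
#!/bin/sh
# Sanity checks for a freshly issued Let's Encrypt lineage (added example).
# usage: sh check-lineage.sh /usr/local/etc/letsencrypt/live/dns.srv.world
set -e

# Succeeds when certificate $1 and private key $2 carry the same public key,
# i.e. the two files really belong together (a swapped or stale key is the
# classic reason a service refuses to start after a manual copy).
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when certificate $1 still has at least $2 days of validity left.
# openssl's -checkend takes seconds, so the day count is converted.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds when cert.pem in lineage $1 validates against the system trust store
# with chain.pem supplied only as the untrusted intermediate, which is exactly
# what a connecting client does; a trust anchor is never taken from chain.pem.
chain_ok() {
    openssl verify -untrusted "$1/chain.pem" "$1/cert.pem" >/dev/null 2>&1
}

# Run all three checks on a lineage directory, report, and return non-zero on
# any failure so the script can be used from a cron job or a deploy hook.
check_lineage() {
    dir="$1"; rc=0
    if cert_key_match "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "ok: privkey.pem matches cert.pem"
    else
        echo "FAIL: privkey.pem does not belong to cert.pem"; rc=1
    fi
    if chain_ok "$dir"; then
        echo "ok: cert.pem validates with chain.pem against the system roots"
    else
        echo "FAIL: cert.pem does not validate with chain.pem"; rc=1
    fi
    if valid_for_days "$dir/cert.pem" 30; then
        echo "ok: more than 30 days of validity left"
    else
        echo "WARN: under 30 days left, certbot renew is due"; rc=1
    fi
    return $rc
}

# Run the checks only when a lineage directory is given on the command line.
if [ $# -eq 1 ]; then
    check_lineage "$1"
fi
```

The 30-day threshold mirrors the renew subcommand's own rule from step [4], so a WARN here means the next weekly periodic run is expected to renew the lineage.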
[3] If no web server is running on the server you are working on, you can obtain a certificate with Certbot's built-in web server. Either way, because of Let's Encrypt's validation, port 80 on the server you are working on must be reachable from the Internet.
# with the [--standalone] option, Certbot's built-in web server is used for the validation
# -d [FQDN you want to obtain a certificate for]
# FQDN (Fully Qualified Domain Name) : Hostname.Domainname
# to obtain a certificate covering 2 or more FQDNs, specify all of them as below
# ex : if get [srv.world] and [www.srv.world] ⇒ specify [-d srv.world -d www.srv.world]
root@dlp:~ # certbot certonly --standalone -d rx-9.srv.world
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for rx-9.srv.world
Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/rx-9.srv.world/fullchain.pem
Key is saved at: /usr/local/etc/letsencrypt/live/rx-9.srv.world/privkey.pem
This certificate expires on 2024-03-19.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[4] To renew existing certificates manually, use the [renew] subcommand.
Running the [renew] subcommand renews every certificate that expires in less than 30 days.
To renew certificates that still have more than 30 days left, add the [--force-renew] option.
In addition, the Certbot package ships a renewal script that you can enable for automatic renewal.
# to renew manually, run as follows
root@dlp:~ # certbot renew
# renewal script shipped with the package
root@dlp:~ # ls -l /usr/local/etc/periodic/weekly/500.certbot-3.9
-r-xr-xr-x 1 root wheel 2494 Dec 13 07:53 /usr/local/etc/periodic/weekly/500.certbot-3.9
# to enable the renewal script, set as follows
root@dlp:~ # vi /etc/periodic.conf
# create new
weekly_certbot_enable="YES"
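The weekly periodic script only runs certbot renew. A daemon that keeps its own copy of the certificate (a jailed or chrooted service, for instance) still needs the renewed files installed and a reload, and Certbot provides a place for that: any executable in /usr/local/etc/letsencrypt/renewal-hooks/deploy/ is run after each successful renewal with RENEWED_LINEAGE (the live/FQDN directory) and RENEWED_DOMAINS (the names on the certificate, space-separated) in its environment. The hook below is an added example, not Certbot's code; the FQDN, the destination directory /usr/local/etc/nginx/tls and the service name nginx are assumptions to adapt to the daemon you actually run.

```shell
#!/bin/sh
# Deploy hook: install a renewed certificate for one service and reload it.
# Added example, not Certbot's own code. Install it executable as
# /usr/local/etc/letsencrypt/renewal-hooks/deploy/install-nginx-cert.sh (assumed name).
set -e

# Assumptions: the service reads its TLS files from $DEST and is reloaded with
# service(8); the FQDN is the one issued in step [2].
FQDN="${FQDN:-dns.srv.world}"
DEST="${DEST:-/usr/local/etc/nginx/tls}"
SERVICE="${SERVICE:-nginx}"

# Succeeds when the space-separated list $1 contains the exact name $2, so a
# host that holds several lineages only redeploys the one this service uses.
renewed_includes() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Copy fullchain.pem and privkey.pem from lineage $1 into $2 as real files
# (a jailed daemon cannot follow Certbot's symlinks into archive/). Files are
# written under a private umask and renamed into place, so no reader ever sees
# a half-written or world-readable key.
install_cert() {
    lineage="$1"; dest="$2"
    (
        umask 077
        mkdir -p "$dest"
        cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
        cp "$lineage/privkey.pem"   "$dest/privkey.pem.tmp"
        chmod 0644 "$dest/fullchain.pem.tmp"   # the chain is public material
        chmod 0600 "$dest/privkey.pem.tmp"     # the key stays root-only
        mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
        mv "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
    )
}

# Entry point used by Certbot; does nothing when run outside a renewal or when
# the renewed lineage is not the one this service uses.
if [ -n "${RENEWED_LINEAGE:-}" ] && renewed_includes "${RENEWED_DOMAINS:-}" "$FQDN"; then
    install_cert "$RENEWED_LINEAGE" "$DEST"
    service "$SERVICE" reload
fi
```

Because the hook is only invoked for lineages that were actually renewed, a weekly run that renews nothing leaves the service untouched. If the daemon drops privileges before reading its key, adjust the ownership of the destination directory and key accordingly instead of loosening the 0600 mode.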
[5] To convert the certificate to the PKCS12 (PFX) format used on Windows, run the following.
root@dlp:~ # openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out dlp_for_iis.pfx
Enter Export Password: # set any export password
Verifying - Enter Export Password:
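To produce the PFX from a script instead of the prompt (for example from a deploy hook, so the Windows copy is refreshed on every renewal), the export password has to come from somewhere other than the terminal. The added example below, not part of the page's original steps, feeds it from a file with openssl's -passout file: option, keeps the bundle (which contains the private key) root-only, and then re-opens it to prove that the password on record actually unlocks it. The lineage path and file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Scripted PKCS#12 (PFX) export of a Let's Encrypt lineage (added example).
# usage: sh export-pfx.sh /usr/local/etc/letsencrypt/live/dns.srv.world /root/pfx.pass /root/dlp_for_iis.pfx
set -e

# Build the .pfx $3 from $1/fullchain.pem and $1/privkey.pem, taking the export
# password from the first line of file $2. A password file keeps the secret out
# of argv and the shell history; the umask makes the bundle readable by root only.
export_pfx() {
    lineage="$1"; passfile="$2"; out="$3"
    (
        umask 077
        openssl pkcs12 -export \
            -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
            -name "$(basename "$lineage")" \
            -passout "file:$passfile" -out "$out"
    )
}

# Succeeds when the .pfx $1 parses and its integrity MAC verifies with the
# password in file $2, i.e. the bundle is complete and the recorded password is
# the right one before it is handed to the Windows side.
pfx_ok() {
    openssl pkcs12 -in "$1" -passin "file:$2" -noout >/dev/null 2>&1
}

# Export and verify when the three arguments are given on the command line.
if [ $# -eq 3 ]; then
    export_pfx "$1" "$2" "$3"
    pfx_ok "$3" "$2" && echo "exported and verified: $3"
fi
```

Keep the password file with the same 0600 mode as the .pfx itself; anyone who can read both has the private key.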