Free certificate auto-renewal with Let's Encrypt

Install certbot

Ubuntu apt is used as the example; on CentOS replace apt with yum, the other arguments are basically the same.

sudo apt install certbot

Check that the installation succeeded:

# certbot --version
certbot 2.9.0

Configure a web server path reachable over HTTP on port 80

When certbot issues a certificate it has to verify that you control the domain, so the domain must already be reachable. If you want a certificate for domain BBB, first make sure BBB's HTTP URL is reachable and that the web root directory can be read and written normally.
For nginx this only means a simple port 80 server block with the domain (server_name) and the root path; then manually test that a file placed under that root directory can be fetched.
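As an added example (not part of the original post), the following script prints the kind of minimal port-80 server block described above and performs the manual check in an automated way: it drops a throwaway file under the webroot's .well-known/acme-challenge/ directory (the path certbot itself uses) and fetches it over HTTP. The domain b.bbb.com, the webroot /var/www/b.bbb.com and the use of curl are assumptions; the FETCH variable exists only so the check can be exercised without a live server.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed values: domain b.bbb.com, webroot /var/www/b.bbb.com, curl installed.

# Print a minimal HTTP server block for the ACME webroot challenge.
# Only the challenge path needs to be served from the webroot.
acme_server_block() {
    domain="$1"; webroot="$2"
    cat <<EOF
server {
    listen 80;
    server_name ${domain};

    # Let's Encrypt fetches http://${domain}/.well-known/acme-challenge/<token>
    location /.well-known/acme-challenge/ {
        root ${webroot};
    }
}
EOF
}

# Write a test token file under the webroot and fetch it over HTTP, the same
# way the ACME server will fetch the real challenge file.
# FETCH defaults to curl and can be overridden for offline testing.
# Returns 0 only when the served body equals the file content.
acme_webroot_check() {
    domain="$1"; webroot="$2"
    dir="${webroot}/.well-known/acme-challenge"
    token="precheck-$$-$(date +%s)"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$token" > "${dir}/${token}" || return 1
    if got=$("${FETCH:-curl}" -fsS "http://${domain}/.well-known/acme-challenge/${token}"); then
        rc=0
    else
        rc=1
    fi
    rm -f "${dir}/${token}"
    [ "$rc" -eq 0 ] && [ "$got" = "$token" ]
}

# Typical use before running certbot (assumed paths):
#   acme_server_block b.bbb.com /var/www/b.bbb.com > /etc/nginx/conf.d/b.bbb.com.conf
#   nginx -t && nginx -s reload
#   acme_webroot_check b.bbb.com /var/www/b.bbb.com && echo "webroot OK"
```

If the check fails, certbot's HTTP-01 validation will fail for the same reason (wrong root, a redirect that strips the path, or a firewall in front of port 80), so it is worth fixing before spending rate-limited issuance attempts.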

Issue the certificate

certbot certonly --webroot -w AAA -d BBB

BBB stands for the domain you want to cover, usually a subdomain such as b.bbb.com; AAA is the web root directory that is already serving BBB, given as an absolute path (certbot writes the challenge file under AAA/.well-known/acme-challenge/).

After successful issuance the certificate files are usually at:

/etc/letsencrypt/live/BBB/fullchain.pem
/etc/letsencrypt/live/BBB/privkey.pem

Note: do not move these files; reference the generated default path everywhere. This free certificate is only valid for 3 months, so we will renew it with certbot later, and by default certbot renews into this same path.

Renewal

certbot renew

Automatic renewal

On Linux, the cron service is recommended. Two caveats for the entries below: cron treats an unescaped % as a newline, which is why it is written as \%, and $RANDOM is a bash feature, so if your cron runs jobs with /bin/sh add a SHELL=/bin/bash line at the top of the crontab.

crontab -e

If you only want to renew the certificate:

30 2 * * * sleep $(($RANDOM \% 600)) && certbot renew --quiet

If the certificate is used by nginx, nginx must reload its configuration after renewal for the new certificate to take effect, so an extra argument is needed:

30 2 * * * sleep $(($RANDOM \% 600)) && certbot renew --quiet --deploy-hook "nginx -s reload"
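As an added example (not part of the original post), the renewal job and the deploy hook can be moved into one script so that the crontab line needs neither % escaping nor bash's $RANDOM, and so that nginx is only reloaded after its configuration, now pointing at the renewed files, passes nginx -t. The hook is run by certbot only when a certificate was actually renewed. The install path /usr/local/sbin/cert-renew.sh is an assumption; the NGINX variable exists only so the reload gate can be tested without a real nginx.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed install path: /usr/local/sbin/cert-renew.sh (executable).
# Crontab entry (crontab -e), no % or $RANDOM involved:
#   30 2 * * * /usr/local/sbin/cert-renew.sh renew

# Random delay in [0, max) read from /dev/urandom; works under dash as well
# as bash, unlike $RANDOM. Spreads renewal traffic away from a fixed minute.
jitter_seconds() {
    max="$1"
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( n % max ))
}

# Reload nginx only if the configuration (with the renewed certificate) parses.
# NGINX defaults to the real binary and can be overridden for testing.
safe_reload() {
    nginx_cmd="${NGINX:-nginx}"
    if "$nginx_cmd" -t; then
        "$nginx_cmd" -s reload
    else
        echo "nginx config test failed; keeping the running configuration" >&2
        return 1
    fi
}

# What cron runs: wait a random amount of time, then let certbot renew any
# certificate that is due. certbot runs the deploy hook only after a
# successful renewal, so nginx is not reloaded on the nights nothing changes.
renew_certs() {
    sleep "$(jitter_seconds 600)"
    certbot renew --quiet --deploy-hook "/usr/local/sbin/cert-renew.sh hook"
}

# Dispatch on the first argument so one file serves both roles.
case "${1:-}" in
    renew) renew_certs ;;
    hook)  safe_reload ;;
esac
```

Running `certbot renew --dry-run --deploy-hook "/usr/local/sbin/cert-renew.sh hook"` once by hand exercises the whole chain against the staging endpoint without touching the real certificate.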

How to upgrade certbot from ACMEv1 to ACMEv2

Original environment

certbot version: 0.9.3
CentOS version: CentOS Linux release 7.0.1406 (Core)

Upgrade the certbot version

# sudo yum update certbot

# certbot --version
certbot 1.3.0

Upgrade the ACME account

# certbot update_account
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxx@xxx.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Starting new HTTPS connection (1): supporters.eff.org

IMPORTANT NOTES:
 - Your e-mail address was updated to xxx@xxx.com.

Check the upgrade result

ls /etc/letsencrypt/accounts
acme-staging.api.letsencrypt.org  acme-v01.api.letsencrypt.org  acme-v02.api.letsencrypt.org

You can see the acme-v02 entry, which indicates that the account upgrade was successful.
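The account directory only shows that a v2 account exists; each certificate also carries its own endpoint in its renewal configuration. As an added example (not part of the original post), the function below reports every certbot renewal config that still names the acme-v01 endpoint. It assumes certbot's default layout of one /etc/letsencrypt/renewal/NAME.conf per certificate containing a "server = URL" line under [renewalparams]; the directory argument exists so it can be run against a copy or a test directory.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed layout: /etc/letsencrypt/renewal/<name>.conf with a line
#   server = https://acme-v0X.api.letsencrypt.org/directory
# under [renewalparams].

# Print "<conf>: <server url>" for every renewal config still on acme-v01.
# Returns 1 if any were found, 0 if every certificate already uses v02.
list_v1_renewals() {
    dir="${1:-/etc/letsencrypt/renewal}"
    found=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # first "server = ..." line, value only
        server=$(sed -n 's/^server *= *//p' "$conf" | head -n 1)
        case "$server" in
            *acme-v01.api.letsencrypt.org*)
                printf '%s: %s\n' "$conf" "$server"
                found=1 ;;
        esac
    done
    return "$found"
}

# Typical use on the upgraded host:
#   list_v1_renewals && echo "all renewal configs already use ACMEv2"
```

Any certificate listed here can be re-issued against the v2 endpoint by passing `--server https://acme-v02.api.letsencrypt.org/directory` to certbot, which then records that server in the renewal config.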

Done, have fun!