Applying for a Free SSL Certificate - Certbot
We know that SSL (Secure Sockets Layer) certificates are essential for websites and online services: an SSL certificate encrypts the communication between users and the server so that data cannot be eavesdropped on or tampered with.
In this chapter we introduce how to apply for a free SSL certificate with the Certbot tool.
What is Certbot?
Certbot is an open-source automation tool for obtaining and renewing the free SSL/TLS certificates issued by Let's Encrypt.
Let's Encrypt is a certificate authority (CA) run by the Internet Security Research Group (ISRG). It provides an automated process for issuing and renewing certificates, so that site administrators can easily enable HTTPS for their sites.
The main features of Certbot are:
- Automation: it verifies domain ownership and requests the certificate automatically.
- Free: it uses the free certificates issued by Let's Encrypt.
- Compatibility: it supports many web servers, such as Apache and Nginx.
- Ease of use: it provides a command-line interface that makes installation and use simple.
- Renewal: it handles certificate renewal automatically, keeping the site's HTTPS connection valid at all times.
Certificates issued by Let's Encrypt are valid for 90 days; Certbot sets up a renewal task automatically so that the certificate does not expire.
Installing Certbot
1. Installing Certbot on Ubuntu/Debian
Install with APT:
sudo apt update
sudo apt install certbot
Once installed, Certbot is ready to use.
Install the Snap version:
Snap is the installation method officially recommended by Certbot, especially on Ubuntu LTS releases.
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot   # ensures the certbot command is available system-wide
2. Installing Certbot on CentOS/RHEL
Install the EPEL repository (for CentOS 7 and earlier):
sudo yum install epel-release
sudo yum install certbot
3. Installing Certbot on macOS
On macOS, Certbot can be installed with Homebrew:
brew install certbot
Installation instructions for every other platform are on the Certbot website, https://certbot.eff.org/:
After installation, check the installed Certbot version with:
certbot --version
Requesting and renewing a certificate
Once certbot is installed, request a certificate with the following command. Note that *.runoob.com is a placeholder: replace it with your own domain:
certbot certonly -d *.runoob.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
After running the command, fill in the prompts:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): xxx@qq.com   # enter your e-mail address here

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y   # enter Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y   # enter Y
Account registered.
Requesting a certificate for *.runoob.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

xxxxxxx.runoob.com.   # add this record in your DNS provider's console; see the figure below

with the following value:

aIwqY00CZtziVwr-xxxxxxxxxxxxxx   # this is the value of the TXT record; see the figure below

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.runoob.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue   # after adding the DNS record as in the figure below, press Enter to issue the certificate; make sure the record is in place before pressing Enter. The issued certificate information follows:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/runoob.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/runoob.com/privkey.pem
This certificate expires on 2024-12-21.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Set up the DNS record used to validate the certificate:
Certificates issued by Let's Encrypt are valid for 90 days. Use the following command to renew the certificate:
certbot certonly --force-renewal --manual -d '*.runoob.com' \
    --preferred-challenges dns \
    --server https://acme-v02.api.letsencrypt.org/directory
After running the renewal command, you will be asked to update the DNS record:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.jysahre.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.jysahre.com.

with the following value:

ckxo1wGXbP1CtNQ3ZRfvHxxxxxx   # this is the new TXT record value you must set; once it is in place the renewal completes

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.jysahre.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
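The output above states that a certificate obtained with --manual is not renewed automatically, so someone has to re-run the command before the expiry date, and the DNS TXT record has to be visible before pressing Enter. The following Bash script is an added example, not part of the original tutorial: it reads the expiry date from the live certificate, reports whether renewal is due using Certbot's own 30-day threshold, and checks whether a TXT record has propagated. It assumes GNU date, openssl and dig are installed; runoob.com and the record value are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial). Helpers for the manual
# renewal flow described above: Certbot does not auto-renew --manual
# certificates, so check the expiry yourself and re-run certbot in time.
# Assumes GNU date (Linux), openssl and dig on PATH, and Certbot's default
# live directory layout /etc/letsencrypt/live/<name>/fullchain.pem.
set -u

# Whole days from "now" (epoch seconds, default: current time) until the
# expiry date. Accepts Certbot's "2024-12-21" as well as openssl's
# "Dec 21 00:00:00 2024 GMT" format.
days_until_expiry() {
    local expiry="$1" now="${2:-$(date -u +%s)}" exp_epoch
    exp_epoch=$(date -u -d "$expiry" +%s) || return 2
    echo $(( (exp_epoch - now) / 86400 ))
}

# Succeeds (exit 0) when fewer than $2 days remain (default 30, the threshold
# Certbot itself uses for automatic renewals); fails (exit 1) otherwise.
needs_renewal() {
    local days
    days=$(days_until_expiry "$1" "${3:-$(date -u +%s)}") || return 2
    [ "$days" -lt "${2:-30}" ]
}

# Read notAfter from a live certificate and report whether renewal is due.
check_live_cert() {
    local name="$1" not_after
    not_after=$(openssl x509 -in "/etc/letsencrypt/live/$name/fullchain.pem" \
        -noout -enddate) || return 2
    not_after="${not_after#notAfter=}"          # strip the "notAfter=" prefix
    if needs_renewal "$not_after"; then
        echo "$name: $(days_until_expiry "$not_after") days left, renew now"
    else
        echo "$name: $(days_until_expiry "$not_after") days left, no action"
        return 1
    fi
}

# Before pressing Enter in the manual flow: is the TXT record visible yet?
# dig +short prints TXT data quoted, so strip the quotes before comparing.
txt_record_deployed() {
    dig +short TXT "$1" | tr -d '"' | grep -qxF -- "$2"
}

# Usage: ./check-renewal.sh runoob.com && certbot certonly --force-renewal ...
if [ $# -gt 0 ]; then
    check_live_cert "$1"
fi
```

Run it from cron a few times a week; it exits 0 only when renewal is due, so chaining the certbot command after `&&` re-runs the manual flow exactly when needed.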