使用 Certbot 获取 Let’s Encrypt 证书并自动续期，为网站开启 HTTPS。

Let’s Encrypt

Let’s Encrypt 是一家全球性的证书颁发机构（CA），作为一个非营利性组织，它的任务是通过推广 HTTPS 来创建一个更加安全和尊重隐私的 Web 环境。Let’s Encrypt 提供了免费的 SSL 证书供每个人使用。

Let’s Encrypt 使用自动化证书管理环境（ACME）协议来验证域名控制权以及颁发证书，使用 Certbot 首次连接 Let’s Encrypt 服务器时会要求输入邮箱等信息来自动创建账户，帐户 ID 可以在 /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/<ID> 路径中找到，如果在使用中遇到问题，可以提供账户 ID 信息进行反馈。

SSL证书类型

目前主流的 SSL 证书有以下三种：

域名验证型（DV）证书：通过验证域名所有权即可签发证书，只验证网站域名所有权，适合个人和小微企业申请，能起到加密传输的作用，但是证书中无法显示企业信息。
组织验证型（OV）证书：通过验证域名所有权和申请企业的真实身份信息才能签发证书，适合中型企业和互联网业务申请，能通过证书查看到企业相关信息。
扩展验证型（EV）证书：在 OV 证书的基础上额外验证企业的其他相关信息，比如 GoDaddy 会在在授予企业 EV 证书前验证企业是否符合以下条件：已合法注册、目前正常运营、位于所列地址、所列电话号码有效、拥有网站域名。多使用于银行、金融、证券、支付等高安全标准行业。

Let’s Encrypt 提供的是域名验证型（DV）证书，不提供组织验证型（OV）或扩展验证型（EV）证书。

Certbot安装流程

Let’s Encrypt 官方推荐使用 Cerbot 来自动执行证书的颁发和安装，Cerbot 团队建议大多数用户通过 snap 这个包管理工具来安装 Certbot，以避免其他包管理系统上发行的 Cerbot 因为未及时更新而存在问题。因此 Certbot 的安装分为两步：

安装 snap；
通过 snap 安装 Certbot。

如果使用的是其他 Linux 发行版可以查阅 certbot instructions 。

下面简单介绍下 Certbot 在 CentOS 7 和 Denian 系统下的安装流程。

安装snap

CentOS 7

CentOS 7 下 snap 的安装过程参考自官方教程：Installing snap on CentOS 。

# 将EPEL扩展库添加到CentOS 7
$ yum install epel-release

# 安装snapd
$ yum install snapd

# 启用snapd.socket
$ systemctl enable --now snapd.socket

# 创建软链接，用来启用classic snap支持
$ ln -s /var/lib/snapd/snap /snap

# 确保snapd版本是最新的
$ snap install core
$ snap refresh core

# 移除yum上的certbot，进一步确保certbot是通过snap安装的
$ yum remove certbot

Debian

Debian 下可以直接通过 apt 安装 snap：

$ apt update
$ apt install snapd
$ snap install core
$ snap refresh core

安装Certbot

# 安装Certbot
$ snap install --classic certbot

# 创建软链接，使certbot命令可以正常使用
$ ln -s /snap/bin/certbot /usr/bin/certbot

访问网站，验证是否启用 HTTPS：

使用Certbot

Certbot 提供了两个功能：

获取证书：自动验证对域名的控制，将证书保存到 /etc/letsencrypt/live/ 并定期更新。
安装证书：通过自动修改服务器的配置，将该证书安装到受支持的 Web 服务器（如 Apache 或 Nginx）和其他类型的服务器。

申请证书时常见的两种场景：

为每个域名申请独立的证书：Nginx 中配置了一个或多个域名，为每个域名（包括子域名）申请独立的证书并启用 HTTPS；
主域名和多个子域名共用同一个通配符证书：Nginx 中除了主域名还配置了多个子域名，比如 sannaha.moe、watermelonrank.sannaha.moe、bigwatermelon.sannaha.moe，申请一个通配符证书可以用于所有子域名。

独立证书

申请独立证书

Certbot 可以读取 Nginx 配置，列出这些域名并让用户选择为哪些域名申请证书。这里为 sannaha.moe 和 thinklong.me 两个域名分别申请证书：

# 为运行在Nginx上的网站配置HTTPS
# 申请后Certbot会自动修改Nginx配置，建议在使用该命令前备份Nginx配置文件
$ certbot --nginx
# 首次访问Let’s Encrypt服务器时需要根据提示创建账户
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): <email@sannaha.moe>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.

# 选择要申请证书的域名
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: sannaha.moe
2: thinklong.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Requesting a certificate for sannaha.moe and thinklong.me

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/sannaha.moe/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/sannaha.moe/privkey.pem
This certificate expires on 2023-02-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for sannaha.moe to /etc/nginx/conf.d/sannaha.conf
Successfully deployed certificate for thinklong.me to /etc/nginx/conf.d/thinklong.conf
Congratulations! You have successfully enabled HTTPS on https://sannaha.moe and https://thinklong.me

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Nginx配置改动

申请后 Certbot 会自动对 Nginx 配置进行修改：配置 SSL 证书路径、添加对 443 端口的监听、将 80 端口的访问请求 301 重定向到 HTTPS：

sannaha.conf

server {
    server_name  sannaha.moe;
    root /home/git/www/hexo/;
    index index.html;
    error_page 404 =301 https://sannaha.moe;

-   listen 80 default_server;
-   listen [::]:80 default_server;
+   listen [::]:443 ssl; # managed by Certbot
+   listen 443 ssl; # managed by Certbot
+   ssl_certificate /etc/letsencrypt/live/sannaha.moe/fullchain.pem; # managed by Certbot
+   ssl_certificate_key /etc/letsencrypt/live/sannaha.moe/privkey.pem; # managed by Certbot
+   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

+ server {
+    if ($host = sannaha.moe) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+    server_name  sannaha.moe;
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    return 404; # managed by Certbot
+ }

通配符证书

通配符证书的使用过程要麻烦一些，需要根据域名选用的 DNS 提供商安装对应的 DNS 插件，授权 Certbot 访问 DNS 提供商，验证对域名的控制权。

安装DNS插件

Certbot 支持的 DNS 插件列表可以查阅 dns-plugins 。比如 DNS 提供商是 cloudflare，需要安装 certbot-dns-cloudflare ：

1	$ snap install certbot-dns-cloudflare

获取token

访问 cloudflare 控制台获取 token。出于安全考虑，建议不要使用秘钥，而是为 Certbot 创建单独的 API 令牌。

创建 API 令牌

选择 API 令牌模板为“编辑区域 DNS”

填写令牌信息，选择要管理的域名

确认摘要信息

创建成功

创建凭据文件

Certbot 是通过 ini 凭据文件读取 token 的，因此需要编写一个下面这样的文件：

/root/cf.ini

1 2	# Cloudflare API token used by Certbot dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567

修改凭据文件的权限，限制其他用户的访问：

1
2
3

# 限制其他用户对凭据文件的访问
# 如果Certbot检测到凭据文件可以被其他用户访问，它会显示警告信息
$ chmod 600 /root/cf.ini

申请通配符证书

申请通配符证书但不安装（不修改 Nginx 配置），填写 cloudflare 凭据文件路径，指定申请的域名：

$ certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /root/cf.ini \
  -d sannaha.moe \
  -d *.sannaha.moe
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/sannaha.moe/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/sannaha.moe/privkey.pem

修改Nginx配置

申请到证书后需要手动修改 Nginx 配置，修改内容可以参考上面的 Nginx配置改动，多个子域名共用刚才申请到的同一个证书。

# Game
server {
    server_name  bigwatermelon.sannaha.moe;
    root /data/website/bigwatermelon/;
    index index.html;
    
    listen [::]:443 ssl;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/sannaha.moe/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sannaha.moe/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    error_page 404 =301 https://bigwatermelon.sannaha.moe;
}

server {
    server_name  bigwaterlemon.sannaha.moe prpr.sannaha.moe;
    listen [::]:443 ssl;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/sannaha.moe/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sannaha.moe/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    return 301 https://bigwatermelon.sannaha.moe$request_uri;
}

server {
    server_name  bigwatermelon.sannaha.moe bigwaterlemon.sannaha.moe prpr.sannaha.moe;
    listen       80;
    listen       [::]:80;
    return 301 https://bigwatermelon.sannaha.moe$request_uri;
}

# Rank
server {
    server_name  watermelonrank.sannaha.moe;
    root /data/website/watermelonrank/;
    index index.html;
    
    listen [::]:443 ssl;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/sannaha.moe/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sannaha.moe/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    error_page 404 =301 https://watermelonrank.sannaha.moe;
}

server {
    server_name  watermelon.sannaha.moe;
    listen [::]:443 ssl;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/sannaha.moe/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sannaha.moe/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    return 301 https://watermelonrank.sannaha.moe$request_uri;
}

server {
    server_name  watermelonrank.sannaha.moe watermelon.sannaha.moe;
    listen       80;
    listen       [::]:80;
    return 301 https://watermelonrank.sannaha.moe$request_uri;
}

管理证书

# 显示从Certbot获得的证书的信息
$ certbot certificates

# 撤销证书
$ certbot revoke --cert-name sannaha.moe

# 在不保存任何证书的情况下测试证书续订功能
$ certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sannaha.moe.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for sannaha.moe and *.sannaha.moe
Waiting 10 seconds for DNS changes to propagate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/thinklong.me.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for thinklong.me

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/sannaha.moe/fullchain.pem (success)
  /etc/letsencrypt/live/thinklong.me/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

常用参数说明

certbot 命令详见：certbot-commands 。

# 获取证书，并安装
$ certbot

# certonly:只申请证书，不安装
$ certbot certonly

# -d:指定域名
$ certbot --nginx -d sannaha.moe -d thinklong.me

常见问题

启用HTTPS后无法打开网站

检查服务器防火墙 443 端口是否打开。
查看服务器端口能否被外部访问 open-ports 。

无法安装DNS插件

在 Debian 11 上安装 DNS 插件时报错，按照提示操作即可：

$ snap install certbot-dns-cloudflare
error: cannot perform the following tasks:
- Run hook prepare-plug-plugin of snap "certbot" (run hook "prepare-plug-plugin": 
-----
Only connect this interface if you trust the plugin author to have root on the system.
Run `snap set certbot trust-plugin-with-root=ok` to acknowledge this and then run this command again to perform the connection.
If that doesn't work, you may need to remove all certbot-dns-* plugins from the system, then try installing the certbot snap again.
-----)
$ snap set certbot trust-plugin-with-root=ok
$ snap install certbot-dns-cloudflare
certbot-dns-cloudflare 1.32.2 from Certbot Project (certbot-eff✓) installed

参考资料

CentOS 7 x Nginx 环境下安装与使用 Certbot
Debian x Nginx 环境下安装与使用 Certbot
Installing snap on CentOS
certbot-commands

Hi SANNAHA

用Certbot自动获取Let's Encrypt证书