使用自动化工具 – CertBot 进行证书更新

Posted on by D0n9X1n

故事的开始就是 https 证书的更新. 在这次使用 CertBot 之前呢, 我采用的还是刀耕火种的方式, 先去阿里云上申请免费的 https 证书, 然后手动下载到对应的 azure 机器上,然后更新 nginx 配置,最后 nginx -s reload 算是更新完成吧. 步骤十分繁琐,但是考虑到每年只会有一次, 而且花一天写脚本有点不太划算, 毕竟手动弄的话,也能在半小时内完成.所以一直都没有考虑自动化的方式.

但是,因为最近出于安全的原因, 我更新了手机号码, 但是忘记更新阿里云上的预留手机号,导致我原有的账号无法登陆.考虑到通过人工申请的方式找回账号费时费力,以及以后不会再使用阿里云相关的服务就开始寻找对应的替代方案了.

抛开阿里云之后,首选就必然是 Let’s Encrypt 了. 对应的网站如下: Let’s Encrypt.

安装方式

这部分应该是这篇文章里面最水的一部分了…我也懒得一点点写步骤,直接贴部分的原文吧:

我使用的是 Ubuntu 20.04 上的 Nginx 作为宿主机器,所以这边以这个版本为例.

SSH into the server

SSH into the server running your HTTP website as a user with sudo privileges.

Install snapd

You’ll need to install snapd and make sure you follow any instructions to enable classic snap support.
Follow these instructions on snapcraft’s site to install snapd.

Ensure that your version of snapd is up to date

Execute the following instructions on the command line on the machine to ensure that you have the latest version of snapd.

sudo snap install core; sudo snap refresh core

Remove certbot-auto and any Certbot OS packages

If you have any Certbot packages installed using an OS package manager like apt, dnf, or yum, you should remove them before installing the Certbot snap to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager. The exact command to do this depends on your OS, but common examples are sudo apt-get remove certbot, sudo dnf remove certbot, or sudo yum remove certbot.

If you previously used Certbot through the certbot-auto script, you should also remove its installation by following the instructions here.

Install Certbot

Run this command on the command line on the machine to install Certbot.

sudo snap install --classic certbot

Prepare the Certbot command

Execute the following instruction on the command line on the machine to ensure that the certbot command can be run.

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Choose how you’d like to run Certbot

  • Either get and install your certificates…

Run this command to get a certificate and have Certbot edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step.
sudo certbot --nginx

  • Or, just get a certificate

If you’re feeling more conservative and would like to make the changes to your Nginx configuration by hand, run this command.
sudo certbot certonly --nginx

Test automatic renewal

The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration.
You can test automatic renewal for your certificates by running this command:
sudo certbot renew --dry-run

If that command completes without errors, your certificates will renew automatically in the background.

Confirm that Certbot worked

To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar.

经验

一开始我还担心 CertBot 会不会自动识别 Nginx 的配置, 所以一开始进行了备份, 然后跑完之后发现他确实可以读取 nginx 的 sites-default, 然后会根据里面的 server name 进行对应的申请.总体而言还是很方便的, 非常推荐其他人进行使用.

算是水了一篇吧, 也是没想到还有这么个方便的套件.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.