1. Install packages:
CentOS7 & Oracle Linux 8.x:
yum install epel-release
yum install certbot
CentOS6:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
mkdir /opt/letsencrypt
mv certbot-auto /opt/letsencrypt/
Note: EFF has since discontinued certbot-auto; the CentOS 6 steps are kept for hosts that already have it installed.
Note: running certbot-auto (the same tool as certbot, but self-bootstrapping) may require installing dependencies first, such as:
python34
gcc
openssl
libstdc++
... and so on,
and the openssl i386 package must be removed.
Ubuntu with nginx:
# apt-get update
# apt-get install software-properties-common
# add-apt-repository ppa:certbot/certbot
 This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu(s).
 More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or ctrl-c to cancel adding it
gpg: keyring `/tmp/tmphwsex0id/secring.gpg' created
gpg: keyring `/tmp/tmphwsex0id/pubring.gpg' created
gpg: requesting key 75BCA694 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmphwsex0id/trustdb.gpg: trustdb created
gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK
# apt-get update
# apt-get install certbot
Note: the certbot team has since retired this PPA; on current Ubuntu releases use the distribution's certbot package or the snap instead.
2. Requesting the certificate (command format):
Mail2000:
# mkdir -p /webmail/httpd/data/.well-known/acme-challenge/
MB:
# mkdir -p /webmail/mbase/htdocs/.well-known/acme-challenge/
# certbot certonly --webroot -w [webroot] -d [site FQDN] -m [contact e-mail] --agree-tos
(-d [site FQDN] may be repeated for several hosts or subdomains, e.g. -d yummygo.com.tw -d img.yummygo.com.tw -d test.yummygo.com.tw; all of them end up as SANs in one certificate.)
Note: every name given with -d must resolve in public DNS (A record or CNAME) to this host, and the host must answer on port 80, because the webroot plugin uses the http-01 challenge.
Examples:
CentOS7:
M2K:
# certbot certonly --webroot -w /webmail/httpd/data -d m2ktrial.openfind.com.tw -m support@openfind.com.tw --agree-tos
MB:
# certbot certonly --webroot -w /webmail/mbase/htdocs -d mbtrial.openfind.com.tw -m support@openfind.com.tw --agree-tos
CentOS6:
# /opt/letsencrypt/certbot-auto certonly --webroot -w /webmail/httpd/data -d m2ktrial.openfind.com.tw -m support@openfind.com.tw --agree-tos
Certificate files are placed under /etc/letsencrypt/live/[hostname]/:
cert.pem       server (leaf) certificate
chain.pem      intermediate certificate(s)
privkey.pem    private key (mode 0600; never copy it under a web root)
fullchain.pem  cert.pem followed by chain.pem
These are symlinks into /etc/letsencrypt/archive/[hostname]/; a renewal repoints the symlinks, so configurations should always reference the live/ paths and never the numbered archive files.
Test (simulates a renewal against the staging environment without touching the real certificate):
CentOS7:
# certbot renew --dry-run
CentOS6:
# /opt/letsencrypt/certbot-auto renew --dry-run
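The two things that make a webroot (http-01) request fail are a -d name that does not resolve to this host and a port 80 that is not reachable from the internet. The script below is an added example, not part of the original note or of Mail2000: it writes a probe token exactly where certbot writes the challenge, then checks each name the way the Let's Encrypt validator would. It assumes a Linux host with getent, hostname -I and curl, run as root so it can write into the webroot, and uses the /webmail webroots from the commands above.

```shell
#!/bin/sh
# Pre-flight check for `certbot certonly --webroot` (http-01 challenge).
# Added example, not part of the original note or of Mail2000. Assumes a
# Linux host with getent, `hostname -I` and curl, run as root so it can
# write into the webroot.

# Where the challenge file lives: the validator fetches
# http://<name>/.well-known/acme-challenge/<token>, so certbot must be able
# to write here and Apache must serve the directory as plain files.
challenge_file() {            # $1 webroot  $2 token
    printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# Write a probe token into the webroot and print its path.
place_probe() {               # $1 webroot  $2 token
    f=$(challenge_file "$1" "$2")
    mkdir -p "$(dirname "$f")"
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

# 0 when the name (A record, or a CNAME chain) resolves to an address of
# this host. getent uses the system resolver path; hostname -I is
# Linux-specific.
resolves_here() {             # $1 name
    for a in $(getent ahostsv4 "$1" | awk '{print $1}' | sort -u); do
        if hostname -I 2>/dev/null | tr ' ' '\n' | grep -qx "$a"; then
            return 0
        fi
    done
    return 1
}

# 0 when the probe comes back over plain HTTP on port 80. -L follows
# redirects as the Let's Encrypt validator does; anything other than the
# exact token (firewall, wrong vhost, redirect to a broken HTTPS) fails.
probe_reachable() {           # $1 name  $2 token
    got=$(curl -sL --max-time 10 "http://$1/.well-known/acme-challenge/$2" || true)
    [ "$got" = "$2" ]
}

# Run both checks for every name, as certbot -d would see them.
preflight() {                 # $1 webroot, then one or more names
    webroot=$1; shift
    token="probe-$$-$(date +%s)"
    f=$(place_probe "$webroot" "$token")
    rc=0
    for n in "$@"; do
        if resolves_here "$n"; then dns=ok; else dns=FAIL; rc=1; fi
        if probe_reachable "$n" "$token"; then http=ok; else http=FAIL; rc=1; fi
        printf '%-40s dns=%s http=%s\n' "$n" "$dns" "$http"
    done
    rm -f "$f"
    return $rc
}

# Usage: ./preflight.sh /webmail/httpd/data m2ktrial.openfind.com.tw [name ...]
if [ $# -ge 2 ]; then
    preflight "$@"
fi
```

Run it with the same -w and -d values you are about to give certbot. Any FAIL means certonly will fail on that name; fix DNS or the port-80 path (firewall, redirect, wrong virtual host) first, because failed validations count against Let's Encrypt's rate limits.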
3. Point Apache at the certificate files:
cd /webmail/httpd/conf/ssl
ln -s /etc/letsencrypt/live/[hostname]/cert.pem cert.pem
ln -s /etc/letsencrypt/live/[hostname]/chain.pem chain.pem
ln -s /etc/letsencrypt/live/[hostname]/privkey.pem privkey.pem
ln -s /etc/letsencrypt/live/[hostname]/fullchain.pem fullchain.pem
vim /webmail/httpd/conf/extra/m2k_ssl.conf
SSLCertificateFile "/webmail/httpd/conf/ssl/cert.pem"
SSLCertificateKeyFile "/webmail/httpd/conf/ssl/privkey.pem"
SSLCertificateChainFile "/webmail/httpd/conf/ssl/chain.pem"
Note: SSLCertificateChainFile takes the intermediates only (chain.pem). fullchain.pem already begins with cert.pem, so pointing the chain directive at it makes Apache send the leaf certificate a second time in the handshake; most clients tolerate it, but it is wrong. On Apache 2.4.8 or newer SSLCertificateChainFile is deprecated and the two certificate directives can be replaced by a single SSLCertificateFile "/webmail/httpd/conf/ssl/fullchain.pem".
4. Schedule periodic renewal:
root's crontab:
CentOS7:
# crontab -e
# Renew the certificate at 03:00 on the 1st of each month and restart Apache
00 03 1 * * /usr/bin/certbot renew --quiet && /webmail/httpd/bin/apachectl restart
## Rebuild tls.pem from the renewed files and restart the mail daemons
10 3 1 * * /usr/bin/cat /webmail/httpd/conf/ssl/fullchain.pem /webmail/httpd/conf/ssl/privkey.pem > /webmail/etc/tls.pem && chmod 640 /webmail/etc/tls.pem && chown webmail:webmail /webmail/etc/tls.pem && su - webmail -c '/webmail/tools/restartshm'
11 3 1 * * /webmail/tools/m2kctrl smtpd restart && /webmail/tools/m2kctrl imap4d restart && /webmail/tools/m2kctrl pop3d restart
Note: tls.pem is fullchain.pem (certificate + chain) followed by privkey.pem. Do not concatenate cert.pem as well: fullchain.pem already starts with it, so the leaf would appear twice. The file contains the private key, so it must not be world-readable (the chmod 640 above; a plain > redirection under root's default umask would leave it 0644).
Note: after building tls.pem, check that the PEM blocks have not run together. If an input file lacks its final newline, its -----END line is glued onto the next -----BEGIN line, and a PEM parser that expects the marker at the start of a line will not see the following block.
Note: certbot renew only replaces certificates with less than 30 days of validity left. With a single run per month, a certificate that still has just over 30 days left on the 1st is skipped and expires before the next run. Run the renewal check daily (certbot's own recommendation is twice a day; nothing is reissued unless it is due) and tie the restarts to an actual renewal rather than to a calendar date.
CentOS6:
00 03 1 * * /opt/letsencrypt/certbot-auto renew --quiet && /webmail/httpd/bin/apachectl restart
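A certbot deploy hook replaces the second and third cron lines above: certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ only after a lineage has actually been renewed, with RENEWED_LINEAGE set to its live/ directory, so the daemons are restarted exactly when the files change. The script below is an added example, not Openfind's or certbot's own code. It assumes certbot 0.19 or newer (for the renewal-hooks directory), the /webmail paths from this note, the openssl CLI for the key check, and that Mail2000 accepts tls.pem as fullchain.pem followed by privkey.pem, the same order the cron line builds. It also implements the two notes above: it normalises each input so the PEM blocks cannot run together, and it refuses to touch the live tls.pem if the result looks wrong.

```shell
#!/bin/sh
# certbot deploy hook for Mail2000 (added example, not Openfind's or certbot's
# own code). Install as /etc/letsencrypt/renewal-hooks/deploy/mail2000.sh,
# mode 0755. certbot (>= 0.19) runs it only after a real renewal, with
# RENEWED_LINEAGE=/etc/letsencrypt/live/<hostname>.
# Assumptions: tls.pem = fullchain.pem followed by privkey.pem; /webmail
# paths as in the note above; openssl CLI available for key_matches_cert.

# 0 when every PEM block in $1 is intact: BEGIN/END counts match, no END
# marker is glued onto the next BEGIN (the symptom of a missing trailing
# newline), exactly one private key and at least one certificate.
check_pem_bundle() {
    b=$1
    begins=$(grep -c -e '-----BEGIN ' "$b" || true)
    ends=$(grep -c -e '-----END ' "$b" || true)
    glued=$(grep -c -e '-----END [A-Z ]*-----.*-----BEGIN ' "$b" || true)
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$b" || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$b" || true)
    if [ "$begins" -eq "$ends" ] && [ "$glued" -eq 0 ] \
       && [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]; then
        return 0
    fi
    return 1
}

# Assemble $2 from $1/fullchain.pem + $1/privkey.pem. `awk 1` re-emits every
# line with a newline, so a part lacking its final newline cannot glue onto
# the next marker. Built in a temp file and validated before it replaces the
# live copy, so a bad build never reaches the daemons.
build_tls_pem() {
    live=$1; out=$2
    tmp=$(mktemp "$out.XXXXXX")
    awk 1 "$live/fullchain.pem" "$live/privkey.pem" > "$tmp"
    if ! check_pem_bundle "$tmp"; then
        rm -f "$tmp"
        echo "build_tls_pem: PEM bundle malformed, $out left unchanged" >&2
        return 1
    fi
    chmod 0640 "$tmp"          # contains the private key
    mv -f "$tmp" "$out"
}

# Confirm the key belongs to the certificate by comparing public keys
# (works for RSA and ECDSA); requires the openssl CLI.
key_matches_cert() {
    live=$1
    c=$(openssl x509 -in "$live/cert.pem" -noout -pubkey)
    k=$(openssl pkey -in "$live/privkey.pem" -pubout)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Rebuild tls.pem and restart the services that read the certificate.
deploy() {
    lineage=$1
    key_matches_cert "$lineage" || { echo "key/cert mismatch in $lineage" >&2; return 1; }
    build_tls_pem "$lineage" /webmail/etc/tls.pem || return 1
    chown webmail:webmail /webmail/etc/tls.pem
    # graceful re-reads the certificate files without dropping open connections
    /webmail/httpd/bin/apachectl graceful
    su - webmail -c '/webmail/tools/restartshm'
    for d in smtpd imap4d pop3d; do
        /webmail/tools/m2kctrl "$d" restart
    done
}

# Run by certbot after a renewal. For a manual run:
#   RENEWED_LINEAGE=/etc/letsencrypt/live/m2ktrial.openfind.com.tw ./mail2000.sh
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

With the hook in place the crontab needs only a daily `certbot renew --quiet` (for example `0 3 * * *`); the Apache and daemon restarts run from the hook, and only when a certificate was actually replaced. Note that `certbot renew --dry-run` does not execute deploy hooks, so test the hook itself with the manual RENEWED_LINEAGE invocation shown in the script.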
Other notes:
certbot has two ways of proving control of the domain that matter here (the standalone and webroot authenticators):
standalone: certbot starts its own temporary web server on port 80 to answer the challenge. If a web server (nginx, Apache) is already running on the host it has to be stopped first, otherwise the port is in use.
webroot: certbot uses the running web server and writes the challenge files under its web root in the hidden .well-known/acme-challenge/ directory; the Let's Encrypt server fetches them through the domain name to confirm that you control it. This is the mode used in the commands above and needs no downtime.
Debug log:
/var/log/letsencrypt/letsencrypt.log
Validation during issuance and renewal goes over port 80 (http-01); if port 80 is normally closed, it must be opened for the check. A single-address allow rule (66.133.109.36 is the one address noted here) is not reliable, because Let's Encrypt does not publish its validation source addresses and checks from several vantage points; port 80 has to be reachable from the internet at least while certbot runs.
Reference sites:
https://blog.gtwang.org/linux/secure-nginx-with-lets-encrypt-ssl-certificate-on-ubuntu-and-debian/
https://linuxstory.org/deploy-lets-encrypt-ssl-certificate-with-certbot/
https://certbot.eff.org/#centosrhel7-apache