Test environment: Ubuntu 20.04 x86_64 + Apache2 (VM hosted on Linode).
The goal is to switch benjr.tw (WordPress) from http://benjr.tw to https://benjr.tw. For what HTTPS is (HTTP with SSL + CA), see https://benjr.tw/96655
HTTPS needs a root CA to vouch for the server's identity. A free certificate can be requested from Let's Encrypt – https://letsencrypt.org/zh-tw/ . Below, the request is made with the tool provided by certbot; the step-by-step instructions are at https://certbot.eff.org/instructions?ws=apache&os=ubuntufocal
Installing the certbot package
First make sure your Ubuntu packages are up to date.
root@localhost:~# apt update && sudo apt upgrade
certbot is installed through the snap package manager.
root@localhost:~# snap
The snap command lets you install, configure, refresh and remove snaps.
Snaps are packages that work across many different Linux distributions,
enabling secure delivery and operation of the latest apps and utilities.

Usage: snap <command> [<options>...]

Commonly used commands can be classified as follows:

        Basics: find, info, install, remove, list
       ...more: refresh, revert, switch, disable, enable, create-cohort
       History: changes, tasks, abort, watch
       Daemons: services, start, stop, restart, logs
   Permissions: connections, interface, connect, disconnect
 Configuration: get, set, unset, wait
   App Aliases: alias, aliases, unalias, prefer
       Account: login, logout, whoami
     Snapshots: saved, save, check-snapshot, restore, forget
        Device: model, reboot, recovery
           ...
         Other: warnings, okay, known, ack, version
   Development: download, pack, run, try

For more information about a command, run 'snap help <command>'.
For a short summary of all commands, run 'snap help --all'.
Install the required packages.
root@localhost:~# snap install core; sudo snap refresh core
2022-02-09T03:42:13Z INFO Waiting for automatic snapd restart...
core 16-2.54.2 from Canonical✓ installed
snap "core" has no updates available
Install certbot.
root@localhost:~# snap install --classic certbot
certbot 1.23.0 from Certbot Project (certbot-eff✓) installed
root@localhost:~# ln -s /snap/bin/certbot /usr/bin/certbot
Configuring Let's Encrypt
Request the Let's Encrypt certificate with certbot; my web server is Apache. Answer the prompts as shown below.
Your e-mail address:
root@localhost:~# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): xxxxxxx@gmail.com
Agree to the terms.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
My Apache instance serves only one site, benjr.tw.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: benjr.tw
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for benjr.tw
It succeeded; the certificate and the private key are saved at the paths below.
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/benjr.tw/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/benjr.tw/privkey.pem
This certificate expires on 2022-05-10.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for benjr.tw to /etc/apache2/sites-available/000-default-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://benjr.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Check the renewal config file; the [[webroot_map]] block has to be added by hand.
root@localhost:~# cat /etc/letsencrypt/renewal/benjr.tw.conf
# renew_before_expiry = 30 days
version = 1.25.0
archive_dir = /etc/letsencrypt/archive/benjr.tw
cert = /etc/letsencrypt/live/benjr.tw/cert.pem
privkey = /etc/letsencrypt/live/benjr.tw/privkey.pem
chain = /etc/letsencrypt/live/benjr.tw/chain.pem
fullchain = /etc/letsencrypt/live/benjr.tw/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = f1216512346c851a05c181f356fdc832
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
[[webroot_map]]
benjr.tw = /var/www/html
Editing the Apache2 HTTPS config file
In the /etc/apache2/sites-available/000-default.conf config file:
root@localhost:~# vi /etc/apache2/sites-available/000-default.conf
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/benjr.tw/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/benjr.tw/privkey.pem
    # SSLCertificateChainFile is obsolete since Apache 2.4.8; on 2.4.8+ you can
    # instead point SSLCertificateFile at fullchain.pem, which already contains the chain.
    SSLCertificateChainFile /etc/letsencrypt/live/benjr.tw/chain.pem
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Then reload the service.
root@localhost:~# systemctl reload apache2
root@localhost:~# systemctl status apache2
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-03-29 00:51:19 UTC; 2h 13min ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 1643448 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
   Main PID: 1615340 (apache2)
      Tasks: 6 (limit: 2282)
     Memory: 62.4M
     CGroup: /system.slice/apache2.service
             ├─1615340 /usr/sbin/apache2 -k start
             ├─1643452 /usr/sbin/apache2 -k start
             ├─1643453 /usr/sbin/apache2 -k start
             ├─1643454 /usr/sbin/apache2 -k start
             ├─1643455 /usr/sbin/apache2 -k start
             └─1643456 /usr/sbin/apache2 -k start
You can check the validity period of your certificate at https://crt.sh/?q=benjr.tw .
Automatic renewal
That completes the setup, but Let's Encrypt certificates expire after 90 days. There are two ways to renew automatically:
- Crontab
You can renew automatically through cron (a script in cron.monthly is run once a month).
root@localhost:~# vi /etc/cron.monthly/benjr
#!/bin/bash
# --dry-run only simulates a renewal against the staging CA and installs nothing,
# so the scheduled job must run the real renewal; keep --dry-run for manual tests.
certbot renew --webroot
root@localhost:~# chmod a+x /etc/cron.monthly/benjr
After editing, you can test whether the files in the cron.monthly directory would run correctly.
root@localhost:~# run-parts --test /etc/cron.monthly/
/etc/cron.monthly//benjr
- snap.certbot.renew.timer
The snap.certbot.renew.timer unit renews the certificate automatically.
By default it runs every day at 09:23 and 17:43.
root@localhost:~# cat /etc/systemd/system/timers.target.wants/snap.certbot.renew.timer
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=snap-certbot-1888.mount
After=snap-certbot-1888.mount
X-Snappy=yes

[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 09:23
OnCalendar=*-*-* 17:43

[Install]
WantedBy=timers.target
Check the timer's status.
root@localhost:~# systemctl status snap.certbot.renew.timer
● snap.certbot.renew.timer - Timer renew for snap application certbot.renew
     Loaded: loaded (/etc/systemd/system/snap.certbot.renew.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Wed 2022-03-16 22:48:03 UTC; 1 weeks 5 days ago
    Trigger: Tue 2022-03-29 09:23:00 UTC; 6h left
   Triggers: ● snap.certbot.renew.service

Mar 16 22:48:03 localhost systemd[1]: Started Timer renew for snap application certbot.renew.
root@localhost:~# systemctl list-timers --no-pager | grep -i snap.certbot.renew.timer
Tue 2022-03-29 09:23:00 UTC  6h left  Tue 2022-03-29 00:47:04 UTC  2h 32min ago  snap.certbot.renew.timer  snap.certbot.renew.service
Problems encountered
- Unable to install certbot via apt
Following the Linode guide – https://www.linode.com/docs/guides/install-lets-encrypt-to-create-ssl-certificates/ – I ran into the problems below; the snap method above is what finally worked.
root@localhost:~# apt-get install git
root@localhost:~# git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
root@localhost:~# cd /opt/letsencrypt
root@localhost:/opt/letsencrypt# sudo -H ./letsencrypt-auto-source/letsencrypt-auto certonly --standalone -d example.com -d benjr.tw
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
root@localhost:/opt/letsencrypt# wget https://raw.githubusercontent.com/certbot/certbot/7f0fa18c570942238a7de73ed99945c3710408b4/letsencrypt-auto-source/letsencrypt-auto /opt/letsencrypt/
--2022-02-09 02:23:12--  https://raw.githubusercontent.com/certbot/certbot/7f0fa18c570942238a7de73ed99945c3710408b4/letsencrypt-auto-source/letsencrypt-auto
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 2606:50c0:8003::154, 2606:50c0:8002::154, 2606:50c0:8001::154, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8003::154|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 80017 (78K) [text/plain]
Saving to: ‘letsencrypt-auto’

letsencrypt-auto    100%[=================================================>]  78.14K  --.-KB/s    in 0.001s

2022-02-09 02:23:12 (97.4 MB/s) - ‘letsencrypt-auto’ saved [80017/80017]

/opt/letsencrypt/: Scheme missing.
FINISHED --2022-02-09 02:23:12--
Total wall clock time: 0.01s
Downloaded: 1 files, 78K in 0.001s (97.4 MB/s)
root@localhost:/opt/letsencrypt# chmod a+x letsencrypt-auto
root@localhost:/opt/letsencrypt# sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d benjr.tw
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Hit:1 http://mirrors.linode.com/ubuntu focal InRelease
Hit:2 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:3 http://mirrors.linode.com/ubuntu focal-updates InRelease
Hit:4 http://mirrors.linode.com/ubuntu focal-backports InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'python-is-python2' instead of 'python'
Note, selecting 'python-dev-is-python2' instead of 'python-dev'
Package python-virtualenv is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'python-virtualenv' has no installation candidate
- Renew failure 1
root@localhost:~# certbot renew --webroot --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/benjr.tw.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for benjr.tw

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: benjr.tw
  Type:   unauthorized
  Detail: Invalid response from https://benjr.tw/.well-known/acme-challenge/c7Mbza-MumwtaOGsp0oWBaHTt6i0CFrahE3Xpyc0p8I [172.105.215.98]: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate benjr.tw with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/benjr.tw/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
The wrong webroot was specified; the correct path must be set in [[webroot_map]].
root@localhost:~# vi /etc/letsencrypt/renewal/benjr.tw.conf
# renew_before_expiry = 30 days
version = 1.25.0
archive_dir = /etc/letsencrypt/archive/benjr.tw
cert = /etc/letsencrypt/live/benjr.tw/cert.pem
privkey = /etc/letsencrypt/live/benjr.tw/privkey.pem
chain = /etc/letsencrypt/live/benjr.tw/chain.pem
fullchain = /etc/letsencrypt/live/benjr.tw/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = f1216512346c851a05c181f356fdc832
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
[[webroot_map]]
benjr.tw = /var/www/html
- Renew failure 2
root@localhost:~# certbot renew --webroot --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/benjr.tw.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for benjr.tw
Failed to renew certificate benjr.tw with error: Missing command line flag or config entry for this setting:
Input the webroot for benjr.tw:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/benjr.tw/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
The webroot must be set to the correct path in [[webroot_map]], then the renewal is run again.
root@localhost:~# vi /etc/letsencrypt/renewal/benjr.tw.conf
# renew_before_expiry = 30 days
version = 1.25.0
archive_dir = /etc/letsencrypt/archive/benjr.tw
cert = /etc/letsencrypt/live/benjr.tw/cert.pem
privkey = /etc/letsencrypt/live/benjr.tw/privkey.pem
chain = /etc/letsencrypt/live/benjr.tw/chain.pem
fullchain = /etc/letsencrypt/live/benjr.tw/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = f1216512346c851a05c181f356fdc832
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
[[webroot_map]]
benjr.tw = /var/www/html
root@localhost:~# certbot renew --webroot --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/benjr.tw.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for benjr.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/benjr.tw/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
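As an added example that is not from the original post, the script below ties together the cron job above and the two renew failures: it reads the [[webroot_map]] path from the renewal file, checks that a probe file under .well-known/acme-challenge/ is really served for the domain over HTTP (the 404 case), and only then runs a real renewal with an Apache reload hook. The RENEWAL_DIR override, the use of curl, and the deploy hook are my assumptions, not part of the original setup.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of the HTTP-01
# webroot before a real renewal. Assumes the renewal file layout shown above
# (<RENEWAL_DIR>/<domain>.conf with a [[webroot_map]] block) and that curl exists.
RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# Print the webroot mapped to DOMAIN in CONF ("benjr.tw = /var/www/html" lines
# under [[webroot_map]]); prints nothing when there is no such entry.
webroot_from_conf() {
  conf="$1"; domain="$2"
  [ -r "$conf" ] || return 1
  awk -v d="$domain" '
    $1 == "[[webroot_map]]"        { inmap = 1; next }
    substr($1, 1, 1) == "["        { inmap = 0 }
    inmap && $1 == d && $2 == "="  { print $3; exit }
  ' "$conf"
}

# Drop a throwaway token under <webroot>/.well-known/acme-challenge/ and fetch it
# the way the CA does: plain HTTP on port 80, following redirects (-L), since the
# 404 in "Renew failure 1" came back after a redirect to https. Returns 0 only
# when the body read back equals the token.
probe_challenge() {
  domain="$1"; dir="$2/.well-known/acme-challenge"
  token="probe-$(date +%s)-$$"
  mkdir -p "$dir" && printf '%s\n' "$token" > "$dir/$token" || return 1
  got=$(curl -fsSL --max-time 10 "http://$domain/.well-known/acme-challenge/$token")
  rc=$?
  rm -f "$dir/$token"
  [ "$rc" -eq 0 ] && [ "$got" = "$token" ]
}

# Run the real renewal (no --dry-run) only after the webroot proved reachable,
# and reload Apache only when certbot actually replaced the certificate.
renew_if_reachable() {
  domain="$1"; conf="$RENEWAL_DIR/$domain.conf"
  webroot=$(webroot_from_conf "$conf" "$domain") || webroot=""
  if [ -z "$webroot" ]; then
    echo "no [[webroot_map]] entry for $domain in $conf" >&2; return 1
  fi
  if ! probe_challenge "$domain" "$webroot"; then
    echo "token under $webroot not served at http://$domain" >&2; return 1
  fi
  certbot renew --webroot -w "$webroot" --deploy-hook "systemctl reload apache2"
}

# e.g. sh renew-check.sh benjr.tw  (nothing runs when sourced without arguments)
if [ "$#" -gt 0 ]; then renew_if_reachable "$1"; fi
```

Dropping this in place of the cron.monthly script keeps the same schedule but refuses to hammer the CA when the webroot is wrong.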