I. Connect to the server via SSH
Connect via SSH to the server running your HTTP website as a user with sudo privileges.
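II. Remove Certbot packages
If you have any Certbot packages installed using an OS package manager such as apt, dnf or yum, you should remove them before installing the Certbot snap, to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager. The exact command to do this depends on your OS, but common examples include:
sudo apt-get remove certbot
sudo dnf remove certbot
sudo yum remove certbot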
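III. Install snapd
Reference: Installing snapd
3.1 Installing snap on Rocky Linux
Reference: Installing snap on Rocky Linux
3.1.1 Adding EPEL to Rocky Linux 8
The snap package for Rocky Linux can be found in the Extra Packages for Enterprise Linux (EPEL) repository. The EPEL repository can be added to a Rocky Linux system with the following commands:
sudo dnf install epel-release
sudo dnf upgrade
3.1.2 Installing snapd
With the EPEL repository added to your Rocky Linux installation, simply install the snapd package (as root or with sudo):
sudo yum install snapd
Once installed, the systemd unit that manages the main snap communication socket needs to be enabled:
sudo systemctl enable --now snapd.socket
To enable classic snap support, enter the following to create a symbolic link between /var/lib/snapd/snap and /snap:
sudo ln -s /var/lib/snapd/snap /snap
Log out and back in again, or restart your system, to ensure snap's paths are updated correctly.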
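3.2 Installing snap on CentOS 7
Reference: Installing snap on CentOS
3.2.1 Adding EPEL to CentOS 7
The EPEL repository can be added to a CentOS 7 system with the following command:
sudo yum install epel-release
3.2.2 Installing snapd
With the EPEL repository added to your CentOS installation, simply install the snapd package:
sudo yum install snapd
Once installed, the systemd unit that manages the main snap communication socket needs to be enabled:
sudo systemctl enable --now snapd.socket
To enable classic snap support, enter the following to create a symbolic link between /var/lib/snapd/snap and /snap:
sudo ln -s /var/lib/snapd/snap /snap
Log out and back in again, or restart your system, to ensure snap's paths are updated correctly.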
IV. Install Certbot
Run this command on the command line on the machine to install Certbot.
sudo snap install --classic certbot
V. Prepare the Certbot command
Run the following command on the machine's command line to ensure that the certbot command can be run.
sudo ln -s /snap/bin/certbot /usr/bin/certbot
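VI. Choose how you'd like to run Certbot
6.1 Get and install your certificates…
Run this command to get a certificate and have Certbot edit your nginx configuration automatically to serve it, turning on HTTPS access in a single step.
sudo certbot --nginx
Certbot can read the Nginx configuration, list the domain names in it and let the user choose which ones to request certificates for. Here certificates are requested for both sannaha.moe and thinklong.me: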
# Configure HTTPS for a website running on Nginx
# After issuance Certbot modifies the Nginx configuration automatically; back up the Nginx configuration files before using this command
$ certbot --nginx
# On first contact with the Let’s Encrypt server, follow the prompts to create an account
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): <email@sannaha.moe>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.

# Select the domain names to request certificates for
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: sannaha.moe
2: thinklong.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Requesting a certificate for sannaha.moe and thinklong.me

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/sannaha.moe/fullchain.pem
Key is saved at: /etc/letsencrypt/live/sannaha.moe/privkey.pem
This certificate expires on 2023-02-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for sannaha.moe to /etc/nginx/conf.d/sannaha.conf
Successfully deployed certificate for thinklong.me to /etc/nginx/conf.d/thinklong.conf
Congratulations! You have successfully enabled HTTPS on https://sannaha.moe and https://thinklong.me

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 * Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
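Because certbot --nginx rewrites the server configuration in place, it helps to snapshot the configuration first and review exactly what changed afterwards. The following is an added example, not part of the original page or of Certbot itself; the function names and the backup location are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). Function names and the backup
# location are hypothetical; only standard cp, diff and sed are used.

# snapshot_conf CONF_DIR BACKUP_ROOT
# Copy the whole Nginx config tree into a timestamped, owner-only directory
# and print the snapshot path.
snapshot_conf() {
    snap_dir="$2/nginx-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$snap_dir" && chmod 700 "$snap_dir" || return 1
    cp -Rp "$1/." "$snap_dir/" || return 1   # -p keeps modes and timestamps
    printf '%s\n' "$snap_dir"
}

# conf_diff SNAPSHOT CONF_DIR
# Unified diff of snapshot vs. live config. Exit status 0 = unchanged,
# 1 = Certbot (or anything else) modified the tree.
conf_diff() {
    diff -ru "$1" "$2"
}

# added_cert_directives SNAPSHOT CONF_DIR
# Print only the ssl_certificate / ssl_certificate_key lines that were added,
# so the referenced certificate and key paths can be checked.
added_cert_directives() {
    diff -ru "$1" "$2" | sed -n 's/^+[[:space:]]*\(ssl_certificate.*\)$/\1/p'
}

# restore_conf SNAPSHOT CONF_DIR
# Put the snapshotted files back over the live tree (run `nginx -t` afterwards).
restore_conf() {
    cp -Rp "$1/." "$2/"
}

# Typical use, as root:
#   snap=$(snapshot_conf /etc/nginx /root/nginx-backups)
#   certbot --nginx
#   conf_diff "$snap" /etc/nginx | less
#   added_cert_directives "$snap" /etc/nginx
```

restore_conf overwrites modified files but does not delete files created after the snapshot, so check the conf_diff output for new files before relying on it as a rollback.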
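6.2 Or, just get a certificate
If you're feeling more conservative and would like to make the changes to your nginx configuration by hand, run this command.
sudo certbot certonly --nginx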
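VII. Test automatic renewal
The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again unless you change your configuration. You can test automatic renewal for your certificates by running this command:
sudo certbot renew --dry-run
The command to renew certbot is installed in one of the following locations:
/etc/crontab/
/etc/cron.*/*
systemctl list-timers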
VIII. Confirm that Certbot worked
To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar.
IX. Other usage
9.1 List all running timers
systemctl list-timers