ssl证书申请及续签

环境介绍

众所周知，ssl 证书一般是要花钱买的。但是我这次要讲的证书是免费的，同时也受浏览器认可。证书机构Let’s Encrypt，一家国外的机构。那么具体操作就看下面操作部分了。

SSL证书申请及自动续期

将 EPEL 存储库添加到您的 RHEL 安装中后，只需安装snapd包：

[root@blog ~]# yum -y install snapd

安装后，需要启用管理主 snap 通信套接字的systemd单元：

[root@blog ~]# sudo systemctl enable –now snapd.socket
Created symlink /etc/systemd/system/sockets.target.wants/snapd.socket → /usr/lib/systemd/system/snapd.socket.

要启用经典snap 支持，请输入以下内容以在/var/lib/snapd/snap和之间创建符号链接/snap：

[root@blog ~]# sudo ln -s /var/lib/snapd/snap /snap

安装证书机器人在机器上的命令行上运行此命令以安装 Certbot。

[root@blog ~]# sudo snap install –classic certbot
certbot 1.32.0 from Certbot Project (certbot-eff✓) installed

在机器上的命令行执行以下指令，确保certbot命令可以运行。

[root@blog ~]# ln -s /snap/bin/certbot /usr/bin/certbot

运行此命令以获取证书并让 Certbot 自动编辑您的 Nginx 配置以提供服务，只需一步即可打开 HTTPS 访问。如果你希望自己修改nginx配置文件，那么执行下一步，跳过该步。

[root@blog ~]# certbot certonly

如果您感觉更保守并希望手动更改 Nginx 配置，那么选择这一步骤，自己去改nginx配置文件。

[root@blog ~]# certbot certonly –nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter ‘c’ to cancel):  #输入你的邮箱
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
(Y)es/(N)o: Y
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let’s Encrypt project and the non-profit organization that
develops Certbot? We’d like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
(Y)es/(N)o: Y
Account registered.
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
1: blog.xtgby.com
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Requesting a certificate for blog.xtgby.com
 
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/blog.xtgby.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/blog.xtgby.com/privkey.pem
This certificate expires on 2023-02-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

测试证书的自动续订

[root@blog ~]# certbot renew –dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Processing /etc/letsencrypt/renewal/blog.xtgby.com.conf
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Account registered.
Simulating renewal of an existing certificate for blog.xtgby.com
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/blog.xtgby.com/fullchain.pem (success)
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

结束之有话想说

既然申请完https证书之后，就赶紧配置你的网站去吧骚年。👊