使用Let's Encrypt申请免费通配符SSL证书的方法,今天在更新证书的时候发现生成证书有问题,原因是因为certbot-auto不再支持所有的操作系统:
1、错误提示:
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
2、certbot-auto不被支持的原因:
The biggest factor that drove this deprecation now was Python 2 reaching its end-of-life this year. When this script was initially written 5 years ago, it was written to use Python 2 on most systems. While Python 2 is still receiving security support by various distros, the Python ecosystem has moved on and many of our dependencies are dropping support for Python 2. In order to continue to provide updates to our users, we have to get them on Python 3. We tried to migrate certbot-auto users to Python 3 in the past, but it's a ton of work and extremely error prone. Instead of trying to do this work and hope we didn't break anything (like we did last time 3), we decided to sunset the script in favor of other distribution methods.
3、解决方法:
certbot团队使用了基于snap的新的分发方法。
4、安装方法:
(1)、先安装epel:
|
1 |
yum install epel-release |
(2)、安装snapd:
|
1 |
yum install snapd |
(3)、启用snapd.socket:
|
1 |
systemctl enable --now snapd.socket |
(4)、创建/var/lib/snapd/snap和/snap之间的链接:
|
1 |
ln -s /var/lib/snapd/snap /snap |
(5)、重启系统(确保snap启动正常,否则可能提示error: too early for operation, device not yet seeded or device model not acknowledged):
|
1 |
reboot |
(6)、更新snap至最新版本:
|
1 2 |
snap install core snap refresh core |
(7)、卸载certbot(如果之前yum装过certbot):
|
1 |
yum remove certbot |
(8)、删除certbot相关文件(如果之前yum装过certbot):
|
1 |
rm /usr/local/bin/certbot-auto |
(9)、删除certbot附加软件包(如果之前yum装过certbot):
|
1 |
rm -rf /opt/eff.org/certbot |
(11)、通过snap安装certbot:
|
1 |
snap install --classic certbot |
(12)、创建/snap/bin/certbot软链接:
|
1 |
ln -s /snap/bin/certbot /usr/bin/certbot |
5、申请证书(通配格式):
|
1 |
certbot certonly -d "1987619.com" -d "*.1987619.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory |
执行到这里的时候,我们需要先去域名添加对应的DNS TXT记录之后,再去回车继续执行,会显示验证成功并生成了ssl证书文件
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
Waiting for verification... Cleaning up challenges Subscribe to the EFF mailing list (email: service@1987619.com). IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/1987619.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/1987619.com/privkey.pem Your cert will expire on 2021-01-18. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le |
6、参数说明:
(1)、certbot相关参数:
|
1 2 3 4 |
certonly 表示插件,Certbot有很多插件。不同的插件都可以申请证书,用户可以根据需要自行选择。 -d 为哪些主机申请证书。如果是通配符,输入 *.xxx.com(根据实际情况替换为你自己的域名) --preferred-challenges dns-01 使用DNS方式校验域名所有权 --server Let's Encrypt ACME v2版本使用的服务器不同于v1版本,需要指定 |
(2)、校验域名的所有权的3种方式:
|
1 2 3 |
dns-01:给域名添加一个 DNS TXT 记录。 http-01:在域名对应的 Web 服务器下放置一个 HTTP well-known URL 资源文件。 tls-sni-01:在域名对应的 Web 服务器下放置一个 HTTPS well-known URL 资源文件。 |
7、注意事项:
(1)、申请通配符证书,只能使用 dns-01 的方式。
(2)、证书的有效期是90天
(3)、如果统配和根域名都要使用的话,生成的时候需要写成-d "1987619.com" -d "*.1987619.com" ,域名替换成自己的即可