在「使用 Let’s Encrypt 申請 Wildcard 憑證,並設定 NGINX」這篇文章中,介紹如何為自己的 NGINX 網站申請 Let’s Encrypt 憑證。不過,這個方法沒辦法自動申請更新憑證。本文就來介紹如何申請 Let’s Encrypt 憑證,並自動更新。

本文假設網站 DNS 由 Cloudflare 代管,若由其他業者代管的,則只需安裝相對應的 Plug-in (本文會介紹安裝方法),然後參考這篇文章,來設定相對應的 plug-in。

Step 1: 安裝 snapd (以 Ubuntu 為例)

$ sudo apt update
$ sudo apt install snapd

Step 2: 確認 snapd 為最新版本

$ sudo snap install core
$ sudo snap refresh core

Step 3: 移除之前安裝的 Certbot 套件

$ sudo apt remove certbot

Step 4: 安裝 Certbot

$ sudo snap install --classic certbot

Step 5: 製作連結

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 6: 確認 plug-in 與 Certbot 屬於同一個 containment

$ sudo snap set certbot trust-plugin-with-root=ok

Step 7: 安裝對應的 DNS plug-in

如果網站的 DNS 代管業者是 Cloudflare,則輸入下面的指令:

$ sudo snap install certbot-dns-cloudflare

如果代管業者是這篇文章中的其中一個,則輸入下面指令,將 certbot-dns-<PLUGIN> 改成文章中對應的名稱:

$ sudo snap install certbot-dns-<PLUGIN>

Step 8: 至 Cloudflare 取得認證 Token

登入 Cloudflare,點選右上角頭像,點選「我的設定檔」:

進入設定檔之後,點選 API Token:

點選「建立 Toekn」:

在編輯區域 DNS 欄中,點選「使用範本」:

在「權限」段落中,下拉選單選擇「區域」、「DNS」、「編輯」,然後在「區域資源」段落裡,選擇要認證的 domain 名稱。如果要認證多個 domain,則點選「+新增其他」,加入所有要認證的 domain。

點選「確定」之後,就會產生出 API Token 了。這時候點選「Copy」,把 Token 拷貝下來,下一個步驟會用到。

Step 9: 編寫 Plug-in 的設定檔

以下範例是以 Cloudflare 為例,如果是其他業者,請參考這篇文章,並點選相對應 plug-in 的連結進入,按照其內容編寫設定檔。

Cloudflare plug-in 的設定檔說明文件在這裡

$ cd /etc/letsencrypt
$ nano dns-cloudflare.conf

在編輯「dns-cloudflare.conf」時,填入下面這行,「等於」符號後面填入在上一步驟拷貝下來的 API Token:

dns_cloudflare_api_token = KxXXXXXXXXXXXXYYYYYYYYYYZZZmyMkziYBS5

存檔之後,將權限改成只有 root 可以讀取,以防止外洩。

$ sudo chmod 600 dns-cloudflare.conf

Step 10: 申請/展期(renew)憑證

$ sudo certbot certonly \
>   --dns-cloudflare \
>   -i nginx \
>   --dns-cloudflare-credentials /etc/letsencrypt/dns-cloudflare.conf \
>   -d example.com \
>   -d *.example.com \
>   --dns-cloudflare-propagation-seconds 30 \

下面是成功申請或展延訊息:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer nginx
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for *.example.com
Waiting 30 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2021-02-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 11: 設定並重新啟動 NGIX

編輯 NGINX 的設定檔,在裡面加入紅字的部分:

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

重新啟動 NGINX

$ sudo systemctl restart nginx

Step 12: 確認自動延展更新(renew)功能

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer nginx
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for *.example.com
Waiting 30 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$

確認 certbot 是否已經列入自動執行:

$ sudo systemctl list-timers

檢查執行紀錄(log):

$ sudo su -
# cd /var/log/letsencrypt
# more letsencrypt.log

這個網站採用 Akismet 服務減少垃圾留言。進一步瞭解 Akismet 如何處理網站訪客的留言資料