In the earlier article "使用 Let's Encrypt 申請 Wildcard 憑證,並設定 NGINX" (requesting a Let's Encrypt wildcard certificate and configuring NGINX), I showed how to obtain a Let's Encrypt certificate for your own NGINX site. That method, however, cannot renew the certificate automatically. This article shows how to obtain a Let's Encrypt certificate and have it renewed automatically.
This article assumes the site's DNS is hosted by Cloudflare. If it is hosted by another provider, you only need to install the matching plugin (installation is covered below) and then follow the linked article to configure that plugin.
Step 1: Install snapd (Ubuntu used as the example)
$ sudo apt update
$ sudo apt install snapd
Step 2: Make sure snapd is up to date
$ sudo snap install core
$ sudo snap refresh core
Step 3: Remove any previously installed Certbot package
$ sudo apt remove certbot
Step 4: Install Certbot
$ sudo snap install --classic certbot
Step 5: Create a symlink
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Step 6: Confirm the plugin and Certbot share the same containment level
$ sudo snap set certbot trust-plugin-with-root=ok
Step 7: Install the matching DNS plugin
If the site's DNS is hosted by Cloudflare, run:
$ sudo snap install certbot-dns-cloudflare
If the provider is one of those listed in the linked article, run the following command, replacing certbot-dns-<PLUGIN> with the name given there:
$ sudo snap install certbot-dns-<PLUGIN>
Step 8: Obtain an API token from Cloudflare
Log in to Cloudflare, click the avatar in the top-right corner, then click "My Profile":
On the profile page, click "API Tokens":
Click "Create Token":
In the "Edit zone DNS" row, click "Use template":
Under "Permissions", select "Zone", "DNS", "Edit" from the drop-down menus; under "Zone Resources", select the domain to be validated. To validate several domains, click "+ Add more" and add each of them.
After you click "OK", the API token is generated. Click "Copy" to copy the token; you will need it in the next step.
Step 9: Write the plugin's configuration file
The example below uses Cloudflare. For another provider, open the linked article, follow the link for the matching plugin, and write the configuration file as described there.
The Cloudflare plugin's configuration file is documented here.
$ cd /etc/letsencrypt
$ nano dns-cloudflare.conf
When editing "dns-cloudflare.conf", enter the following line, putting the API token copied in the previous step after the equals sign:
dns_cloudflare_api_token = KxXXXXXXXXXXXXYYYYYYYYYYZZZmyMkziYBS5
After saving, change the permissions so that only root can read the file, to keep the token from leaking.
$ sudo chmod 600 dns-cloudflare.conf
Step 10: Request / renew the certificate
$ sudo certbot certonly \
> --dns-cloudflare \
> -i nginx \
> --dns-cloudflare-credentials /etc/letsencrypt/dns-cloudflare.conf \
> -d example.com \
> -d *.example.com \
> --dns-cloudflare-propagation-seconds 30
Output of a successful request or renewal:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer nginx
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for *.example.com
Waiting 30 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2021-02-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Step 11: Configure and restart NGINX
Edit the NGINX configuration file and add the following lines (shown in red in the original post):
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
Restart NGINX:
$ sudo systemctl restart nginx
Step 12: Verify automatic renewal
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer nginx
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for *.example.com
Waiting 30 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$
Confirm that certbot has been scheduled to run automatically:
$ sudo systemctl list-timers
Check the log:
$ sudo su -
# cd /var/log/letsencrypt
# more letsencrypt.log
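As an added example (not part of the original post), the script below turns Steps 9, 10 and 12 into repeatable checks: it verifies that the credentials file holding the Cloudflare token is not readable by other users, reports how many days the live certificate has left so a stalled renewal shows up early, and optionally installs a deploy hook that reloads NGINX after each renewal (Certbot's renewal-hooks/deploy directory; a safety net alongside the nginx installer the post selects). It assumes the paths used in the post, a GNU userland (stat, date) and that the --check run is done as root, since /etc/letsencrypt is root-only; the file name check-le.sh and the WARN_DAYS threshold are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: post-setup checks for the Certbot +
# Cloudflare DNS configuration described above. Paths are the ones used in the post.
CREDS="${CREDS:-/etc/letsencrypt/dns-cloudflare.conf}"
CERT="${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}"
WARN_DAYS="${WARN_DAYS:-20}"   # Certbot renews with ~30 days left; fewer than 20 means renewal is stalled

# Return 0 when the mode grants nothing to group or others (600, 400, 700 ...),
# so the Cloudflare API token in the file is readable by its owner only.
file_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Turn an OpenSSL "notAfter=..." line into whole days from now (negative if expired).
# Relies on GNU date parsing OpenSSL's date format.
days_until_notafter() {
    end="${1#notAfter=}"
    end_epoch=$(date -d "$end" +%s) || return 1
    echo $(( (end_epoch - $(date +%s)) / 86400 ))
}

# Days left on the live certificate written by "certbot certonly".
cert_days_left() {
    days_until_notafter "$(openssl x509 -noout -enddate -in "$1")"
}

# Install a deploy hook so NGINX reloads after every successful renewal.
# $1 is the hook directory; Certbot's own is /etc/letsencrypt/renewal-hooks/deploy.
write_reload_hook() {
    hook="$1/reload-nginx.sh"
    printf '%s\n' '#!/bin/sh' 'systemctl reload nginx' > "$hook" && chmod 755 "$hook"
}

main() {
    file_is_private "$CREDS" || echo "WARNING: $CREDS is readable by group/other; run: chmod 600 $CREDS"
    left=$(cert_days_left "$CERT") || { echo "ERROR: cannot read $CERT"; return 1; }
    echo "certificate expires in $left days"
    [ "$left" -ge "$WARN_DAYS" ] ||
        echo "WARNING: renewal looks stalled; check snap.certbot.renew.timer in 'systemctl list-timers' and /var/log/letsencrypt/letsencrypt.log"
}

# Run the checks only when invoked with --check, e.g.: sudo ./check-le.sh --check
if [ "${1:-}" = "--check" ]; then main; fi
```

To install the hook once, source the script and run write_reload_hook /etc/letsencrypt/renewal-hooks/deploy as root; a later "certbot renew --dry-run" will then show the hook being skipped, which is normal for a dry run.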