Obtaining a Let's Encrypt certificate and setting up automatic renewal

    In the article "Using Let's Encrypt to obtain a wildcard certificate and configure NGINX", I showed how to obtain a Let's Encrypt certificate for your own NGINX site. That method, however, cannot renew the certificate automatically. This article shows how to obtain a Let's Encrypt certificate and have it renewed automatically.

    This article assumes the site's DNS is hosted by Cloudflare. If it is hosted by another provider, you only need to install the corresponding plug-in (installation is covered below) and then refer to the linked article to configure that plug-in.

    Step 1: Install snapd (Ubuntu as the example)

    $ sudo apt update
    $ sudo apt install snapd

    Step 2: Make sure snapd is up to date

    $ sudo snap install core
    $ sudo snap refresh core

    Step 3: Remove any previously installed Certbot package

    $ sudo apt remove certbot

    Step 4: Install Certbot

    $ sudo snap install --classic certbot

    Step 5: Create the symlink

    $ sudo ln -s /snap/bin/certbot /usr/bin/certbot

    Step 6: Confirm that the plug-in and Certbot share the same containment

    $ sudo snap set certbot trust-plugin-with-root=ok

    Step 7: Install the matching DNS plug-in

    If the site's DNS is hosted by Cloudflare, run the following command:

    $ sudo snap install certbot-dns-cloudflare

    If the provider is one of those listed in the linked article, run the following command, replacing certbot-dns-<PLUGIN> with the corresponding name from that article:

    $ sudo snap install certbot-dns-<PLUGIN>

    Step 8: Obtain an API Token from Cloudflare

    Log in to Cloudflare, click the avatar at the top right, then click "My Profile":

    On the profile page, click "API Tokens":

    Click "Create Token":

    In the "Edit zone DNS" row, click "Use template":

    Under "Permissions", choose "Zone", "DNS" and "Edit" from the drop-down menus; then under "Zone Resources", select the domain to be validated. To validate several domains, click "+ Add more" and add every domain you need.

    After clicking "Confirm", the API Token is generated. Click "Copy" to copy the token; it is needed in the next step.

    Step 9: Write the plug-in configuration file

    The example below uses Cloudflare. For other providers, refer to the linked article, follow the link to the corresponding plug-in, and write the configuration file according to its documentation.

    The Cloudflare plug-in's configuration file is documented here.

    $ cd /etc/letsencrypt
    $ nano dns-cloudflare.conf

    When editing dns-cloudflare.conf, enter the line below, putting the API Token copied in the previous step after the equals sign:

    dns_cloudflare_api_token = KxXXXXXXXXXXXXYYYYYYYYYYZZZmyMkziYBS5

    After saving, change the permissions so that only root can read the file, to prevent the token from leaking.

    $ sudo chmod 600 dns-cloudflare.conf

    Step 10: Obtain / renew the certificate

    $ sudo certbot certonly \
    >   --dns-cloudflare \
    >   -i nginx \
    >   --dns-cloudflare-credentials /etc/letsencrypt/dns-cloudflare.conf \
    >   -d example.com \
    >   -d *.example.com \
    >   --dns-cloudflare-propagation-seconds 30

    The output of a successful issuance or renewal looks like this:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator dns-cloudflare, Installer nginx
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for example.com
    dns-01 challenge for *.example.com
    Waiting 30 seconds for DNS changes to propagate
    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/example.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/example.com/privkey.pem
       Your cert will expire on 2021-02-10. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    

    Step 11: Configure and restart NGINX

    Edit the NGINX configuration file and add the following lines (shown in red in the original post):

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    Restart NGINX:

    $ sudo systemctl restart nginx

    Step 12: Verify the automatic renewal function

    $ sudo certbot renew --dry-run
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/example.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert not due for renewal, but simulating renewal for dry run
    Plugins selected: Authenticator dns-cloudflare, Installer nginx
    Renewing an existing certificate
    Performing the following challenges:
    dns-01 challenge for example.com
    dns-01 challenge for *.example.com
    Waiting 30 seconds for DNS changes to propagate
    Waiting for verification...
    Cleaning up challenges
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    new certificate deployed without reload, fullchain is
    /etc/letsencrypt/live/example.com/fullchain.pem
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates below have not been saved.)
    
    Congratulations, all renewals succeeded. The following certs have been renewed:
      /etc/letsencrypt/live/example.com/fullchain.pem (success)
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates above have not been saved.)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    $

    Confirm that certbot has been scheduled to run automatically:

    $ sudo systemctl list-timers

    Check the log:

    $ sudo su -
    # cd /var/log/letsencrypt
    # more letsencrypt.log
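    Two small checks that tie Step 9 and Step 12 together, added here as an example and not part of the original post or of Certbot: check_credentials_file() enforces the rule that the file holding the Cloudflare API token must be readable only by its owner (root when certbot runs under sudo) and actually contains a dns_cloudflare_api_token value, and count_renewed() reads "certbot renew" output like the dry run above and reports how many certificates were renewed successfully. It assumes GNU stat (Linux, as on the Ubuntu host in the post); the sample renew output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils stat.

# Usage: check_credentials_file /etc/letsencrypt/dns-cloudflare.conf 0
# Second argument is the expected owner uid (default 0 = root).
# Returns 0 when the file is a regular file, mode 600 or 400, owned by the
# expected uid, and holds exactly one dns_cloudflare_api_token line.
check_credentials_file() {
    f="$1"; want_uid="${2:-0}"
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    set -- $(stat -c '%a %u' "$f")      # e.g. "600 0"
    mode="$1"; uid="$2"
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
        echo "$f: mode is $mode, expected 600 (token readable by others)" >&2
        return 1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "$f: owned by uid $uid, expected uid $want_uid" >&2
        return 1
    fi
    # Exactly one line of the form: dns_cloudflare_api_token = <value>
    n=$(grep -Ec '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]]+' "$f" || true)
    if [ "$n" != "1" ]; then
        echo "$f: expected one dns_cloudflare_api_token line, found $n" >&2
        return 1
    fi
    return 0
}

# Usage: sudo certbot renew --dry-run 2>&1 | count_renewed
# Prints the number of "/etc/letsencrypt/live/<name>/fullchain.pem (success)"
# lines, i.e. certificates certbot reported as renewed.
count_renewed() {
    grep -Ec '^[[:space:]]*/etc/letsencrypt/live/[^ ]+/fullchain\.pem \(success\)$' || true
}

# Constructed sample, modelled on the Step 12 dry-run summary (two certs).
SAMPLE_RENEW_OUTPUT='Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
  /etc/letsencrypt/live/example.net/fullchain.pem (success)'

if [ -f /etc/letsencrypt/dns-cloudflare.conf ]; then
    check_credentials_file /etc/letsencrypt/dns-cloudflare.conf 0 && echo "credentials file OK"
fi
echo "renewed in sample: $(printf '%s\n' "$SAMPLE_RENEW_OUTPUT" | count_renewed)"
```

Run the credentials check before the first certonly call and again from a cron job or the timer if you want an alert whenever someone loosens the permissions on the token file.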
