ACME client Certbot: installing a Let's Encrypt certificate for nginx on FreeBSD

From ChevyneWiki

Install the Certbot package

pkg install py37-certbot

After installation the following message is shown:

Since version 1.25 HTTPS connections are now verified by default which is done
via "cert_reqs = 'CERT_REQUIRED'".  While certificate verification can be
disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on.

Various consumers of net/py-urllib3 already have implemented routines that
either explicitly enable or disable HTTPS certificate verification (e.g. via
configuration settings, CLI arguments, etc.).

Yet it may happen that there are still some consumers which don't explicitly
enable/disable certificate verification for HTTPS connections which could then
lead to errors (as is often the case with self-signed certificates).

In case of an error one should try first to temporarily disable certificate
verification of the problematic urllib3 consumer to see if that approach will
remedy the issue.
=====
Message from py37-certbot-1.10.1,1:

--
This port installs the "standalone" client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.

The simplest form of usage to obtain certificates is:

 # sudo certbot certonly --standalone -d <domain>, [domain2, ... domainN]>

NOTE:

The client requires the ability to bind on TCP port 80 or 443 (depending
on the --preferred-challenges option used). If a server is running on that
port, it will need to be temporarily stopped so that the standalone server
can listen on that port to complete the challenge authentication process.

For more information on the 'standalone' mode, see:

  https://certbot.eff.org/docs/using.html#standalone

The certbot plugins to support apache and nginx certificate installation
will be made available in the following ports:

 * Apache plugin: security/py-certbot-apache
 * Nginx plugin: security/py-certbot-nginx

In order to automatically renew the certificates, add this line to
/etc/periodic.conf:

    weekly_certbot_enable="YES"

More config details in the certbot periodic script:

    /usr/local/etc/periodic/weekly/500.certbot-3.7

Request and install the certificate from the CA

The request uses ports 80 and 443, so stop nginx first

service nginx stop

Request and install the certificate

certbot certonly --standalone -d chevyne.at.tw

Follow the prompts

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): chevyne@donnet.email

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for chevyne.at.tw
Performing the following challenges:
http-01 challenge for chevyne.at.tw
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: chevyne@donnet.email).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /usr/local/etc/letsencrypt/live/chevyne.at.tw/fullchain.pem
   Your key file has been saved at:
   /usr/local/etc/letsencrypt/live/chevyne.at.tw/privkey.pem
   Your cert will expire on 2021-04-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Following the instructions, edit /usr/local/etc/nginx/nginx.conf

ssl_certificate /usr/local/etc/letsencrypt/live/chevyne.at.tw/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/chevyne.at.tw/privkey.pem;

Start nginx

service nginx start

The site can now be browsed over HTTPS

Automatically renew the certificate

Following the instructions, edit /etc/defaults/periodic.conf

# 500.certbot-3.7
weekly_certbot_enable="YES"  # auto renew certificates

The script /usr/local/etc/periodic/weekly/500.certbot-3.7 takes care of renewals.

Changing existing certificates from RSA to ECDSA

certbot renew --key-type ecdsa --cert-name chevyne.at.tw --force-renewal

Manual mode (DNS challenge)

certbot certonly --manual --preferred-challenges dns -d example.com

Manual renewal

service nginx stop
certbot renew -v
service nginx start
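The three commands above leave nginx stopped if "certbot renew" aborts, and the same port-80 conflict the port message warns about applies to any renewal done with the standalone authenticator, including the weekly periodic run. The script below is an added example, not part of the original wiki page or of certbot: it wraps the stop / renew / start sequence so that nginx is always restarted and a failed renewal shows up in the exit status, and adds a check for how close the live certificate is to expiry. The command names and the live directory are assumed defaults that can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the original wiki page: the manual
# "service nginx stop; certbot renew -v; service nginx start" sequence,
# wrapped so that nginx always comes back up and a failed renewal is
# visible in the exit status.  Command names and the live directory are
# assumed defaults; override them through the environment.

CERTBOT="${CERTBOT:-certbot}"
SERVICE="${SERVICE:-service}"
OPENSSL="${OPENSSL:-openssl}"
LIVE_DIR="${LIVE_DIR:-/usr/local/etc/letsencrypt/live}"

# safe_renew: free ports 80/443 for the standalone authenticator, renew every
# certificate that is due, then restart nginx whether or not certbot succeeded.
# Returns certbot's exit status (or nginx's if the restart itself fails).
safe_renew() {
    "$SERVICE" nginx stop || return 1
    rc=0
    "$CERTBOT" renew -v || rc=$?
    # Restart unconditionally: a failed renewal must not leave the site down.
    "$SERVICE" nginx start || rc=$?
    return "$rc"
}

# cert_expires_within_days NAME DAYS: succeed (0) when the live certificate
# for NAME expires within DAYS, return 1 when it is still valid for that long,
# and 2 when the file cannot be read.
cert_expires_within_days() {
    name="$1"
    days="$2"
    cert="$LIVE_DIR/$name/fullchain.pem"
    [ -r "$cert" ] || return 2
    # "openssl x509 -checkend N" exits 0 while the certificate stays valid for
    # another N seconds, so its result is inverted here.
    if "$OPENSSL" x509 -noout -in "$cert" -checkend $((days * 86400)); then
        return 1
    fi
    return 0
}

# Command-line use, e.g. from a shell or a cron job:
#   sh renew.sh renew
#   sh renew.sh check chevyne.at.tw 30 && echo "renew soon"
case "${1:-}" in
    renew) safe_renew ;;
    check) cert_expires_within_days "$2" "${3:-30}" ;;
esac
```

Certbot's own --pre-hook and --post-hook options can run the same stop and start commands around a renewal, and the port's periodic script named in the package message documents how the weekly job invokes certbot; whichever route is used, the standalone authenticator still needs port 80 free at renewal time, exactly as the package message states.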