====== Let's Encrypt + nginx в CentOS 7 ======
В заголовке заметки указаны CentOS/nginx, но ниже будут примеры для CentOS 8 и Apache, чтобы не создавать отдельные страницы в wiki.
===== CentOS 7 =====
Подключаем EPEL
# yum install epel-release
Устанавливаем certbot для nginx
# yum install python2-certbot-nginx
Для apache
# yum install python2-certbot-apache
Видимо в скором времени придется перейти на более легковесное решение [[https://github.com/acmesh-official/acme.sh|acme.sh]], потому-что уж больно много пакетов устанавливается. А сайт [[https://certbot.eff.org/instructions|certbot]] чересчур активно продвигает установку через snapd.
++++ Не сликом ли много?! 🙉/🙈 |
Dependencies Resolved
=====================================================================================================================
Package Arch Version Repository Size
=====================================================================================================================
Installing:
certbot noarch 1.9.0-1.el7 epel 46 k
python2-certbot-nginx noarch 1.9.0-1.el7 epel 78 k
Installing for dependencies:
audit-libs-python x86_64 2.8.5-4.el7 base 76 k
libcgroup x86_64 0.41-21.el7 base 66 k
libselinux-python x86_64 2.5-15.el7 base 236 k
libsemanage-python x86_64 2.5-14.el7 base 113 k
policycoreutils-python x86_64 2.5-34.el7 base 457 k
pyOpenSSL x86_64 0.13.1-4.el7 base 135 k
pyparsing noarch 1.5.6-9.el7 base 94 k
python-IPy noarch 0.75-6.el7 base 32 k
python-backports x86_64 1.0-8.el7 base 5.8 k
python-backports-ssl_match_hostname noarch 3.5.0.1-1.el7 base 13 k
python-cffi x86_64 1.6.0-5.el7 base 218 k
python-configobj noarch 4.7.2-7.el7 base 117 k
python-enum34 noarch 1.0.4-1.el7 base 52 k
python-idna noarch 2.4-1.el7 base 94 k
python-ipaddress noarch 1.0.16-2.el7 base 34 k
python-ndg_httpsclient noarch 0.3.2-1.el7 epel 43 k
python-ply noarch 3.4-11.el7 base 123 k
python-pycparser noarch 2.14-1.el7 base 104 k
python-requests noarch 2.6.0-9.el7_8 updates 94 k
python-requests-toolbelt noarch 0.8.0-3.el7 epel 78 k
python-setuptools noarch 0.9.8-7.el7 base 397 k
python-six noarch 1.9.0-2.el7 base 29 k
python-urllib3 noarch 1.10.2-7.el7 base 103 k
python-zope-component noarch 1:4.1.0-5.el7 epel 228 k
python-zope-event noarch 4.0.3-2.el7 epel 79 k
python-zope-interface x86_64 4.0.5-4.el7 base 138 k
python2-acme noarch 1.9.0-1.el7 epel 82 k
python2-certbot noarch 1.9.0-1.el7 epel 379 k
python2-configargparse noarch 0.11.0-2.el7 epel 31 k
python2-cryptography x86_64 1.7.2-2.el7 base 502 k
python2-distro noarch 1.2.0-3.el7 epel 29 k
python2-future noarch 0.18.2-2.el7 epel 806 k
python2-josepy noarch 1.3.0-2.el7 epel 89 k
python2-mock noarch 1.0.1-10.el7 epel 92 k
python2-parsedatetime noarch 2.4-6.el7 epel 78 k
python2-pyasn1 noarch 0.1.9-7.el7 base 100 k
python2-pyrfc3339 noarch 1.1-3.el7 epel 16 k
python2-six noarch 1.9.0-0.el7 epel 2.9 k
pytz noarch 2016.10-2.el7 base 46 k
setools-libs x86_64 3.3.8-4.el7 base 620 k
++++
Получаем сертификат для nginx
# certbot certonly --nginx
Получаем сертификат для apache
# certbot certonly --apache
Опция certonly подразумевает, что certbot только получит сертификат, но не будет автоматически менять конфигурационный файл веб-сервера.
При первом запуске certbot необходимо будет указать email и принять ToS.
++++ Вот так это выглядит 🙉/🙈 |
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): john@foobar.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: wiki.foobar.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for wiki.foobar.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/wiki.foobar.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/wiki.foobar.com/privkey.pem
Your cert will expire on 2021-02-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
++++
===== CentOS 8 =====
Подключаем EPEL
# dnf install epel-release
Устанавливаем certbot для nginx
# dnf install python3-certbot-nginx
Для apache
# dnf install python3-certbot-apache
===== Проверка автоматического обновления сертификатов =====
# certbot renew --dry-run
++++ Вот так это выглядит 🙉/🙈 |
# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wiki.foobar.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wiki.foobar.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/wiki.foobar.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/cloud.iddqd.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
++++
===== Автоматическое обновление =====
Никаких **/etc/crontab** или **/etc/cron.d**. В сети много вредных советов.
Для автоматического обновления существует systemd timer.
systemd service файл
# cat /usr/lib/systemd/system/certbot-renew.service
[Unit]
Description=This service automatically renews any certbot certificates found
[Service]
EnvironmentFile=/etc/sysconfig/certbot
Type=oneshot
ExecStart=/usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew $PRE_HOOK $POST_HOOK $RENEW_HOOK $DEPLOY_HOOK $CERTBOT_ARGS
systemd таймер
# cat /usr/lib/systemd/system/certbot-renew.timer
[Unit]
Description=This is the timer to set the schedule for automated renewals
[Timer]
OnCalendar=*-*-* 00/12:00:00
RandomizedDelaySec=12hours
Persistent=true
[Install]
WantedBy=timers.target
Нужно только запустить их и добавить в автозагрузку
# systemctl enable certbot-renew.service
# systemctl start certbot-renew.service
# systemctl enable certbot-renew.timer
# systemctl start certbot-renew.timer
EOM
{{tag>linux centos ssl lets_encrypt nginx certbot}}