Let's Encrypt + nginx on CentOS 7
<note important>The title says CentOS 7 and nginx, but the examples below also cover CentOS 8 and Apache, so as not to create separate wiki pages for them.</note>
CentOS 7
Enable EPEL
# yum install epel-release
Install certbot with the nginx plugin
# yum install python2-certbot-nginx
For Apache
# yum install python2-certbot-apache
It will probably be worth moving to the more lightweight acme.sh before long: certbot pulls in far too many packages (see the dependency list below), and the certbot site pushes installation via snapd rather aggressively.
++++ Isn't that a bit much?! 🙉/🙈 |
Dependencies Resolved

=====================================================================================================================
 Package                               Arch      Version             Repository   Size
=====================================================================================================================
Installing:
 certbot                               noarch    1.9.0-1.el7         epel         46 k
 python2-certbot-nginx                 noarch    1.9.0-1.el7         epel         78 k
Installing for dependencies:
 audit-libs-python                     x86_64    2.8.5-4.el7         base         76 k
 libcgroup                             x86_64    0.41-21.el7         base         66 k
 libselinux-python                     x86_64    2.5-15.el7          base        236 k
 libsemanage-python                    x86_64    2.5-14.el7          base        113 k
 policycoreutils-python                x86_64    2.5-34.el7          base        457 k
 pyOpenSSL                             x86_64    0.13.1-4.el7        base        135 k
 pyparsing                             noarch    1.5.6-9.el7         base         94 k
 python-IPy                            noarch    0.75-6.el7          base         32 k
 python-backports                      x86_64    1.0-8.el7           base        5.8 k
 python-backports-ssl_match_hostname   noarch    3.5.0.1-1.el7       base         13 k
 python-cffi                           x86_64    1.6.0-5.el7         base        218 k
 python-configobj                      noarch    4.7.2-7.el7         base        117 k
 python-enum34                         noarch    1.0.4-1.el7         base         52 k
 python-idna                           noarch    2.4-1.el7           base         94 k
 python-ipaddress                      noarch    1.0.16-2.el7        base         34 k
 python-ndg_httpsclient                noarch    0.3.2-1.el7         epel         43 k
 python-ply                            noarch    3.4-11.el7          base        123 k
 python-pycparser                      noarch    2.14-1.el7          base        104 k
 python-requests                       noarch    2.6.0-9.el7_8       updates      94 k
 python-requests-toolbelt              noarch    0.8.0-3.el7         epel         78 k
 python-setuptools                     noarch    0.9.8-7.el7         base        397 k
 python-six                            noarch    1.9.0-2.el7         base         29 k
 python-urllib3                        noarch    1.10.2-7.el7        base        103 k
 python-zope-component                 noarch    1:4.1.0-5.el7       epel        228 k
 python-zope-event                     noarch    4.0.3-2.el7         epel         79 k
 python-zope-interface                 x86_64    4.0.5-4.el7         base        138 k
 python2-acme                          noarch    1.9.0-1.el7         epel         82 k
 python2-certbot                       noarch    1.9.0-1.el7         epel        379 k
 python2-configargparse                noarch    0.11.0-2.el7        epel         31 k
 python2-cryptography                  x86_64    1.7.2-2.el7         base        502 k
 python2-distro                        noarch    1.2.0-3.el7         epel         29 k
 python2-future                        noarch    0.18.2-2.el7        epel        806 k
 python2-josepy                        noarch    1.3.0-2.el7         epel         89 k
 python2-mock                          noarch    1.0.1-10.el7        epel         92 k
 python2-parsedatetime                 noarch    2.4-6.el7           epel         78 k
 python2-pyasn1                        noarch    0.1.9-7.el7         base        100 k
 python2-pyrfc3339                     noarch    1.1-3.el7           epel         16 k
 python2-six                           noarch    1.9.0-0.el7         epel        2.9 k
 pytz                                  noarch    2016.10-2.el7       base         46 k
 setools-libs                          x86_64    3.3.8-4.el7         base        620 k
++++
Obtain a certificate for nginx
# certbot certonly --nginx
Obtain a certificate for Apache
# certbot certonly --apache
The certonly subcommand means certbot only obtains the certificate and does not edit the web server configuration to install it; pointing the server at /etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem is left to you. Note that --nginx / --apache still selects that server's plugin as the authenticator: during issuance it temporarily inserts the http-01 challenge response into the running configuration and reloads the server, then removes it again.
On the first run certbot asks for an e-mail address (used for urgent renewal and security notices) and requires accepting the Let's Encrypt ToS. The ACME account key it registers is stored under /etc/letsencrypt together with the certificates and private keys, so that directory belongs in your backups.
++++ This is what it looks like 🙉/🙈 |
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: wiki.foobar.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for wiki.foobar.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/wiki.foobar.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/wiki.foobar.com/privkey.pem
   Your cert will expire on 2021-02-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
++++
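Because certonly leaves the web server configuration alone, nginx will not notice a renewed certificate on its own either; something has to reload it after certbot has written the new files. The script below is an added example written for this page, not code shipped with certbot or taken from the original wiki: a deploy hook that refuses to reload nginx unless fullchain.pem and privkey.pem in the renewed lineage actually belong together, the private key is not readable by group or other, the certificate is not already expired, and nginx -t passes. certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS to deploy hooks, and certbot renew runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal. The file name reload-nginx.sh, the use of systemd to manage nginx, and the self-signed sample pair used to exercise it are assumptions of the example.

```shell
#!/bin/bash
# /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
# Added example for this wiki page; not part of certbot.
#
# Deploy hook: certbot runs it after a certificate has been issued or renewed,
# with RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS exported.
# nginx keeps its old configuration when a reload fails, so the checks below
# mainly turn a silent failure in the journal into an explicit non-zero hook
# exit, which certbot reports in its own output and log.
set -euo pipefail

# Return 0 when the public key embedded in certificate $1 equals the public key
# derived from private key $2; a mismatch means nginx cannot complete a handshake.
cert_key_match() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when lineage directory $1 is deployable: both files readable, the key
# not readable by group/other (certbot creates new keys with mode 0600, so this
# only fires when permissions were loosened later), the certificate not yet
# expired, and the pair matching. The reason for a failure goes to stderr.
check_lineage() {
  local cert="$1/fullchain.pem" key="$1/privkey.pem" mode
  if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
    echo "$1: fullchain.pem or privkey.pem missing" >&2; return 1
  fi
  mode=$(stat -L -c %a "$key")            # -L follows the live/ -> archive/ symlink
  if [ $(( 8#$mode & 077 )) -ne 0 ]; then  # any group/other bit set?
    echo "$1: privkey.pem mode $mode is readable by group/other" >&2; return 1
  fi
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "$1: certificate already expired" >&2; return 1
  fi
  if ! cert_key_match "$cert" "$key"; then
    echo "$1: privkey.pem does not match fullchain.pem" >&2; return 1
  fi
  return 0
}

# Verify the lineage, test the nginx configuration, and only then reload.
deploy_hook() {
  local lineage="$1"
  check_lineage "$lineage" || { echo "refusing to reload nginx" >&2; return 1; }
  nginx -t >/dev/null 2>&1 || { echo "nginx -t failed, not reloading" >&2; return 1; }
  systemctl reload nginx
  echo "nginx reloaded with certificate from $lineage (${RENEWED_DOMAINS:-})"
}

# Invoked by certbot: RENEWED_LINEAGE is set. Invoked by hand: pass the lineage
# directory, e.g. reload-nginx.sh /etc/letsencrypt/live/wiki.foobar.com
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_hook "$RENEWED_LINEAGE"
elif [ $# -ge 1 ]; then
  deploy_hook "$1"
fi
```

Make it executable (mode 0755) and either let certbot renew pick it up from the renewal-hooks/deploy directory, or name it explicitly with `certbot certonly --nginx --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh`, in which case it also runs on the first issuance and certbot records it in /etc/letsencrypt/renewal/<domain>.conf for later renewals. On the EPEL packages the same can be done through DEPLOY_HOOK in /etc/sysconfig/certbot, which the certbot-renew.service unit expands into the command line, so the variable has to hold the whole `--deploy-hook /path` pair. For Apache replace `nginx -t` with `httpd -t` and reload httpd instead.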
CentOS 8
Enable EPEL
# dnf install epel-release
Install certbot with the nginx plugin
# dnf install python3-certbot-nginx
For Apache
# dnf install python3-certbot-apache
Testing automatic certificate renewal
A dry run goes through the whole challenge against the Let's Encrypt staging endpoint (acme-staging-v02, visible in the output below) and saves nothing, so it does not count against the production rate limits.
# certbot renew --dry-run
++++ This is what it looks like 🙉/🙈 |
# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wiki.foobar.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wiki.foobar.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/wiki.foobar.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/cloud.iddqd.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
++++
Automatic renewal
No /etc/crontab or /etc/cron.d entries: there is plenty of bad advice online about adding one. The EPEL package already ships a systemd timer for renewal, and a cron job on top of it only runs certbot a second time.
systemd service file
# cat /usr/lib/systemd/system/certbot-renew.service
[Unit]
Description=This service automatically renews any certbot certificates found

[Service]
EnvironmentFile=/etc/sysconfig/certbot
Type=oneshot
ExecStart=/usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew $PRE_HOOK $POST_HOOK $RENEW_HOOK $DEPLOY_HOOK $CERTBOT_ARGS
systemd timer
# cat /usr/lib/systemd/system/certbot-renew.timer
[Unit]
Description=This is the timer to set the schedule for automated renewals

[Timer]
OnCalendar=*-*-* 00/12:00:00
RandomizedDelaySec=12hours
Persistent=true

[Install]
WantedBy=timers.target
Only the timer needs to be enabled and started. The service unit has no [Install] section (see above), so "systemctl enable certbot-renew.service" has nothing to enable and systemd merely warns about it.
# systemctl enable certbot-renew.timer
# systemctl start certbot-renew.timer
To run a renewal pass right now rather than waiting for the timer (which fires every 12 hours, with up to 12 hours of random delay added), start the service by hand once:
# systemctl start certbot-renew.service
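certbot renew --dry-run shows that renewal can succeed; it does not show that the timer has actually been firing since. The script below is an added example, not part of certbot or of the original page: it walks every lineage under a certbot live/ directory, prints how many days each deployed certificate has left and exits non-zero when any of them is below a threshold. certbot's default renew_before_expiry is 30 days and the timer above runs twice a day, so a healthy lineage never sits far below 30 days; the default threshold of 21 days (a week of missed timer runs), the script name check-le-expiry.sh and the constructed sample certificates used to test it are the example's own assumptions. It needs openssl and GNU date, both standard on CentOS.

```shell
#!/bin/bash
# check-le-expiry.sh  (added example for this wiki page; not part of certbot)
#
# Audit the certificates certbot keeps under a live/ directory and complain
# when any of them has less time left than the threshold, i.e. when the
# renewal timer has stopped doing its job.
set -euo pipefail

# Whole days until certificate $1 expires; zero or negative once it has expired.
# Relies on GNU date to parse the "notAfter=" timestamp printed by openssl.
cert_days_left() {
  local not_after
  not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2-)
  echo $(( ( $(date -d "$not_after" +%s) - $(date +%s) ) / 86400 ))
}

# Print "<lineage> <days-left> <OK|RENEWAL-OVERDUE>" for every
# $1/*/fullchain.pem. Return 1 if any certificate has fewer than $2 days left,
# 2 if no lineage was found at all (usually a wrong path, which must not look
# like "all green" to a monitoring system).
check_live_dir() {
  local live="$1" threshold="$2" rc=0 found=0 cert lineage days
  for cert in "$live"/*/fullchain.pem; do
    [ -f "$cert" ] || continue       # unmatched glob stays literal; skip it
    found=1
    lineage=$(basename "$(dirname "$cert")")
    days=$(cert_days_left "$cert")
    if [ "$days" -lt "$threshold" ]; then
      echo "$lineage $days RENEWAL-OVERDUE"; rc=1
    else
      echo "$lineage $days OK"
    fi
  done
  [ "$found" -eq 1 ] || return 2
  return "$rc"
}

# Usage: check-le-expiry.sh [live-dir] [threshold-days]
# e.g.   check-le-expiry.sh /etc/letsencrypt/live 21
if [ $# -ge 1 ]; then
  check_live_dir "$1" "${2:-21}"
fi
```

Run it from a monitoring check or a second, independent timer; an exit status of 1 means certbot has not renewed something it should have, so look at /var/log/letsencrypt/letsencrypt.log and at `systemctl list-timers certbot-renew.timer` next.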