一、Let's Encrypt、Certbot和Snap的关系
Let's Encrypt是一个免费、自动化和开放的证书颁发机构,由非营利的互联网安全研究小组(ISRG)为您提供。
Certbot使用EFF的Certbot在您的网站上自动启用HTTPS,部署Let's Encrypt证书。
Snap则是用于下载安装Certbot的包管理器。
所以,核心是Let's Encrypt证书,Snap和Certbot则是用于生成管理证书的工具。
二、官方Certbot安装(与nginx进行证书绑定)
1、安装snapd
1.1、增加EPEL仓库
sudo yum -y install epel-release
1.2、安装snapd
sudo yum -y install snapd
1.3、启用snapd socket
systemctl enable --now snapd.socket
1.4、创建一个软连接 /snap 到 /var/lib/snapd/snap,安装软件需要在 /snap中。
sudo ln -s /var/lib/snapd/snap /snap
2、安装certbot
2.1、 确保snapd是最新版本
sudo snap install core;sudo snap refresh core
2.2、移除certbot-auto和任何Certbot OS包
sudo yum remove certbot
2.3、安装certbot
sudo snap install --classic certbot
2.4、准备Certbot命令
sudo ln -s /snap/bin/certbot /usr/bin/certbot
2.5、选择nginx运行方式
自动配置nginx
sudo certbot --nginx
手动配置nginx
sudo certbot certonly --nginx
2.6、自动续期
sudo certbot renew
2.7、签发证书
2.7.1使用dns方式(需在域名管理中配置
_acme-challenge.<YOUR_DOMAIN>
的TXT记录)
certbot certonly --email xxx@126.com --manual --preferred-challenges dns -d a.xxx.com
2.8、修改nginx配置文件
server {
listen 443 ssl;
listen [::]:443 ssl ipv6only=on;
ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/your.domain.com/chain.pem;
// ... other settings ...
}
2.9、配置好 Nginx 配置文件,重载使修改生效
sudo nginx -s reload
2.10、crontab -e的命令来启用自动任务,命令行:
sudo crontab -e
2.11、打开定时任务配置文件,我们可以按i进入编辑模式,然后输入:
0 23 28 * * /usr/bin/certbot renew >> /var/log/le-renew.log
添加定时任务,每月28号23点执行脚本
三、Certbot命令用法
certbot [子命令] [选项] [-d 域名] [-d 域名] ...
获取, 安装, 更新证书:
(默认) run 获取并安装证书到当前网页服务器
certonly 获取或更新证书,但是不安装
renew 更新已经获取但快过期的所有证书
-d 域名列表 指定证书对应的域名列表,域名之间使用逗号分隔
--apache 使用Apache插件进行身份认证和安装
--standalone 运行一个独立的网页服务器用于身份认证
--nginx 使用Nginx插件进行身份认证和安装
--webroot 把身份认证文件放置在服务器的网页根目录下
--manual 使用交互式或脚本钩子的方式获取证书
-n 非交互式运行
--test-cert 从预交付服务器上获取测试证书
--dry-run 测试获取或更新证书,但是不存储到本地硬盘
四、常见问题
4.1 snap2.57.6-1.el7版本安装出现bug,出现go语言runtime stack错误。
解决方法:
①yum remove snapd
②yum remove snap-confine.x86_64
③yum remove snapd-selinux.noarch
④从 https://mirror.lt.ucsc.edu/epel/7/x86_64/Packages/s/ 下载2.54版本的snap。具体如下:
snapd-2.54.4-1.el7.x86_64.rpm,
snapd-selinux-2.54.4- 1.el7.noarch.rpm,
snap-confine-2.54.4-1.el7.x86_64.rpm
⑤yum本地安装
rpm yum localinstall snapd-2.54.4-1.el7.x86_64.rpm
rpm yum localinstall snapd-selinux-2.54.4- 1.el7.noarch.rpm
rpm yum localinstall snap-confine-2.54.4-1.el7.x86_64.rpm
4.2、具体错误内容如下
[21:21:31 ERR] Connection id "0HMN066E9362B", Request id "0HMN066E9362B:00000002": An unhandled exception was thrown by the application.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'.
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
at Microsoft.AspNetCore.Authorization.Policy.AuthorizationMiddlewareResultHandler.HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.CspMiddleware.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.HandleException(HttpContext context, ExceptionDispatchInfo edi)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
解决方法:
安装服务端ca证书集。目录在/etc/ssl/certs。
如果未安装,请运行:yum install ca-certificates
安装完成,进行证书更新:update-ca-trust force-enable
版权归原作者 wangyun381974024 所有, 如有侵权,请联系我们删除。