Let's Encrypt
Ubuntu SSL Let’s Encrypt 建置常用指令
Categories:
Let’s Encrypt
安装
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
Nginx
$ sudo apt-get install python-certbot-nginx
Apache
$ sudo apt-get install python-certbot-apache
执行凭证验证
$ sudo certbot
自动更新凭证
更新凭证
sudo certbot renew
测试更新凭证
sudo certbot renew --dry-run
Crontab 自动更新
需要输入完整执行档案名称,然后指定需要自动更新时间
30 2 * * 1 certbot renew
/etc/ssl/certs/dhparam.pem
在安装 SSL 凭证时,会出现下列讯息时,可以使用 openssl 去新增 dhparam.pem 凭证
nginx: [emerg] BIO_new_file("/etc/ssl/certs/dhparam.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/certs/dhparam.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
使用下列指令可以新增 dhparam.pem 凭证
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
移除指定凭证
如果不需要 SSL 凭证了,可以使用下列指令将网域移除
sudo certbot delete --cert-name kejyun.com
解决 certbot-auto 版本过旧问题
在使用旧版 certbot-auto 安装凭证时,因为 certbot-auto 会自动更新自己的版本,导致发生 python 版本过旧导致无法验证凭证
Installing Python packages...
/opt/eff.org/certbot/venv/bin/python: No module named pip.__main__; 'pip' is a package and cannot be directly executed
Traceback (most recent call last):
File "/tmp/tmp.OGGbtieawI/pipstrap.py", line 177, in <module>
sys.exit(main())
File "/tmp/tmp.OGGbtieawI/pipstrap.py", line 149, in main
pip_version = StrictVersion(check_output([python, '-m', 'pip', '--version'])
File "/usr/lib/python2.7/subprocess.py", line 544, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '['/opt/eff.org/certbot/venv/bin/python', '-m', 'pip', '--version']' returned non-zero exit status 1
可以使用 --no-self-upgrade 参数,让 certbot-auto 不要自动更新版本
wget https://raw.githubusercontent.com/certbot/certbot/75499277be6699fd5a9b884837546391950a3ec9/certbot-auto
chmod +x ./certbot-auto
./certbot-auto --no-self-upgrade
执行 certbot 出现错误 Another instance of Certbot is already running
在执行 certbot 时出错错误的讯息
Another instance of Certbot is already running
Certbot 不正常关闭,导致原本的 .certbot.lock 档案还存在于主机中,此时可以透过下方指令找出 .certbot.lock 档案是否还存在
find / -type f -name ".certbot.lock"
若档案存在,则可以用下列指令移除所有 .certbot.lock 档案
find / -type f -name ".certbot.lock" -exec rm {} \;
移除后再次执行 certbot 就可以正常执行了
参考资料
- How to install Certbot on Ubuntu 16.04 (Auto Cert Renew!) - Ceos3c
- How To Secure Nginx with Let’s Encrypt on Ubuntu 16.04 | DigitalOcean
- Get Certbot — Certbot 0.25.0.dev0 documentation
- How To Secure Nginx with Let’s Encrypt on Ubuntu 16.04 | DigitalOcean
- How To Secure Apache with Let’s Encrypt on Ubuntu 16.04 | DigitalOcean
- SSL and nginx missing file: /etc/ssl/certs/dhparam.pem · Issue #10 · ummjackson/mastodon-guide
- Correct Way to Delete a Certbot SSL Certificate – Matthew Hagemann – Medium
- With 0.32.0, certbot-auto stopped working for some EOL distributions · Issue #6824 · certbot/certbot · GitHub
- Another instance of Certbot is already running - Solved - Linux guru