Certbot
===
###### tags: `Let’s Encrypt` `Certbot` `Certificate` `SSL`
```
Last Updated: MAY 19, 2022 14:30 PM
```
## Operating System
- Ubuntu 20.04 LTS
---
:dart: Install the Let’s Encrypt Client (Certbot)
---
- Update the package lists and install software-properties-common
- [ ] sudo apt-get update
- [ ] sudo apt-get install software-properties-common
- [ ] sudo add-apt-repository universe
- Install Certbot
- [ ] sudo apt-get update
- [ ] sudo apt-get install certbot -y
---
## Beginner test: obtaining an SSL certificate (dry run)
- [ ] sudo certbot certonly --standalone --dry-run
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):
```
> Enter your domain, for example: `iotboard.ga`
```
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for iotboard.ga
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- The dry run was successful.
```
> `successful` means the test passed
- [`--dry-run`](https://letsencrypt.org/zh-tw/docs/staging-environment/): test flag that runs the request against the staging environment instead of production; [check crt.sh](https://crt.sh/) to see whether the domain (DNS name) has already exceeded the issuance limit.
---
## Obtaining an SSL certificate
- [ ] sudo certbot certonly --standalone
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
```
> Enter an email address that can be used to contact you for urgent renewal and security notices.
```
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:
```
> Type `A` then `ENTER` to agree to the Terms of Service
```
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
```
> Type `N` then `ENTER`
> (this means your email address is not shared with the Electronic Frontier Foundation)
```
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):
```
> Enter your domain
```
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for iotboard.ga
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/iotboard.ga/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/iotboard.ga/privkey.pem
Your cert will expire on 2022-08-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
```
- [ ] cp -r /etc/letsencrypt/live/YOUR-DOMAIN-NAME/ /home/USER/PATH/
- EX-1: cp -r /etc/letsencrypt/archive/iotboard.ga/ /home/ubuntu/nginx/volume/certbot/conf/archive/
```
└── iotboard.ga
    ├── cert1.pem
    ├── chain1.pem
    ├── fullchain1.pem
    └── privkey1.pem

1 directory, 4 files
```
- EX-2: cp -r /etc/letsencrypt/live/iotboard.ga/ /home/ubuntu/nginx/volume/certbot/conf/live/
```
.
├── README
└── iotboard.ga
    ├── README
    ├── cert.pem -> ../../archive/iotboard.ga/cert1.pem
    ├── chain.pem -> ../../archive/iotboard.ga/chain1.pem
    ├── fullchain.pem -> ../../archive/iotboard.ga/fullchain1.pem
    └── privkey.pem -> ../../archive/iotboard.ga/privkey1.pem
```
---
## Changing the owner and permissions
- [ ] chown :ubuntu /home/USER/PATH/conf/live/YOUR-DOMAIN-NAME/*.pem
- EX: chown :ubuntu /home/ubuntu/nginx/volume/certbot/conf/archive/iotboard.ga/*.pem
- [ ] chmod 640 /home/USER/PATH/conf/live/YOUR-DOMAIN-NAME/*.pem
- EX: chmod 640 /home/ubuntu/nginx/volume/certbot/conf/archive/iotboard.ga/*.pem
- [ ] sudo cp -r /home/ubuntu/nginx/volume/certbot/conf/archive/YOUR-DOMAIN-NAME/fullchain1.pem /home/ubuntu/nginx/volume/nginx/conf/live/YOUR-DOMAIN-NAME/fullchain.pem
- [ ] sudo cp -r /home/ubuntu/nginx/volume/certbot/conf/archive/YOUR-DOMAIN-NAME/privkey1.pem /home/ubuntu/nginx/volume/nginx/conf/live/YOUR-DOMAIN-NAME/privkey.pem
- EX: sudo cp -r /home/ubuntu/nginx/volume/certbot/conf/archive/iotboard.ga/fullchain1.pem /home/ubuntu/nginx/volume/nginx/conf/live/iotboard.ga/fullchain.pem
- EX: sudo cp -r /home/ubuntu/nginx/volume/certbot/conf/archive/iotboard.ga/privkey1.pem /home/ubuntu/nginx/volume/nginx/conf/live/iotboard.ga/privkey.pem
```
volume/nginx/conf/live/iotboardtest.tk/
├── fullchain.pem
└── privkey.pem

0 directories, 2 files
```
---
#### Certificates for the Nginx directory
- EX: cp -r /home/ubuntu/nginx/volume/certbot/conf/archive/iotboard.ga/`fullchain1.pem` /home/ubuntu/nginx/volume/nginx/conf/live/iotboard.ga/`fullchain.pem`
- EX: cp -r /home/ubuntu/nginx/volume/certbot/conf/archive/iotboard.ga/`privkey1.pem` /home/ubuntu/nginx/volume/nginx/conf/live/iotboard.ga/`privkey.pem`
- chown :ubuntu /home/ubuntu/nginx/volume/nginx/conf/live/iotboard.ga/
- chmod 640 /home/ubuntu/nginx/volume/nginx/conf/live/iotboard.ga/
- chown :ubuntu /home/ubuntu/nginx/volume/nginx/conf/live/iotboard.ga/*.pem
- chmod 640 /home/ubuntu/nginx/volume/nginx/conf/live/iotboard.ga/*.pem
- cp -r /etc/letsencrypt/renewal/iotboard.ga.conf /home/ubuntu/nginx/volume/certbot/conf/renewal/
```
└── iotboard.ga.conf
```
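The copy, chown and chmod steps of this section and the preceding one, collected into one shell function (an added example, not part of the original note). It picks the highest-numbered `fullchainN.pem`/`privkeyN.pem` pair from the archive directory (plain `ls` order would put `fullchain10.pem` before `fullchain2.pem`), refuses a pair whose numbers differ, and uses `install -m 640` so the private key is never created world-readable; the archive and destination paths and the `ubuntu` group are assumptions taken from this note.

```shell
#!/bin/sh
# Copy the newest numbered certificate/key pair out of a Certbot archive
# directory into a plain directory for nginx, with restrictive permissions.
# Added example for this note; the paths and group name are assumptions.

# Print the highest N for which <archive_dir>/fullchainN.pem exists.
latest_cert_version() {
  for f in "$1"/fullchain[0-9]*.pem; do
    [ -e "$f" ] || continue          # glob did not match anything
    n=${f##*/fullchain}; n=${n%.pem}
    echo "$n"
  done | sort -n | tail -n 1         # numeric sort: 10 comes after 9
}

# deploy_certs ARCHIVE_DIR DEST_DIR [GROUP]
# Fails when the newest fullchain has no privkey with the same number, so a
# mismatched pair is caught before nginx ever loads it. Prints the version used.
deploy_certs() {
  archive_dir=$1; dest_dir=$2; group=${3:-}
  n=$(latest_cert_version "$archive_dir")
  if [ -z "$n" ]; then
    echo "no fullchainN.pem in $archive_dir" >&2; return 1
  fi
  if [ ! -f "$archive_dir/privkey$n.pem" ]; then
    echo "fullchain$n.pem has no matching privkey$n.pem" >&2; return 1
  fi
  mkdir -p "$dest_dir"
  # install(1) creates the destination with mode 640 in one step, so the
  # private key is never briefly readable by others as with cp followed by chmod.
  install -m 640 "$archive_dir/fullchain$n.pem" "$dest_dir/fullchain.pem"
  install -m 640 "$archive_dir/privkey$n.pem"   "$dest_dir/privkey.pem"
  if [ -n "$group" ]; then
    chgrp "$group" "$dest_dir/fullchain.pem" "$dest_dir/privkey.pem"
  fi
  echo "$n"
}

# Invocation for the paths used in this note (the source files must exist):
#   deploy_certs /home/ubuntu/nginx/volume/certbot/conf/archive/iotboard.ga \
#                /home/ubuntu/nginx/volume/nginx/conf/live/iotboard.ga ubuntu
```

Certbot's `--deploy-hook` runs a command after each successful renewal with `RENEWED_LINEAGE` set to the renewed `live/` directory, so calling this function from such a hook keeps the copied files in the nginx volume current.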
#### Nginx Settings
- [ ] cat volume/nginx/conf/default.conf
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name iotboard.ga;
    #server_tokens off;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    # location / {
    #     return 301 https://iotboard.ga$request_uri;
    # }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name iotboard.ga;
    #server_tokens off;
    ssl_certificate /etc/nginx/ssl/live/iotboard.ga/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/iotboard.ga/privkey.pem;
    location / {
        proxy_pass http://iotboard.ga:3000/;
        # set client body size to 50M #
        client_max_body_size 50M;
    }
}
```
---
## Test SSL
> https://www.ssllabs.com/ssltest/

---
## Auto Renewal
Let’s Encrypt certificates expire after 90 days, so they must be checked regularly for renewal. Certbot runs automatically twice a day and renews any certificate that expires within 30 days.
- [ ] certbot renew --dry-run
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/iotboard.ga.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for iotboard.ga
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/iotboard.ga/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/iotboard.ga/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
---
### If the certificate is also needed by Grafana:
- [ ] cp -r /home/USER/conf/live/YOUR-DOMAIN-NAME/ /home/USER/GRAFANA-PATH/conf/live/
- cp -r /home/ubuntu/nginx/volume/nginx/conf/live/iotboard.ga/ /home/ubuntu/grafana/volume/grafana/conf/live/
```
volume/grafana/conf/live/iotboard.ga/
├── fullchain.pem
└── privkey.pem

0 directories, 2 files
```
---
:mag: Reference
---
- https://letsencrypt.org/zh-tw/docs/staging-environment/
- https://letsencrypt.org/zh-tw/docs/rate-limits/