
Certbot

  1. Let's Encrypt no longer requires applying on a website and waiting for the certificate to be reviewed (see the reference on the older manual download-from-the-web tutorial). Setting up HTTPS and the directory where the certificate is placed, however, still has to be done by hand.
  2. The download and renewal program, formerly letsencrypt-auto, has been renamed certbot; first download the certbot-auto script. certbot-auto runs as root and installs packages on the host, so verify the download before executing it: EFF published a detached PGP signature next to it (https://dl.eff.org/certbot-auto.asc) for exactly this purpose. Note that certbot-auto has since been deprecated (late 2020) and is no longer distributed; current installations use the distribution's certbot package or the snap.
    [root@dns bin]# mkdir certbot
    [root@dns bin]# cd certbot
    [root@dns certbot]# wget https://dl.eff.org/certbot-auto
    [root@dns certbot]# chmod +x certbot-auto
    
  3. Running certbot-auto fails with an error that the apache2ctl program cannot be found; CentOS 6 only has the apachectl command.
    [root@dns certbot]# ./certbot-auto --apache
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Failed to find executable apache2ctl in expanded PATH: /tmp/product:/tmp/updates:/usr/bin:/bin:
    /sbin:/usr/sbin:/mnt/sysimage/bin:/mnt/sysimage/usr/bin:/mnt/sysimage/usr/sbin:/mnt/sysimage/sbin:
    /mnt/sysimage/usr/X11R6/bin:/sbin:/usr/sbin:/root/bin:/root/bin:/usr/local/bin:/usr/local/sbin
    The apache plugin is not working; there may be problems with your existing configuration.
    The error was: NoInstallationError('Cannot find Apache control command apache2ctl',)
    
  4. Symlink apachectl as apache2ctl and run certbot-auto again; it now fails with an Apache configuration error (the plugin cannot find the configuration root). The symlink only satisfies the plugin's first check; it still expects a layout it cannot find on CentOS 6. The symlink is not needed for the webroot method below and can be removed afterwards.
    [root@dns certbot]# ln -s /usr/sbin/apachectl /usr/sbin/apache2ctl 
    [root@dns certbot]# ./certbot-auto --apache -d web.csie.cyut.edu.tw
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    The apache plugin is not working; there may be problems with your existing configuration.
    The error was: NoInstallationError('Could not find configuration root',)
    
  5. Because the Apache version on CentOS 6 does not meet certbot's requirements, obtain the certificate with the webroot method instead. The http-01 challenge means Let's Encrypt fetches http://web.csie.cyut.edu.tw/.well-known/acme-challenge/<token> over port 80 from the internet, so Apache must serve that path under /var/www/html as a plain file (no redirect, rewrite or authentication in front of it). On success certbot reports that the certificate is in /etc/letsencrypt/live/web.csie.cyut.edu.tw.
    [root@dns certbot]# ./certbot-auto --webroot -w /var/www/html -d web.csie.cyut.edu.tw certonly
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for web.csie.cyut.edu.tw
    Using the webroot path /var/www/html for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/web.csie.cyut.edu.tw/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/web.csie.cyut.edu.tw/privkey.pem
       Your cert will expire on 2018-01-22. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again. To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
  6. List the files in /etc/letsencrypt/live/web.csie.cyut.edu.tw. They are symlinks to the numbered files in /etc/letsencrypt/archive/; on each renewal certbot writes cert2.pem, privkey2.pem, etc. and repoints the links, so the paths used in Apache's configuration never change. privkey.pem is the private key: the archive and live directories must stay readable by root only.
    [root@dns ~]# ll /etc/letsencrypt/live/web.csie.cyut.edu.tw/
    total 4
    lrwxrwxrwx. 1 root root  49 Oct 24 11:40 cert.pem -> ../../archive/web.csie.cyut.edu.tw/cert1.pem
    lrwxrwxrwx. 1 root root  50 Oct 24 11:40 chain.pem -> ../../archive/web.csie.cyut.edu.tw/chain1.pem
    lrwxrwxrwx. 1 root root  54 Oct 24 11:40 fullchain.pem -> ../../archive/web.csie.cyut.edu.tw/fullchain1.pem
    lrwxrwxrwx. 1 root root  52 Oct 24 11:40 privkey.pem -> ../../archive/web.csie.cyut.edu.tw/privkey1.pem
    -rw-r--r--. 1 root root 543 Oct 24 11:40 README
    
  7. Edit ssl.conf so the three SSL directives point at the live/ files, then reload httpd. Apache 2.2 (CentOS 6) needs the leaf certificate and the intermediate split across SSLCertificateFile and SSLCertificateChainFile as below; only Apache 2.4.8 and later accept fullchain.pem in SSLCertificateFile. Run apachectl configtest before the reload so a typo in ssl.conf does not take the site down.
    [root@dns renewal]# vim /etc/httpd/conf.d/ssl.conf
    [root@dns renewal]# grep ^SSLCert /etc/httpd/conf.d/ssl.conf
    SSLCertificateFile /etc/letsencrypt/live/web.csie.cyut.edu.tw/cert.pem  
    SSLCertificateKeyFile /etc/letsencrypt/live/web.csie.cyut.edu.tw/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/web.csie.cyut.edu.tw/chain.pem    
    [root@dns renewal]# /etc/init.d/httpd reload
    
  8. Renew the certificate. certbot-auto renew reads the settings saved under /etc/letsencrypt/renewal/ (including the webroot path) and renews only certificates that are within 30 days of expiry, so it is safe to run from cron. Because the certificate was obtained with certonly (Installer None), renew does not reload Apache; the reload must follow separately (for example via --deploy-hook), otherwise httpd keeps serving the old certificate until its next restart.
    [root@dns certbot]# ./certbot-auto renew
    
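The script below is an added example and is not part of the original page or of certbot itself. It checks the result of steps 6 to 8: that the three directives in ssl.conf resolve through the live/ symlinks to readable files, that the private key is not readable by group or others, and it wraps the renewal so that httpd is reloaded only when a certificate was actually renewed. The certbot-auto location /root/bin/certbot/certbot-auto is an assumption based on the prompts shown above; the functions take paths as parameters so they can be run against any tree.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the
# webroot + Apache 2.2 (CentOS 6) layout described above, plus a renew
# wrapper. Every function takes its paths as parameters.

# conf_value DIRECTIVE FILE: print the argument of an (uncommented)
# Apache directive; first match, trailing whitespace stripped, empty if absent.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\)/\1/p" "$2" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_ssl_conf FILE: verify that SSLCertificateFile, SSLCertificateKeyFile
# and SSLCertificateChainFile are set, resolve (through the live/ symlinks)
# to readable regular files, and that the key is owner-only. Returns 0
# only when every check passes; each failure is reported on stdout.
check_ssl_conf() {
    conf=$1
    rc=0
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        p=$(conf_value "$d" "$conf")
        if [ -z "$p" ]; then
            echo "$d: not set in $conf"; rc=1
        elif [ ! -f "$p" ] || [ ! -r "$p" ]; then
            # -f follows symlinks, so a dangling live/ link is caught here
            echo "$d: $p is not a readable regular file"; rc=1
        fi
    done
    key=$(conf_value SSLCertificateKeyFile "$conf")
    if [ -n "$key" ] && [ -f "$key" ]; then
        # ls -L reports the link target's mode; characters 5-10 are the
        # group/other bits, all of which must be off for a private key.
        mode=$(ls -lL "$key" | cut -c1-10)
        case $mode in
            ????------) ;;
            *) echo "SSLCertificateKeyFile: $key has mode $mode, expected owner-only"; rc=1 ;;
        esac
    fi
    return $rc
}

# cert_ok_for CERT DAYS: 0 if CERT is still valid DAYS days from now.
# Uses openssl's -checkend; handy for a daily cron alert.
cert_ok_for() {
    openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1"
}

# renew_and_reload [CERTBOT]: renew whatever is within 30 days of expiry
# and reload Apache only when something was actually renewed.
# --deploy-hook needs certbot 0.17 or newer; on older versions use
# --post-hook, which runs after every invocation, even an idle one.
renew_and_reload() {
    "${1:-/root/bin/certbot/certbot-auto}" renew --quiet \
        --deploy-hook '/etc/init.d/httpd reload'
}

# Usage: sh le-check.sh --run   (without --run only the functions are defined)
if [ "${1:-}" = --run ]; then
    check_ssl_conf /etc/httpd/conf.d/ssl.conf \
        && cert_ok_for /etc/letsencrypt/live/web.csie.cyut.edu.tw/cert.pem 30 \
        && renew_and_reload
fi
```

Run check_ssl_conf after step 7 and again after the first real renewal: a 644 key in archive/ or a live/ link pointing at a file that was moved will both be reported before Apache is reloaded against them.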



2017-10-27