next up previous contents
Next: About this document ... Up: Let's Encrypt Previous: Let's Encrypt 憑證更新   Contents


  1. Let's Encrypt 已不用上網申請,等通過審查。手動上網下載憑證教學參考,但架設 https 及 憑證放置目錄要手動設定。
  2. 憑證下載及更新程式由原 letencrypt-auto 已改成 certbot 自動程式負責,先下載 certbot-auto 程式。
    [root@dns bin]# mkdir certbot
    [root@dns bin]# cd certbot
    [root@dns certbot]# wget
    [root@dns certbot]# chmod +x certbot-auto
  3. 執行 certbot-auto 出現找不到 apache2ctl 程式的錯誤,但 CentOS 6 只有 apachectl 指令。
    [root@dns certbot]# ./certbot-auto --apache
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Failed to find executable apache2ctl in expanded PATH: /tmp/product:/tmp/updates:/usr/bin:/bin:
    The apache plugin is not working; there may be problems with your existing configuration.
    The error was: NoInstallationError('Cannot find Apache control command apache2ctl',)
  4. 以 apachectl 代替 apache2ctl,再執行 certbot-auto 出現 apache 設定錯誤。
    [root@dns certbot]# ln -s /usr/sbin/apachectl /usr/sbin/apache2ctl 
    [root@dns certbot]# ./certbot-auto --apache -d
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    The apache plugin is not working; there may be problems with your existing configuration.
    The error was: NoInstallationError('Could not find configuration root',)
  5. 因為 CentOS 6 apache 版本不滿足 certbot,改用 webroot 方式下載憑證,下載成功後提示憑證放在 /etc/letsencrypt/live/ 目錄下。
    [root@dns certbot]# ./certbot-auto --webroot -w /var/www/html -d certonly
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for
    Using the webroot path /var/www/html for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
     - Congratulations! Your certificate and chain have been saved at:
       Your key file has been saved at:
       Your cert will expire on 2018-01-22. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again. To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt:
       Donating to EFF:          
  6. 查看 /etc/letsencrypt/live/ 目錄下的檔案。
    [root@dns ~]# ll /etc/letsencrypt/live/
    total 4
    lrwxrwxrwx. 1 root root  49 Oct 24 11:40 cert.pem -> ../../archive/
    lrwxrwxrwx. 1 root root  50 Oct 24 11:40 chain.pem -> ../../archive/
    lrwxrwxrwx. 1 root root  54 Oct 24 11:40 fullchain.pem -> ../../archive/
    lrwxrwxrwx. 1 root root  52 Oct 24 11:40 privkey.pem -> ../../archive/
    -rw-r--r--. 1 root root 543 Oct 24 11:40 README
  7. 編輯 ssl.conf 並重新載入。
    [root@dns renewal]# vim ^SSLCert /etc/httpd/conf.d/ssl.conf
    [root@dns renewal]# grep ^SSLCert /etc/httpd/conf.d/ssl.conf
    SSLCertificateFile /etc/letsencrypt/live/  
    SSLCertificateKeyFile /etc/letsencrypt/live/
    SSLCertificateChainFile /etc/letsencrypt/live/    
    [root@dns renewal]# /etc/init.d/httpd reload
  8. 更新憑證。
    [root@dns certbot]# ./certbot-auto renew