Free SSL Certificates - HTTP Tutorial

Applying for a Free SSL Certificate - Certbot

TLS certificates (still commonly called SSL certificates, after the now-retired Secure Sockets Layer protocol) are essential for websites and online services. The certificate lets the browser verify that it is talking to the real server, and the TLS handshake it anchors encrypts traffic between user and server so it cannot be read or tampered with in transit.

This section shows how to obtain a free certificate with the Certbot tool.

What is Certbot?

Certbot is an open-source automation tool for obtaining and renewing the free SSL/TLS certificates issued by Let's Encrypt.

Let's Encrypt is a certificate authority (CA) operated by the Internet Security Research Group (ISRG). It issues and renews certificates through an automated protocol (ACME), so site administrators can enable HTTPS without buying a certificate or going through a manual approval process.

Certbot's main features:

  • Automation: it proves control of the domain to the CA and requests the certificate for you.
  • Free: the certificates come from Let's Encrypt at no cost.
  • Compatibility: installer plugins for common web servers such as Apache and Nginx can also edit the server configuration to enable HTTPS.
  • Ease of use: a command-line interface makes installation and use straightforward.
  • Renewal: it handles certificate renewal so the site's HTTPS connection stays valid.

Let's Encrypt certificates are valid for 90 days. When Certbot is installed as a distribution package or snap, it also installs a scheduled task (a systemd timer or cron job) that runs `certbot renew` regularly, so certificates do not expire. Note the exception that matters for this tutorial: certificates obtained with `--manual` and no authentication hook are skipped by that renewal task and must be renewed by hand, as Certbot's own "NEXT STEPS" message below points out.


Installing Certbot

1. Installing Certbot on Ubuntu/Debian

Install with APT:

sudo apt update

sudo apt install certbot

Once installed, Certbot is ready to use. Distribution packages can lag behind upstream releases; the snap below tracks the current release.

Install the Snap version:

Snap is the installation method recommended on Certbot's own website, especially for Ubuntu LTS releases, because it stays current with upstream and installs the automatic renewal timer for you.


sudo snap install core

sudo snap refresh core

sudo snap install --classic certbot



sudo ln -s /snap/bin/certbot /usr/bin/certbot  # make the certbot command available system-wide

2. Installing Certbot on CentOS/RHEL

Certbot is packaged in the EPEL repository, so enable it first (shown here for CentOS 7 with yum; on newer releases use dnf in the same way):


sudo yum install epel-release

sudo yum install certbot

3. Installing Certbot on macOS

On macOS, install Certbot with Homebrew:


brew install certbot

Installation instructions for every platform are on the Certbot website at https://certbot.eff.org/.

After installation, check which version is installed:


certbot --version

Requesting and renewing a certificate

Once Certbot is installed, request a certificate with the command below. Replace *.ez4code.com with your own domain. A few points about the flags: a wildcard name such as *.ez4code.com can only be validated with the DNS-01 challenge, which is why --preferred-challenges dns and --manual are used; quote the wildcard so the shell does not expand it as a glob; and --server here is the Let's Encrypt production endpoint, which is also the default. While experimenting, point --server at the staging endpoint https://acme-staging-v02.api.letsencrypt.org/directory instead, so mistakes do not consume production rate limits (staging certificates are not browser-trusted).

certbot certonly -d '*.ez4code.com' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

After running the command, answer the prompts as follows:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Enter email address (used for urgent renewal and security notices)

 (Enter 'c' to cancel): you@example.com    # placeholder: enter your own e-mail address; expiry and security notices are sent here



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in

order to register with the ACME server. Do you agree?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: Y    # 输入 Y



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing, once your first certificate is successfully issued, to

share your email address with the Electronic Frontier Foundation, a founding

partner of the Let's Encrypt project and the non-profit organization that

develops Certbot? We'd like to send you email about our work encrypting the web,

EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: Y       # 输入 Y



Account registered.

Requesting a certificate for *.ez4code.com



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please deploy a DNS TXT record under the name:



xxxxxxx.ez4code.com. # the record name: add it as a TXT record in your DNS provider's control panel (see the figure below)



with the following value:



aIwqY00CZtziVwr-xxxxxxxxxxxxxx  # the record value (see the figure below)



Before continuing, verify the TXT record has been deployed. Depending on the DNS

provider, this may take some time, from a few seconds to multiple minutes. You can

check if it has finished deploying with aid of online tools, such as the Google

Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.ez4code.com.

Look for one or more bolded line(s) below the line ';ANSWER'. It should show the

value(s) you've just added.



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Press Enter to Continue  # after the TXT record is in place (see the figure below), press Enter and the certificate is issued. Do not press Enter before the record has propagated: a failed challenge means re-running the command, which hands out a new value. The issued certificate is reported as follows:



Successfully received certificate.

Certificate is saved at: /etc/letsencrypt/live/ez4code.com/fullchain.pem

Key is saved at:         /etc/letsencrypt/live/ez4code.com/privkey.pem

This certificate expires on 2024-12-21.

These files will be updated when the certificate renews.



NEXT STEPS:

- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If you like Certbot, please consider supporting our work by:

 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

 * Donating to EFF:                    https://eff.org/donate-le

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
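Before using the files Certbot just reported, it is worth checking them. The script below is an added example, not part of Certbot: it assumes the openssl command-line tool is installed, that LIVE_DIR (an environment variable introduced here) points at the live/ directory from the output above, and the file name check-cert.sh used in the usage note is only a suggestion. It verifies that the wildcard name is actually on the certificate, that the private key is not readable by group or other (anyone who can read privkey.pem can impersonate every name on the certificate until it is revoked), and whether the certificate is inside the 30-day renewal window, which matters because this manually obtained certificate is not renewed automatically.

```bash
#!/bin/sh
# Post-issuance checks for the files Certbot reported above. This is an added
# example, not part of Certbot. It assumes the openssl CLI is installed and
# that LIVE_DIR (an env var introduced here) points at the live/ directory
# Certbot printed; that directory holds symlinks into /etc/letsencrypt/archive/
# which Certbot repoints on every renewal, so always reference live/, not archive/.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/ez4code.com}"

# Succeed (return 0) if the certificate expires within $2 days, i.e. it should
# be renewed now. openssl's -checkend returns 0 when the certificate stays
# valid for the whole window, so its result is inverted here.
cert_needs_renewal() {
    cert="$1"; days="${2:-30}"
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Succeed if the private key is readable by its owner only (e.g. mode 0600).
# Whoever can read privkey.pem can impersonate every name on the certificate
# until it is revoked, so the group and other permission bits must be empty.
key_is_private() {
    # ls -lL follows the live/ symlink; the mode field looks like -rw-------
    # and characters 5-10 are the group and other permission bits.
    [ "$(ls -lL "$1" | cut -c5-10)" = "------" ]
}

# List the DNS names the certificate covers, one per line, so you can confirm
# the wildcard entry is present. Needs OpenSSL 1.1.1 or newer for -ext.
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# Run all three checks against LIVE_DIR and report; return 1 on any problem.
check_live_dir() {
    cert="$LIVE_DIR/fullchain.pem"; key="$LIVE_DIR/privkey.pem"; rc=0
    echo "names covered:"; cert_names "$cert" | sed 's/^/  /'
    if cert_needs_renewal "$cert" 30; then
        echo "WARNING: $cert expires within 30 days; renew it now" >&2; rc=1
    fi
    if ! key_is_private "$key"; then
        echo "WARNING: $key is readable by group/other; run: chmod 600 $key" >&2; rc=1
    fi
    return "$rc"
}

if [ "${1:-}" = "--check" ]; then
    check_live_dir
fi
```

Run it as root with `sh check-cert.sh --check` (root is needed to read the key). The 30-day threshold is the renewal point Let's Encrypt recommends; a daily cron entry running this script gives you a warning in time to repeat the issuance command by hand.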

Setting up the DNS record used for validation:

Let's Encrypt certificates are valid for 90 days, and a certificate obtained with --manual and no auth hook is not renewed by `certbot renew`. Renew it by repeating the request (Let's Encrypt recommends doing so once 30 days or fewer remain):

certbot certonly --force-renewal --manual -d '*.ez4code.com' \
--preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory

--force-renewal skips the "keep the existing certificate or renew?" prompt and requests a new certificate unconditionally. Every run counts toward Let's Encrypt's duplicate-certificate rate limit (5 per week for the same set of names), so do not put this command in a cron job or repeat it while debugging; use the staging server for that.

The renewal run asks you to update the DNS TXT record again. Each order has a fresh validation value, so replace the old record rather than leaving stale ones behind:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Requesting a certificate for *.jysahre.com



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please deploy a DNS TXT record under the name:



_acme-challenge.jysahre.com.



with the following value:



ckxo1wGXbP1CtNQ3ZRfvHxxxxxx          # the new TXT record value; once it is set, the renewal completes



Before continuing, verify the TXT record has been deployed. Depending on the DNS

provider, this may take some time, from a few seconds to multiple minutes. You can

check if it has finished deploying with aid of online tools, such as the Google

Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.jysahre.com.

Look for one or more bolded line(s) below the line ';ANSWER'. It should show the

value(s) you've just added.



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
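Both the first issuance and the renewal run above stop at "Press Enter to Continue" and rely on you to confirm that the TXT record has propagated. The script below is an added example, not part of Certbot, that does that check the way Let's Encrypt will: it asks the zone's authoritative name servers directly (a local resolver may have cached a negative answer for minutes) and accepts only an exact match of the current value, so a stale record from an earlier issuance never passes. It assumes the `dig` tool (package dnsutils or bind-utils) is installed; the file name acme-dns-check.sh and the path /path/to/ are placeholders. The same script can also serve as the --manual-auth-hook whose absence the "NEXT STEPS" message complains about: Certbot runs the hook with CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment, and once your DNS provider's API call is added at the marked line, `certbot renew` can handle this certificate unattended.

```bash
#!/bin/sh
# DNS-01 helper for the manual flow shown above (first issuance and the renewal
# run alike). Added example, not part of Certbot; it assumes the `dig` tool
# (package dnsutils or bind-utils) is installed, and the file name
# acme-dns-check.sh used below is only a suggestion.
#
# Use 1: before pressing Enter at "Press Enter to Continue", confirm the record
# is really visible where Let's Encrypt will look:
#   sh acme-dns-check.sh '*.ez4code.com' 'aIwqY00CZtziVwr-xxxxxxxxxxxxxx'
# Use 2: as the auth hook whose absence the NEXT STEPS message complains about:
#   certbot certonly --manual --preferred-challenges dns -d '*.ez4code.com' \
#       --manual-auth-hook /path/to/acme-dns-check.sh
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook. Until a
# provider API call is inserted at the marked line, the hook still refuses to
# let Certbot proceed before the record has propagated.

# Map a domain, wildcard or not, to the TXT name ACME DNS-01 validates:
#   *.ez4code.com  ->  _acme-challenge.ez4code.com
acme_challenge_name() {
    d=${1#\*.}          # a wildcard is validated on its base name
    d=${d%.}            # tolerate a trailing dot
    printf '_acme-challenge.%s\n' "$d"
}

# $1: output of `dig +short TXT <name>` (one "quoted" record per line)
# $2: expected validation value. Only an exact, complete match counts, so a
# stale record from an earlier issuance is never mistaken for the current one.
txt_has_value() {
    printf '%s\n' "$1" | grep -qxF "\"$2\""
}

# Print the authoritative name servers for the closest zone enclosing $1,
# walking up one label at a time (www.ez4code.com -> ez4code.com -> ...).
authoritative_ns() {
    z="$1"
    while [ -n "$z" ]; do
        ns=$(dig +short NS "$z")
        if [ -n "$ns" ]; then printf '%s\n' "$ns"; return 0; fi
        case "$z" in *.*) z=${z#*.} ;; *) return 1 ;; esac
    done
    return 1
}

# Poll every authoritative server (what Let's Encrypt queries; your local
# resolver may cache a negative answer for minutes) until all of them return
# the expected record. $3: attempts, 10 s apart (default 30).
wait_for_txt() {
    name=$(acme_challenge_name "$1"); expected="$2"; tries="${3:-30}"
    servers=$(authoritative_ns "${name#_acme-challenge.}") || {
        echo "no authoritative NS found for $name" >&2; return 1; }
    i=0
    while [ "$i" -lt "$tries" ]; do
        ok=1
        for ns in $servers; do
            if ! txt_has_value "$(dig +short @"$ns" TXT "$name")" "$expected"; then
                ok=0; break
            fi
        done
        if [ "$ok" -eq 1 ]; then
            echo "$name is visible on all authoritative servers"; return 0
        fi
        i=$((i + 1)); sleep 10
    done
    echo "timed out waiting for $name = $expected" >&2
    return 1
}

if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    # Invoked by Certbot as --manual-auth-hook.
    echo "Create TXT record $(acme_challenge_name "$CERTBOT_DOMAIN") = $CERTBOT_VALIDATION"
    # >>> insert your DNS provider's API call here (provider-specific) <<<
    wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
elif [ "$#" -ge 2 ]; then
    wait_for_txt "$1" "$2"
fi
```

If you delegate _acme-challenge to another zone with a CNAME, query the CNAME target instead; the authoritative servers of the original zone only return the CNAME, and the exact-match check deliberately fails on anything but the current value.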