步骤一:将要申请 Let’s Encrypt SSL 的域名解析到要进行操作的服务器 IP 地址上
(步骤略)
步骤二:安装 certbot
# yum -y install certbot
(补充:这里以在 Fedora 35 上安装 certbot 为例)
步骤三:使用 certbot 生成 Let’s Encrypt SSL 证书
# certbot certonly --email mingyu.zhu@eternalcenter.com -n --agree-tos --webroot -w /usr/share/nginx/html/ -d eternalcenter.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for eternalcenter.com
Performing the following challenges:
http-01 challenge for eternalcenter.com
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/eternalcenter.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/eternalcenter.com/privkey.pem
Your certificate will expire on 2022-03-20. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
(
补充:这里以
1) 使用 mingyu.zhu@eternalcenter.com 邮箱
2) 以非交互式的方式
3) 通过给 /usr/share/nginx/html/ 网站目录里添加验证文件进行验证
4) 给 eternalcenter.com 域名申请 Let’s Encrypt SSL 证书为例
)
步骤四:显示已经生成的 Let’s Encrypt SSL 证书
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: eternalcenter.com
Serial Number: 3e8cdb74a1abfbf3d535ec1c3f8cb3e4e4c
Key Type: RSA
Domains: eternalcenter.com
Expiry Date: 2022-03-20 13:48:48+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/eternalcenter.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/eternalcenter.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(
补充:
1) /etc/letsencrypt/live/eternalcenter.com/fullchain.pem 是公钥
2) /etc/letsencrypt/live/eternalcenter.com/privkey.pem 是私钥
)
步骤五:延期 Let’s Encrypt SSL 证书
5.1 显示 Let’s Encrypt SSL 证书的延期策略
# cat /etc/letsencrypt/renewal/eternalcenter.com.conf
# renew_before_expiry = 30 days
version = 1.20.0
archive_dir = /etc/letsencrypt/archive/eternalcenter.com
cert = /etc/letsencrypt/live/eternalcenter.com/cert.pem
privkey = /etc/letsencrypt/live/eternalcenter.com/privkey.pem
chain = /etc/letsencrypt/live/eternalcenter.com/chain.pem
fullchain = /etc/letsencrypt/live/eternalcenter.com/fullchain.pem
(补充:可以看出 Let’s Encrypt SSL 证书是在过期前 30 天才能更新)
5.2 手动延期 Let’s Encrypt SSL 证书
# /usr/bin/certbot renew
(补充:这里以延期 Let’s Encrypt SSL 证书为例)
5.3 自动延期 Let’s Encrypt SSL 证书
# crontab -e
添加以下内容:
......
0 0 */30 * * /usr/bin/certbot renew
(补充:这里以每过 30 天的 0 时 0 分延期 Let’s Encrypt SSL 证书为例)
(
注意:更新 SSL 之后需要同时重启使用 SSL 证书的服务,例如如果使用 SSL 证书的是 Nginx 的话建议添加以下内容:
......
0 0 */30 * * /usr/bin/certbot renew ; /usr/bin/systemctl restart nginx
)
步骤六:Let’s Encrypt SSL 证书的生成限制
1) 一个域名申请次数不能超过 5 次/周
2) 允许申请失败次数不能超过 5 次/时
3) 属于同一个顶级域名的二级域名申请次数不能超过 20 次/周
4) 申请请求频率不能超过 20 次/秒
5) 一个 IP 地址创建用户个数不能超过 10 个/3 小时
6) 一个用户最多 pending 审核的数不能超过 300 个