运维-SSL 证书安装 certbot-auto

作者: 小敏-blog | 发表于 | 分类于 | | 阅读次数:

certbot是专门为Let’s encrypt制作的一个管理证书工具,可以通过它来生成证书管理更新Let’s encrypt证书。

安装

  1. Installing snap on CentOS
1
2
3
4
yum install epel-release
yum install snapd
systemctl enable --now snapd.socket
ln -s /var/lib/snapd/snap /snap
1
2
snap install core
snap refresh core
1
yum remove certbot
  1. Install Certbot
1
2
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
  1. Run Certbot
1
certbot certonly --standalone
  1. Automatic Renewal(nginx服务 80端口)
1
2
3
4
5
6
7
sh -c 'printf "#!/bin/sh\nsystemctl stop nginx\n" > /etc/letsencrypt/renewal-hooks/pre/nginx.sh'
sh -c 'printf "#!/bin/sh\nsystemctl start nginx\n" > /etc/letsencrypt/renewal-hooks/post/nginx.sh'
chmod 755 /etc/letsencrypt/renewal-hooks/pre/nginx.sh
chmod 755 /etc/letsencrypt/renewal-hooks/post/nginx.sh

crontab -e
0 6 1 * * /usr/bin/crontab renew > /dev/null 2>&1 &

安装(已过期)

  1. 下载
1
wget https://dl.eff.org/certbot-auto
  1. 安装
1
2
mv certbot-auto /usr/local/bin/certbot-auto
chmod a+x /usr/local/bin/certbot-auto
  1. 生成证书
1
certbot-auto certonly --standalone -d www.themismin.com --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
  1. 设置自动更新
1
2
# 每两个月2号4点16分 域名证书更新
16 4 2 */2 * /usr/local/bin/certbot-auto renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" > /dev/null 2>&1 &

问题1

OCSP check failed
OSCP 无法访问 

1
2
3
在/etc/hosts中添加

23.32.3.72 ocsp.int-x3.letsencrypt.org
您的支持将鼓励我继续创作