Renewing a Let's Encrypt SSL certificate

I recently received an email saying my SSL certificate would expire within 10 days, so I hurried to renew it.

I used Certbot, the client officially recommended by Let's Encrypt, to do this.

Download and install the tool according to your system and package manager.

My system is fairly old, so I downloaded the binary file.


wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto


With execute permission granted, continue.


[root@xzx ~]# ./certbot-auto certonly --force-renewal -d xiazhengxin.name --no-self-upgrade
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find executable apachectl in PATH: /opt/lighttpd/sbin:/opt/php/sbin:/opt/php/bin:/opt/mysql/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for xiazhengxin.name
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xiazhengxin.name/fullchain.pem. Your cert
will expire on 2017-07-13. To obtain a new or tweaked version of
this certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


The renewal succeeded, though it feels to me as if a brand-new certificate was generated.
Check where the certificate is stored:

[root@xzx ~]# ./certbot-auto certificates --force-renewal -d xiazhengxin.name --no-self-upgrade
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following matching certs:
Certificate Name: xiazhengxin.name
Domains: xiazhengxin.name
Expiry Date: 2017-07-13 09:26:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/xiazhengxin.name/fullchain.pem
Private Key Path: /etc/letsencrypt/live/xiazhengxin.name/privkey.pem
-------------------------------------------------------------------------------


All that remains is to delete the old, nearly expired certificate, replace it with the newly generated one, and restart the web server.


[root@xzx ~]# cp /etc/letsencrypt/live/xiazhengxin.name/fullchain.pem /home/http/blog_xiazhengxin_name/ssl.pem
[root@xzx ~]# cat /etc/letsencrypt/live/xiazhengxin.name/privkey.pem >> /home/http/blog_xiazhengxin_name/ssl.pem


Done!!!!
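
The copy-then-append step above writes the private key into a file whose permissions depend on what the file or the umask already had, and it leaves a moment where ssl.pem holds the certificate without its key. The script below is an added example, not part of the original post or of Certbot: the helper name build_combined_pem is hypothetical, and it assumes openssl is installed.

```shell
#!/bin/sh
# Added example: build the combined cert+key PEM for the web server safely.
# build_combined_pem is a hypothetical helper name, not a Certbot command.
build_combined_pem() {
    cert=$1   # e.g. /etc/letsencrypt/live/<domain>/fullchain.pem
    key=$2    # e.g. /etc/letsencrypt/live/<domain>/privkey.pem
    out=$3    # combined file the web server reads

    # Refuse to install a pair that does not belong together: the public key
    # in the leaf certificate must equal the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2
        return 1
    fi

    # Create the temp file next to the target so mv is an atomic rename,
    # with umask 077 so the key is never readable by other users.
    tmp=$(umask 077 && mktemp "$out.XXXXXX") || return 1
    if cat "$cert" "$key" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Stand-alone use: ./script.sh <fullchain.pem> <privkey.pem> <ssl.pem>
if [ "$#" -eq 3 ]; then
    build_combined_pem "$@"
fi
```

If the web server worker runs as a different user, the file must be owned by the account that reads it at startup.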

For Certbot's usage and command-line options, see:
https://certbot.eff.org/docs/using.html#certbot-command-line-options

https://certbot.eff.org/ Certbot official site
https://letsencrypt.org/docs/client-options/ Other Certbot variants
