Let's Encrypt SSL certificates: installing and setting up Certbot via snapd

2022-11-10

1. Install snap

a. Install the EPEL repository

[root@mail ~]# dnf install epel-release

b. Install the snapd package

[root@mail ~]# dnf install snapd

c. Enable the systemd unit that manages the main snap communication socket

[root@mail ~]# systemctl enable --now snapd.socket

d. To enable classic snap support, create the symbolic link with the following command:

[root@mail ~]# ln -s /var/lib/snapd/snap /snap
[root@mail ~]# ll
total 123888
..............
drwx------.  3 root root       20 Jul 26 14:40 snap

Log out and log back in, or reboot the system, to make sure snap's paths are updated correctly.

e. Remove previously installed packages

[root@mail ~]# snap list --all
Name     Version    Rev    Tracking       Publisher     Notes
certbot  1.31.0     2414   latest/stable  certbot-eff✓  disabled,classic
certbot  1.32.0     2511   latest/stable  certbot-eff✓  classic
core     16-2.57.1  13741  latest/stable  canonical✓    core,disabled
core     16-2.57.2  13886  latest/stable  canonical✓    core
core20   20220919   1634   latest/stable  canonical✓    base,disabled
core20   20221027   1695   latest/stable  canonical✓    base
[root@mail ~]# snap stop certbot
Stopped.
[root@mail ~]# snap remove certbot
certbot removed
[root@mail ~]# snap list --all
Name    Version    Rev    Tracking       Publisher   Notes
core    16-2.57.1  13741  latest/stable  canonical✓  core,disabled
core    16-2.57.2  13886  latest/stable  canonical✓  core
core20  20220919   1634   latest/stable  canonical✓  base,disabled
core20  20221027   1695   latest/stable  canonical✓  base

[root@mail ~]# snap stop core
error: snap "core" has no services
[root@mail ~]# snap remove core
error: cannot remove "core": snap "core" is not removable: snap is used by the model

[root@mail ~]# snap remove core --revision 13741
core (revision 13741) removed
[root@mail ~]# snap remove core20 --revision 1634
core20 (revision 1634) removed
[root@mail ~]# snap list --all
Name    Version    Rev    Tracking       Publisher   Notes
core    16-2.57.2  13886  latest/stable  canonical✓  core
core20  20221027   1695   latest/stable  canonical✓  base

2. Make sure your snapd version is up to date

Run the following command to make sure your snapd is at the latest version.

[root@mail ~]# snap install core; snap refresh core # run this if core has not been installed yet
[root@mail ~]# snap refresh # run this if core is already installed
All snaps up to date.

3. Remove certbot-auto and any Certbot OS packages (if already present)

[root@mail ~]# dnf remove certbot

4. Install Certbot

[root@mail ~]# snap install --classic certbot

5. Prepare the Certbot command

[root@mail ~]# ln -s /snap/bin/certbot /usr/bin/certbot

6. Choose how you'd like to run Certbot

This example obtains the SSL certificate using the webroot (web root directory) method.

If you are obtaining a certificate for several domains at once, the plugin needs to know where each domain's files are served from, which may be a separate directory for each domain. When requesting a certificate for multiple domains, each domain uses the most recently specified --webroot-path (-w). For example:

[root@mail ~]# certbot certonly --webroot -w /var/www/webmail -d mail.ktxsz.cn -d imap.ktxsz.cn -d smtp.ktxsz.cn -d pop3.ktxsz.cn -w /var/www/ktxsz -d www.ktxsz.cn
# or
[root@mail ~]# certbot certonly --webroot --nginx -w /var/www/webmail -d mail.ktxsz.cn -d imap.ktxsz.cn -d smtp.ktxsz.cn -d pop3.ktxsz.cn -w /var/www/ktxsz -d www.ktxsz.cn
# --webroot (web root directory) and --nginx (Nginx server) are the methods used to obtain the SSL certificate.
# -w is followed by the web root directory of the site the certificate is for.
# -d is followed by the domain name served from the preceding web root (i.e. the domain to get a certificate for); with several domains, use one -d per domain.

7. Test automatic renewal

The Certbot package on your system comes with a cron job or systemd timer that renews your certificates automatically before they expire. You do not need to run Certbot again unless you change your configuration. You can test automatic renewal of your certificates by running the following command:

[root@mail ~]# certbot renew --dry-run # --dry-run only performs a test run; no certificate is saved to disk.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.ktxsz.cn-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for mail.ktxsz.cn and 3 more domains

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.ktxsz.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for www.ktxsz.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/mail.ktxsz.cn-0001/fullchain.pem (success)
  /etc/letsencrypt/live/www.ktxsz.cn/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The command that renews Certbot's certificates is installed in one of the following locations:

[root@mail ~]# systemctl list-timers # check the automatic renewal timer
NEXT                         LEFT          LAST                         PASSED               UNIT                         ACTIVATES
Thu 2022-11-10 16:50:42 CST  2h 55min left Wed 2022-11-09 16:50:42 CST  21h ago              systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Thu 2022-11-10 19:00:00 CST  5h 4min left  n/a                          n/a                  snap.certbot.renew.timer     snap.certbot.renew.service
n/a                          n/a           Tue 2022-07-26 16:32:26 CST  3 months 15 days ago systemd-readahead-done.timer systemd-readahead-done.service

3 timers listed.
Pass --all to see loaded but inactive timers, too.

8. Re-create and update existing certificates

[root@mail ~]# certbot --expand -d www.ktxsz.cn
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Requesting a certificate for www.ktxsz.cn

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.ktxsz.cn/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/www.ktxsz.cn/privkey.pem
This certificate expires on 2023-02-08.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for www.ktxsz.cn to /etc/nginx/conf.d/ktxsz.conf
Congratulations! You have successfully enabled HTTPS on https://www.ktxsz.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


[root@mail ~]# certbot --nginx --expand -d mail.ktxsz.cn,imap.ktxsz.cn,smtp.ktxsz.cn,pop3.ktxsz.cn
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mail.ktxsz.cn and 3 more domains

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mail.ktxsz.cn-0001/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/mail.ktxsz.cn-0001/privkey.pem
This certificate expires on 2023-02-08.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for mail.ktxsz.cn to /etc/nginx/conf.d/webmail.conf
Successfully deployed certificate for imap.ktxsz.cn to /etc/nginx/conf.d/webmail.conf
Successfully deployed certificate for smtp.ktxsz.cn to /etc/nginx/conf.d/webmail.conf
Successfully deployed certificate for pop3.ktxsz.cn to /etc/nginx/conf.d/webmail.conf
Congratulations! You have successfully enabled HTTPS on https://mail.ktxsz.cn, https://imap.ktxsz.cn, https://smtp.ktxsz.cn, and https://pop3.ktxsz.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@mail ~]# certbot certificates # list existing certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/mail.ktxsz.cn.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: mail.ktxsz.cn-0001
    Serial Number: 3c**********************************
    Key Type: RSA
    Domains: mail.ktxsz.cn imap.ktxsz.cn pop3.ktxsz.cn smtp.ktxsz.cn
    Expiry Date: 2023-02-08 02:23:26+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mail.ktxsz.cn-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.ktxsz.cn-0001/privkey.pem
  Certificate Name: www.ktxsz.cn
    Serial Number: 3e**********************************
    Key Type: RSA
    Domains: www.ktxsz.cn
    Expiry Date: 2023-02-08 01:49:36+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.ktxsz.cn/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.ktxsz.cn/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/mail.ktxsz.cn.conf

9. Modify the renewal configuration of an existing certificate

a. Perform a dry-run renewal of a single certificate with the modified options:

certbot renew --cert-name example.com --webroot-path /path/to/new/location --dry-run # --webroot-path replaces the web root directory saved for this certificate with the new directory

b. Renew for real with the revised options, including --force-renewal (force renewal):

certbot renew --cert-name example.com --webroot-path /path/to/new/location --force-renewal
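As an added example (not the post's own code), a small shell audit for the two things seen above: the renewal config that certbot certificates reported as "missing a required file reference" in section 8, and the per-domain webroot map that section 9 adjusts. The key names follow the renewal .conf format Certbot writes; the sample files, domain and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit Certbot renewal configs
# (/etc/letsencrypt/renewal/*.conf) so a broken one is caught before
# "certbot renew" skips it. Sample files below are constructed.

# Return 0 if FILE references all four files Certbot requires, else 1.
# Certbot reports such a file as "missing a required file reference".
check_renewal_conf() {
    file="$1"
    rc=0
    for key in cert privkey chain fullchain; do
        # Top-level keys appear before the first [section] header.
        if ! awk -v k="$key" '
            /^\[/ { exit }
            $1 == k && $2 == "=" && $3 != "" { found = 1 }
            END { exit !found }' "$file"; then
            echo "$file: missing required reference '$key'" >&2
            rc=1
        fi
    done
    return $rc
}

# Print "domain webroot" pairs from [[webroot_map]]: the persisted result
# of the -w/-d ordering used when the certificate was issued.
webroot_map() {
    awk '/^\[\[webroot_map\]\]/ { inmap = 1; next }
         /^\[/ { inmap = 0 }
         inmap && $2 == "=" { print $1, $3 }' "$1"
}

# Constructed sample: a valid webroot renewal config.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
version = 1.32.0
cert = /etc/letsencrypt/live/www.example.test/cert.pem
privkey = /etc/letsencrypt/live/www.example.test/privkey.pem
chain = /etc/letsencrypt/live/www.example.test/chain.pem
fullchain = /etc/letsencrypt/live/www.example.test/fullchain.pem
[renewalparams]
authenticator = webroot
[[webroot_map]]
www.example.test = /var/www/example
EOF
# Constructed sample: the same file with the fullchain reference dropped.
BAD_CONF=$(mktemp)
grep -v '^fullchain' "$GOOD_CONF" > "$BAD_CONF"
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
```

On a real host, loop the check over /etc/letsencrypt/renewal/*.conf and treat any non-zero result as a certificate that the timer will not renew.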