I. How Let's Encrypt, Certbot and Snap relate
Let's Encrypt is a free, automated and open certificate authority, run for the public's benefit by the non-profit Internet Security Research Group (ISRG).
Certbot is the EFF's client for automatically enabling HTTPS on your website by obtaining and deploying Let's Encrypt certificates.
Snap is the package manager used here to download and install Certbot.
So the core is the Let's Encrypt certificate; Snap and Certbot are the tools used to obtain and manage it.
II. Official Certbot installation (binding the certificate to nginx)
Official site: https://certbot.eff.org/
1. Install snapd
1.1 Add the EPEL repository
sudo yum -y install epel-release
1.2 Install snapd
sudo yum -y install snapd
1.3 Enable the snapd socket
systemctl enable --now snapd.socket
1.4 Create a symbolic link from /snap to /var/lib/snapd/snap; snap packages must be installed under /snap.
sudo ln -s /var/lib/snapd/snap /snap
2. Install certbot
2.1 Make sure snapd is up to date
sudo snap install core; sudo snap refresh core
2.2 Remove certbot-auto and any Certbot OS packages
sudo yum remove certbot
2.3 Install certbot
sudo snap install --classic certbot
2.4 Make the certbot command available
sudo ln -s /snap/bin/certbot /usr/bin/certbot
2.5 Choose how Certbot works with nginx
Let Certbot configure nginx automatically:
sudo certbot --nginx
Configure nginx manually (obtain the certificate only):
sudo certbot certonly --nginx
2.6 Renew certificates
sudo certbot renew
2.7 Issue a certificate
2.7.1 Using the DNS challenge (you must create a TXT record for _acme-challenge.<YOUR_DOMAIN> in your DNS provider's management console)
certbot certonly --email xxx@126.com --manual --preferred-challenges dns -d a.xxx.com
2.8 Edit the nginx configuration file
server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/your.domain.com/chain.pem;
    # ... other settings ...
}
2.9 Once the Nginx configuration is in place, reload it so the changes take effect
sudo nginx -s reload
2.10 Use crontab -e to set up a scheduled task:
sudo crontab -e
2.11 With the crontab file open, press i to enter insert mode, then add:
0 23 28 * * /usr/bin/certbot renew >> /var/log/le-renew.log
This scheduled task runs the renewal at 23:00 on the 28th of every month.
III. Certbot command usage
certbot [subcommand] [options] [-d DOMAIN] [-d DOMAIN] ...
Obtain, install, and renew certificates:
    (default) run   Obtain a certificate and install it in the current web server
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near expiry
    -d DOMAINS      Comma-separated list of domains the certificate should cover
    --apache        Use the Apache plugin for authentication and installation
    --standalone    Run a standalone web server for authentication
    --nginx         Use the Nginx plugin for authentication and installation
    --webroot       Place the authentication files in the server's web root
    --manual        Obtain certificates interactively or via script hooks
    -n              Run non-interactively
    --test-cert     Obtain a test certificate from the staging server
    --dry-run       Test obtaining or renewing certificates without saving them to disk
IV. Common problems
4.1 The snapd 2.57.6-1.el7 package has an installation bug that produces a Go runtime stack error.
Solution:
① yum remove snapd
② yum remove snap-confine.x86_64
③ yum remove snapd-selinux.noarch
④ Download the 2.54 versions of the snap packages from https://mirror.lt.ucsc.edu/epel/7/x86_64/Packages/s/, specifically:
snapd-2.54.4-1.el7.x86_64.rpm
snapd-selinux-2.54.4-1.el7.noarch.rpm
snap-confine-2.54.4-1.el7.x86_64.rpm
⑤ Install them locally with yum
yum localinstall snapd-2.54.4-1.el7.x86_64.rpm
yum localinstall snapd-selinux-2.54.4-1.el7.noarch.rpm
yum localinstall snap-confine-2.54.4-1.el7.x86_64.rpm
4.2 The TLS connection fails with a NotTimeValid certificate-chain error; the full error is:
[21:21:31 ERR] Connection id "0HMN066E9362B", Request id "0HMN066E9362B:00000002": An unhandled exception was thrown by the application.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'.
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
at Microsoft.AspNetCore.Authorization.Policy.AuthorizationMiddlewareResultHandler.HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.CspMiddleware.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.HandleException(HttpContext context, ExceptionDispatchInfo edi)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
Solution:
Install the server's CA certificate bundle (kept under /etc/ssl/certs).
If it is not installed, run: yum install ca-certificates
After installation, refresh the trust store: update-ca-trust force-enable
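NotTimeValid means that, at the moment of the handshake, some certificate in the chain being validated was outside its notBefore/notAfter window; refreshing the CA bundle fixes the client side, but it is also worth checking the chain Certbot wrote on the server. The script below is an added example, not part of the original article and not Certbot's own code. It reads a PEM bundle such as /etc/letsencrypt/live/your.domain.com/fullchain.pem with a small standard-library DER reader, reports the validity window and status of every certificate in it, and its needs_renewal() mirrors Certbot's 30-day renewal window, so it can double as a check run from the cron job in section 2.11 to confirm the leaf really is being renewed. The names pem_to_der_list, validity_of, chain_report, days_until_expiry, needs_renewal and constructed_cert_pem are this example's own, and the two certificates it embeds are constructed, unsigned skeletons built by constructed_cert_pem(), not real certificates.

```python
"""Report the validity window of every certificate in a PEM chain (stdlib only).

Added example, not from the original article or from Certbot. A minimal DER
reader walks each certificate to its Validity field, so the script works on
/etc/letsencrypt/live/<domain>/fullchain.pem or chain.pem. The sample chain at
the bottom is CONSTRUCTED test data (unsigned skeletons), not real certificates.
"""
import base64
import datetime as dt
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
RENEW_THRESHOLD_DAYS = 30  # certbot renew acts once fewer than 30 days remain


def pem_to_der_list(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def read_children(buf):
    """Decode every TLV inside a constructed value such as a SEQUENCE."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out


def parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    s = value.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        yy = int(s[:2])
        s = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def validity_of(der_bytes):
    """Return (not_before, not_after) of one DER-encoded certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, cert_body, _ = read_tlv(der_bytes, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    fields = read_children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    (tag_nb, nb), (tag_na, na) = read_children(fields[3][1])
    return parse_time(tag_nb, nb), parse_time(tag_na, na)


def chain_report(pem_text, now=None):
    """Label each certificate in the bundle 'valid', 'expired' or 'not yet valid' at `now`."""
    now = now or dt.datetime.now(dt.timezone.utc)
    report = []
    for index, der_bytes in enumerate(pem_to_der_list(pem_text)):
        not_before, not_after = validity_of(der_bytes)
        status = "not yet valid" if now < not_before else "expired" if now > not_after else "valid"
        report.append({"index": index, "not_before": not_before, "not_after": not_after, "status": status})
    return report


def days_until_expiry(pem_text, now=None):
    """Whole days left on the leaf certificate (the first block in fullchain.pem)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return (validity_of(pem_to_der_list(pem_text)[0])[1] - now).days


def needs_renewal(pem_text, now=None):
    """True when the leaf is inside Certbot's renewal window (fewer than 30 days left)."""
    return days_until_expiry(pem_text, now) < RENEW_THRESHOLD_DAYS


# ---- constructed test data: a DER encoder and an unsigned certificate skeleton ----
def encode_tlv(tag, payload):
    """Encode one DER TLV (short or long-form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


def constructed_cert_pem(not_before, not_after):
    """CONSTRUCTED: a PEM block whose TBSCertificate has the real field order but no key or signature."""
    utc = lambda t: encode_tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = encode_tlv(0x30, encode_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    name = encode_tlv(0x30, encode_tlv(0x31, encode_tlv(0x30, encode_tlv(0x06, b"\x55\x04\x03") + encode_tlv(0x0C, b"test"))))
    tbs = encode_tlv(0x30, encode_tlv(0xA0, encode_tlv(0x02, b"\x02")) + encode_tlv(0x02, b"\x01") + sha256_rsa
                     + name + encode_tlv(0x30, utc(not_before) + utc(not_after)) + name + encode_tlv(0x30, b""))
    cert = encode_tlv(0x30, tbs + sha256_rsa + encode_tlv(0x03, b"\x00"))
    body = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        body[i:i + 64] for i in range(0, len(body), 64))


EXAMPLE_NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)   # constructed reference instant
SAMPLE_CHAIN = (constructed_cert_pem(EXAMPLE_NOW - dt.timedelta(days=10), EXAMPLE_NOW + dt.timedelta(days=80))
                + constructed_cert_pem(EXAMPLE_NOW - dt.timedelta(days=400), EXAMPLE_NOW - dt.timedelta(days=1)))

if __name__ == "__main__":
    # usage: python check_chain.py /etc/letsencrypt/live/your.domain.com/fullchain.pem
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHAIN
    now = dt.datetime.now(dt.timezone.utc) if len(sys.argv) > 1 else EXAMPLE_NOW
    for entry in chain_report(text, now):
        print("cert %(index)d: %(not_before)s .. %(not_after)s  %(status)s" % entry)
    print("leaf needs renewal:", needs_renewal(text, now))
```

Run it against fullchain.pem on the server: a line marked "expired" on anything other than the leaf points at a stale intermediate or cross-sign in the chain Certbot wrote, while an expired leaf with the cron job in place means the monthly renewal run is failing and /var/log/le-renew.log should be read. The reader only follows the TBSCertificate field order, so it deliberately does not verify signatures or trust; that remains the job of the TLS client and the CA bundle installed above.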