How to install a Let's Encrypt SSL certificate on Ubuntu 18.04

Date: 2020-03-05 15:27:59  Source: igfitidea

Certbot is a user-friendly automated client that obtains and deploys SSL/TLS certificates for web servers.
It is an EFF tool that fetches certificates from Let's Encrypt and automatically enables HTTPS on the server.
In short, it acts as the official "Let's Encrypt client" or "Let's Encrypt Python client".
It uses the Automated Certificate Management Environment (ACME) protocol to deploy free SSL certificates that are trusted by most browsers.
Consequently it also works with any other CA that supports the ACME protocol.

In this article I will explain how to obtain and install free Let's Encrypt SSL certificates for Apache and Nginx on an Ubuntu 18.04 server using Certbot.

Prerequisites

  • An Ubuntu Bionic Beaver (18.04) server with root privileges, so that the required packages can be installed.
  • A fully qualified domain that is registered and has correct DNS records. Throughout this article I use the domain name theitroadcloudy.com.

Installing Certbot

To obtain a Let's Encrypt SSL certificate we first need to install the Certbot software.
Although Certbot is available in the Ubuntu repositories, the packages there tend to be out of date.
It is therefore recommended to install from the Certbot PPA, which carries the latest release.
We can install Certbot with the following commands:

# add-apt-repository ppa:certbot/certbot
# apt update
# apt install certbot

We can confirm the installed Certbot version with the following command:

# certbot --version
certbot 0.23.0

We can also run the command "certbot plugins" to list the Certbot plugins available on the server.

# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log
* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
------------------------------------------------------------------------------

By default this package ships only the standalone and webroot plugins.
Depending on our purpose we can enable additional plugins as needed.

Setting up a Let's Encrypt SSL certificate on Apache

Certbot provides an Apache plugin that makes issuing SSL certificates with this tool easier.
We can install the plugin with the following command:

# apt install python-certbot-apache

We are now ready to use the tool, but before configuring SSL for a domain we need to check the Apache configuration.
To issue an SSL certificate for a domain, Certbot looks for a matching virtual host for that domain in the server's Apache configuration.
You can refer to my earlier article on setting up a domain virtual host.

Assuming a suitable virtual host exists for our domain, we can run this command to install SSL for our domain theitroadcloudy.com.

# certbot --apache -d theitroadcloudy.com -d www.theitroadcloudy.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for theitroadcloudy.com
http-01 challenge for www.theitroadcloudy.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/theitroadcloudy.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/theitroadcloudy.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/theitroadcloudy.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/theitroadcloudy.com-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/theitroadcloudy.com.conf to ssl vhost in /etc/apache2/sites-available/theitroadcloudy.com-le-ssl.conf
------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://theitroadcloudy.com and
https://www.theitroadcloudy.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=theitroadcloudy.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.theitroadcloudy.com
------------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/theitroadcloudy.com-0002/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/theitroadcloudy.com-0002/privkey.pem
Your cert will expire on 2016-09-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG/Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

The interactive process above walks us through all the information needed to sign and install the certificate for the selected domains.
Once the command completes, the domain's SSL certificate is downloaded, installed and configured correctly in the domain's virtual host.
We can now access the domain over HTTPS to confirm it works, or check the SSL status in an SSL checker.

Optionally, if we have multiple virtual hosts/domains configured, we can install SSL certificates for them with the following command.

# certbot --apache

Certbot will ask us to select the domains to include in the new certificate.

Furthermore, if we do not want Certbot to automatically install/configure the domain virtual host with the new SSL certificate, we can use the following command to only obtain the certificate.
We can then configure it manually later.

# certbot --apache certonly

Setting up a Let's Encrypt SSL certificate on Nginx

On a server running the Nginx web server, we can use the Certbot Nginx plugin to obtain and install the SSL certificate automatically.
We can install the plugin by issuing the following command:

# apt install python-certbot-nginx

We are now ready to use the tool, but before configuring SSL for a domain we need to check the Nginx configuration.
To issue an SSL certificate for a domain, Certbot looks for a matching virtual host (server block) for that domain in the server's Nginx configuration.
Assuming a suitable virtual host exists for our domain, we can run this command to install SSL for our domain theitroadcloudy.com.

# certbot --nginx -d theitroadcloudy.com -d www.theitroadcloudy.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2016.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
------------------------------------------------------------------------------
(A)gree/(C)ancel: A
------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
------------------------------------------------------------------------------
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for theitroadcloudy.com
http-01 challenge for www.theitroadcloudy.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/theitroadcloudy.com.conf
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/theitroadcloudy.com.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/theitroadcloudy.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/theitroadcloudy.com.conf
------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://theitroadcloudy.com and
https://www.theitroadcloudy.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=theitroadcloudy.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.theitroadcloudy.com
------------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/theitroadcloudy.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/theitroadcloudy.com/privkey.pem
Your cert will expire on 2016-09-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG/Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

This self-explanatory interactive process generates, installs and configures the SSL certificate for the domain automatically.
Once the command completes, the domain's SSL certificate is downloaded, installed and configured correctly in the domain's virtual host.
We can now access the domain over HTTPS to confirm it works, or check the SSL status in an SSL checker.
Replace my domain theitroadcloudy.com with your own domain and run the same command to generate your SSL certificate.

As with the Apache plugin, if we have multiple virtual hosts/domains configured, we can install SSL certificates for all of them with the following command.

# certbot --nginx

Certbot will ask us to select the domains to include in the new certificate.

Likewise, if we do not want Certbot to automatically install/configure the domain virtual host with the new SSL certificate, we can use the following command to only obtain the certificate and configure it manually later.

# certbot --nginx certonly

Setting up a Let's Encrypt wildcard certificate with Certbot

Let's Encrypt recently started supporting wildcard certificates through its new ACME v2 protocol.
This means we can have a single wildcard certificate (for example *.theitroadcloudy.com) and use it on all subdomains of the domain (such as docs.theitroadcloudy.com, blog.theitroadcloudy.com, mail.theitroadcloudy.com and so on).
This makes managing certificates for many subdomains very easy and efficient.
We can generate this wildcard SSL certificate for theitroadcloudy.com by running the following command.
Replace theitroadcloudy.com with your preferred domain to adapt the command.

# certbot certonly --manual -d *.theitroadcloudy.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for theitroadcloudy.com
------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.theitroadcloudy.com with the following value:
z25SzIfe37x5va0ynh6KdmEYVjjuSvdUOGM_t_twsVk
Before continuing, verify the record is deployed.
------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/theitroadcloudy.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/theitroadcloudy.com-0001/privkey.pem
Your cert will expire on 2016-09-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG/Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

As shown in this interactive process, it asks us to add a specific TXT record to our DNS records.
In my case it reported the TXT record to set up as follows:

------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.theitroadcloudy.com with the following value:
z25SzIfe37x5va0ynh6KdmEYVjjuSvdUOGM_t_twsVk
Before continuing, verify the record is deployed.
------------------------------------------------------------------------------
Press Enter to Continue

In our DNS provider we create a new DNS TXT record with the following:

Record Name: _acme-challenge (you may or may not need the .theitroadcloudy.com suffix depending on your DNS provider)
Record Value: z25SzIfe37x5va0ynh6KdmEYVjjuSvdUOGM_t_twsVk (replace this with the value provided by Certbot)

Save the DNS settings, then press Enter in the Certbot window to trigger the check and complete the validation.
We need to wait a while for the new DNS record to propagate across the Internet.
I waited 30 minutes before pressing Enter.
We can also set a lower TTL value to speed up this process.

Congratulations! The wildcard certificate for the domain theitroadcloudy.com has been generated.
We can now use this wildcard certificate with any subdomain we create for the domain.
For example, I created a subdomain for this domain, docs.theitroadcloudy.com.
It uses the wildcard SSL certificate installed for the main domain.
We can access the subdomain over HTTPS in a browser and confirm it works.

Automatically renewing SSL certificates

We can use any of the methods above to obtain an SSL certificate.
However, all of these Let's Encrypt certificates are short-lived and valid for only 90 days.
They must therefore be renewed before they expire to keep the site running without interruption.
We can do this manually as needed, or automate the process with cron jobs or the Certbot client.

After successfully installing a certificate with any of the methods above, we receive a message similar to the following:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/theitroadcloudy.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/theitroadcloudy.com/privkey.pem
Your cert will expire on 2016-09-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"

This message clearly explains how to renew the certificate in the future using the "certbot renew" command.

Let us test the renewal process with the following command:

# certbot renew

This command checks whether the domain SSL certificates are due for renewal and renews those that need it.

The good news is that the Certbot package on our server ships with a cron job that renews the SSL certificates automatically before they expire.
Since Let's Encrypt certificates are valid for only 90 days, it is strongly recommended to make use of this.

# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
## Upstream recommends attempting renewal twice a day
## Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

This cron job runs twice a day, but it does not renew a certificate unless that certificate is close to expiry.