\u65e9\u524d\u5beb\u4e86\u4e00\u7bc7 knowledge transfer \u6587\u7ae0\uff0c\u8b1b\u89e3\u5982\u4f55\u5f9e Let\u2019s Encrypt \u7c3d TLS cert\uff0c\u73fe\u5728\u540c\u5927\u5bb6\u5206\u4eab\u4e00\u4e0b\u3002<\/p>\n
Certbot<\/a> is an official tool to renew\/sign the cert issued from Let\u2019s Encrypt<\/a>.<\/p>\n Installation of certbot was painful in the old days, so in the first release, I use its official Docker<\/a> image to do the job.<\/p>\n Then, you can find the cert and key in The drawback of this is, you have to stop NGINX<\/a> during the signing. But days have changed, certbot-auto<\/a> provides a fairly easy way to do the same thing.<\/p>\n One big advantages of using certbot-auto instead of Docker is that, you did not need to stop NGINX.<\/p>\n 1. Download certbot-auto<\/strong> 2. Use certbot-auto to install certbot<\/strong> For RHEL\/CentOS\/Oracle Linux: For Debian\/Ubuntu: 3. Use certbot to sign cert<\/strong> It will read the NGINX config, and list out the domain you have for selection.<\/p>\n If passed the challenge and verification, the cert and key will be saved to The file inside that directory are symbolic links only, which will point to So, in NGINX conf, you just make use the cert and key files in the 4. Test and Reload NGINX config<\/strong> 5. Use certbot to renew cert<\/strong> 6. Auto renewal<\/strong> Remark: \u65e9\u524d\u5beb\u4e86\u4e00\u7bc7 knowledge transfer \u6587\u7ae0\uff0c\u8b1b\u89e3\u5982\u4f55\u5f9e Let\u2019s Encrypt \u7c3d TLS cert\uff0c\u73fe\u5728\u540c\u5927\u5bb6\u5206\u4eab\u4e00\u4e0b\u3002 Certbot is an official tool to renew\/sign the cert issued from Let\u2019s Encrypt. Installation of certbot was painful in the old days, so in the first release, I use its official Docker image to do the job. docker run -it –rm -p 443:443 -p 80:80 \\\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[17],"tags":[],"_links":{"self":[{"href":"https:\/\/carlos.aboutmy.info\/blog\/index.php?rest_route=\/wp\/v2\/posts\/630"}],"collection":[{"href":"https:\/\/carlos.aboutmy.info\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/carlos.aboutmy.info\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/carlos.aboutmy.info\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/carlos.aboutmy.info\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=630"}],"version-history":[{"count":22,"href":"https:\/\/carlos.aboutmy.info\/blog\/index.php?rest_route=\/wp\/v2\/posts\/630\/revisions"}],"predecessor-version":[{"id":666,"href":"https:\/\/carlos.aboutmy.info\/blog\/index.php?rest_route=\/wp\/v2\/posts\/630\/revisions\/666"}],"wp:attachment":[{"href":"https:\/\/carlos.aboutmy.info\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=630"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/carlos.aboutmy.info\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=630"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/carlos.aboutmy.info\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=630"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}docker run -it --rm -p 443:443 -p 80:80 \\
\n-v \"\/etc\/letsencrypt:\/etc\/letsencrypt\" \\
\n-v \"\/var\/lib\/letsencrypt:\/var\/lib\/letsencrypt\" \\
\nquay.io\/letsencrypt\/letsencrypt:latest certonly<\/code><\/p>\n\/etc\/letsencrypt\/live\/<domain, e.g. carlos.aboutmy.info>\/<\/code><\/p>\n
\n$ curl -OL https:\/\/dl.eff.org\/certbot-auto<\/code>
\n$ chmod +x .\/certbot-auto<\/code>
\n$ sudo mv .\/certbot-auto \/usr\/local\/bin\/<\/code><\/p>\n
\nCertbot requires Python and Python virtualenv, gcc and some devel packages<\/p>\n
\n$ sudo yum install python-virtualenv python-pip libffi-devel openssl-devel gcc<\/code><\/p>\n
\nsudo apt-get install python-virtualenv python-pip libffi-dev libssl-dev gcc<\/code><\/p>\n$ certbot-auto --no-bootstrap<\/code>
\n`–no-bootstrap` means not to install system package automatically, it\u2019s used to keep system as clean as possible.<\/p>\n
\n$ certbot-auto --nginx certonly<\/code><\/p>\n
\n\/etc\/letsencrypt\/live\/<domain, e.g. carlos.aboutmy.info>\/<\/code><\/p>\n
\n\/etc\/letsencrypt\/archive\/<domain, e.g. carlos.aboutmy.info>\/<\/code> and the file are named with numbers (e.g. xxx1.pem) for old backups.<\/p>\n\/etc\/letsencrypt\/live\/<\/code>, it will auto link to the lastest cert and key.<\/p>\n
\n$ sudo nginx -t<\/code>
\n$ sudo nginx -s reload<\/code><\/p>\n
\n$ certbot-auto --nginx renew<\/code><\/p>\n
\nRun certbot-auto --nginx renew<\/code> every 60 days as recommended by Let\u2019s Encrypt since the cert will expiry every 90 days. <\/p>\n$ crontab -e<\/code>
\n0 4 1 1,3,5,7,9,11 * \/usr\/local\/bin\/certbot-auto --nginx renew > \/dev\/null 2>&1<\/code><\/p>\n
\nIf you are using CloudFlare, you have to replace --nginx<\/code> with --webroot --webroot-path \"%web root path%\"<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"