Содержание

Let's Encrypt + nginx в CentOS 7
Обсуждение

Let's Encrypt + nginx в CentOS 7

В заголовке заметки указаны CentOS/nginx, но ниже будут примеры для CentOS 8 и Apache, чтобы не создавать отдельные страницы в wiki.

CentOS 7

Подключаем EPEL

# yum install epel-release

Устанавливаем certbot для nginx

# yum install python2-certbot-nginx

Для apache

# yum install python2-certbot-apache

Видимо в скором времени придется перейти на более легковесное решение acme.sh, потому-что уж больно много пакетов устанавливается. А сайт certbot чересчур активно продвигает установку через snapd.

Не сликом ли много?! 🙉/🙈

Dependencies Resolved

=====================================================================================================================
 Package                                        Arch              Version                   Repository          Size
=====================================================================================================================
Installing:
 certbot                                        noarch            1.9.0-1.el7               epel                46 k
 python2-certbot-nginx                          noarch            1.9.0-1.el7               epel                78 k
Installing for dependencies:
 audit-libs-python                              x86_64            2.8.5-4.el7               base                76 k
 libcgroup                                      x86_64            0.41-21.el7               base                66 k
 libselinux-python                              x86_64            2.5-15.el7                base               236 k
 libsemanage-python                             x86_64            2.5-14.el7                base               113 k
 policycoreutils-python                         x86_64            2.5-34.el7                base               457 k
 pyOpenSSL                                      x86_64            0.13.1-4.el7              base               135 k
 pyparsing                                      noarch            1.5.6-9.el7               base                94 k
 python-IPy                                     noarch            0.75-6.el7                base                32 k
 python-backports                               x86_64            1.0-8.el7                 base               5.8 k
 python-backports-ssl_match_hostname            noarch            3.5.0.1-1.el7             base                13 k
 python-cffi                                    x86_64            1.6.0-5.el7               base               218 k
 python-configobj                               noarch            4.7.2-7.el7               base               117 k
 python-enum34                                  noarch            1.0.4-1.el7               base                52 k
 python-idna                                    noarch            2.4-1.el7                 base                94 k
 python-ipaddress                               noarch            1.0.16-2.el7              base                34 k
 python-ndg_httpsclient                         noarch            0.3.2-1.el7               epel                43 k
 python-ply                                     noarch            3.4-11.el7                base               123 k
 python-pycparser                               noarch            2.14-1.el7                base               104 k
 python-requests                                noarch            2.6.0-9.el7_8             updates             94 k
 python-requests-toolbelt                       noarch            0.8.0-3.el7               epel                78 k
 python-setuptools                              noarch            0.9.8-7.el7               base               397 k
 python-six                                     noarch            1.9.0-2.el7               base                29 k
 python-urllib3                                 noarch            1.10.2-7.el7              base               103 k
 python-zope-component                          noarch            1:4.1.0-5.el7             epel               228 k
 python-zope-event                              noarch            4.0.3-2.el7               epel                79 k
 python-zope-interface                          x86_64            4.0.5-4.el7               base               138 k
 python2-acme                                   noarch            1.9.0-1.el7               epel                82 k
 python2-certbot                                noarch            1.9.0-1.el7               epel               379 k
 python2-configargparse                         noarch            0.11.0-2.el7              epel                31 k
 python2-cryptography                           x86_64            1.7.2-2.el7               base               502 k
 python2-distro                                 noarch            1.2.0-3.el7               epel                29 k
 python2-future                                 noarch            0.18.2-2.el7              epel               806 k
 python2-josepy                                 noarch            1.3.0-2.el7               epel                89 k
 python2-mock                                   noarch            1.0.1-10.el7              epel                92 k
 python2-parsedatetime                          noarch            2.4-6.el7                 epel                78 k
 python2-pyasn1                                 noarch            0.1.9-7.el7               base               100 k
 python2-pyrfc3339                              noarch            1.1-3.el7                 epel                16 k
 python2-six                                    noarch            1.9.0-0.el7               epel               2.9 k
 pytz                                           noarch            2016.10-2.el7             base                46 k
 setools-libs                                   x86_64            3.3.8-4.el7               base               620 k

Получаем сертификат для nginx

# certbot certonly --nginx

Получаем сертификат для apache

# certbot certonly --apache

Опция certonly подразумевает, что certbot только получит сертификат, но не будет автоматически менять конфигурационный файл веб-сервера.

При первом запуске certbot необходимо будет указать email и принять ToS.

Вот так это выглядит 🙉/🙈

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): john@foobar.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: wiki.foobar.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for wiki.foobar.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/wiki.foobar.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/wiki.foobar.com/privkey.pem
   Your cert will expire on 2021-02-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

CentOS 8

Подключаем EPEL

# dnf install epel-release

Устанавливаем certbot для nginx

# dnf install python3-certbot-nginx

Для apache

# dnf install python3-certbot-apache

Проверка автоматического обновления сертификатов

# certbot renew --dry-run

Вот так это выглядит 🙉/🙈

# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wiki.foobar.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wiki.foobar.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/wiki.foobar.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/cloud.iddqd.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Автоматическое обновление

Никаких /etc/crontab или /etc/cron.d. В сети много вредных советов.

Для автоматического обновления существует systemd timer.

systemd service файл

# cat /usr/lib/systemd/system/certbot-renew.service
[Unit]
Description=This service automatically renews any certbot certificates found

[Service]
EnvironmentFile=/etc/sysconfig/certbot
Type=oneshot
ExecStart=/usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew $PRE_HOOK $POST_HOOK $RENEW_HOOK $DEPLOY_HOOK $CERTBOT_ARGS

systemd таймер

# cat /usr/lib/systemd/system/certbot-renew.timer  
[Unit]
Description=This is the timer to set the schedule for automated renewals

[Timer]
OnCalendar=*-*-* 00/12:00:00
RandomizedDelaySec=12hours
Persistent=true

[Install]
WantedBy=timers.target

Нужно только запустить их и добавить в автозагрузку

# systemctl enable certbot-renew.service
# systemctl start certbot-renew.service
# systemctl enable certbot-renew.timer
# systemctl start certbot-renew.timer

EOM

linux, centos, ssl, lets encrypt, nginx, certbot

Обсуждение

Полное имя:

Эл. адрес:

Ваш комментарий. Вики-синтаксис разрешён:

Нужно набрать RTFM на русском языке Пожалуйста, оставьте это поле пустым:

Подписаться на комментарии