Obtaining a free Let's Encrypt HTTPS certificate with certbot-auto

Let's Encrypt now issues free wildcard certificates, which was great news to hear from colleagues. Before that we always used Aliyun's free certificate, which covers a single domain name and is issued for one year at a time. A Let's Encrypt wildcard certificate has to be renewed every 90 days, but since renewal can be automated that is no trouble. Enough talk, let's get started.

Download certbot

certbot-auto is a self-updating wrapper that installs its own Python dependencies as root, so fetch it only over HTTPS from dl.eff.org as below and verify it against the detached PGP signature (certbot-auto.asc) published next to it before running it. (EFF has since deprecated certbot-auto in favour of distribution packages and snap; the procedure below is otherwise the same with a packaged certbot.)

mkdir /opt/certbot
cd /opt/certbot
wget https://dl.eff.org/certbot-auto
chmod 755 certbot-auto

Request a wildcard certificate

Wildcard names are issued only through the ACMEv2 endpoint and can only be validated with the dns-01 challenge, which is why the request pins --server to the v02 directory and --preferred-challenges to dns-01. --manual means certbot stops and asks you to create the TXT record yourself.

./certbot-auto certonly  \
-d "*.cnrainbird.com" \
--manual \
--preferred-challenges dns-01  \
--server https://acme-v02.api.letsencrypt.org/directory

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for cnrainbird.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cnrainbird.com with the following value:

J5FTanSZjRl3P63LVdQqZG5fZ2n6n8vMRPVq8xv0r7Q

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

This is the point where you add the TXT record at your DNS provider: name _acme-challenge.cnrainbird.com, type TXT, value exactly the string certbot printed.

Every provider works much the same way; mine is DNSPod.

After adding the record, verify it before going back to certbot:

nslookup -type=txt _acme-challenge.cnrainbird.com
Server:         139.162.16.5
Address:        139.162.16.5#53

Non-authoritative answer:
_acme-challenge.cnrainbird.com  text = "J5FTanSZjRl3P63LVdQqZG5fZ2n6n8vMRPVq8xv0r7Q"

Authoritative answers can be found from:
cnrainbird.com  nameserver = f1g1ns1.dnspod.net.
cnrainbird.com  nameserver = f1g1ns2.dnspod.net.

A newly added record is usually visible within a minute or two. Check it against the zone's authoritative name servers (the ones listed under "Authoritative answers" above, passed as the last argument to nslookup) rather than trusting your local resolver alone: Let's Encrypt resolves the name from its own vantage points, and a stale negative answer cached by a recursive resolver is the usual reason a dns-01 challenge fails right after the record was added. Once the TXT value above comes back, return to the certbot window and press Enter to continue.
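As an added example (not part of the original post), here is a small POSIX shell script that automates the "verify before pressing Enter" step: it waits until the expected TXT value is visible on every authoritative name server of the zone, polling every 10 seconds and giving up after 300 seconds (both values are my choices, as is the file name wait-for-txt.sh). It can be run by hand in a second terminal, or passed to certbot as --manual-auth-hook, in which case certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to it; the record itself still has to be created, by hand or by a provider-API call placed before the wait.

```sh
#!/bin/sh
# wait-for-txt.sh: block until the dns-01 TXT record is visible on every
# authoritative name server of the zone. Added example, not from the
# original post. Usage (both assumed):
#   ./wait-for-txt.sh _acme-challenge.cnrainbird.com J5FTan...    (by hand)
#   ./certbot-auto certonly --manual --preferred-challenges dns-01 \
#       --manual-auth-hook /opt/certbot/wait-for-txt.sh ...        (as hook)
set -u

# txt_present EXPECTED OBSERVED
# OBSERVED is the output of `dig +short TXT`, one quoted value per line.
# Succeeds only on an exact, full-line match, so a stale record whose
# value merely starts with EXPECTED does not pass.
txt_present() {
    printf '%s\n' "$2" | tr -d '"' | grep -Fqx -- "$1"
}

# authoritative_ns NAME
# Prints the NS set of the closest enclosing zone of NAME (walks up the
# labels, so sub.example.com falls back to example.com's servers).
authoritative_ns() {
    zone=$1
    while [ -n "$zone" ]; do
        ns=$(dig +short NS "$zone" 2>/dev/null)
        if [ -n "$ns" ]; then printf '%s\n' "$ns"; return 0; fi
        case $zone in
            *.*) zone=${zone#*.} ;;
            *)   break ;;
        esac
    done
    return 1
}

# wait_for_txt NAME EXPECTED [TIMEOUT_SECONDS]
# Polls every authoritative server every 10 s until all of them return
# EXPECTED, or gives up after TIMEOUT_SECONDS (default 300).
wait_for_txt() {
    name=$1; expected=$2; timeout=${3:-300}
    servers=$(authoritative_ns "${name#_acme-challenge.}") || {
        echo "no NS records found for $name" >&2; return 1; }
    deadline=$(( $(date +%s) + timeout ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        missing=0
        for ns in $servers; do
            observed=$(dig +short TXT "$name" "@$ns" 2>/dev/null) || observed=""
            txt_present "$expected" "$observed" || { missing=1; break; }
        done
        [ "$missing" -eq 0 ] && return 0
        sleep 10
    done
    echo "timed out: $name not serving the expected TXT on ${ns:-?}" >&2
    return 1
}

if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    # hook mode: certbot strips the "*." from CERTBOT_DOMAIN, so the record
    # name is the same for the wildcard and the bare domain
    echo "create TXT _acme-challenge.$CERTBOT_DOMAIN = $CERTBOT_VALIDATION"
    wait_for_txt "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
elif [ $# -eq 2 ]; then
    wait_for_txt "$1" "$2"
fi
```

The exact-match check matters: when a record is updated rather than added, some servers keep serving the old value for a while, and a partial or prefix match would let you press Enter too early.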

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cnrainbird.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cnrainbird.com/privkey.pem
   Your cert will expire on 2020-06-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

As shown above, the wildcard certificate was issued successfully; it expires 90 days later (here on 2020-06-12).

Certificate File Storage

/etc/letsencrypt/live/cnrainbird.com/fullchain.pem
/etc/letsencrypt/live/cnrainbird.com/privkey.pem

One thing to note: a *.cnrainbird.com certificate does not cover the bare domain cnrainbird.com, so we request a separate certificate for it. (The alternative is a single certificate with both -d "*.cnrainbird.com" and -d cnrainbird.com in the dns-01 request; certbot then asks for two TXT records under _acme-challenge.cnrainbird.com, and both must exist at the same time.)

Request the primary domain certificate

For the wildcard certificate we used the manual + DNS method.

For the primary domain we can use automatic validation instead: the webroot plugin (http-01 challenge) writes a token file under <webroot>/.well-known/acme-challenge/ and Let's Encrypt fetches it over plain HTTP on port 80. The -w path must therefore be the document root that nginx serves for cnrainbird.com; here /opt/certbot is that default site root, i.e. the directory you reach by browsing to the server's IP or bare domain.

./certbot-auto certonly \
--preferred-challenges http \
-d cnrainbird.com \
--webroot -w /opt/certbot

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cnrainbird.com
Using the webroot path /opt/certbot for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cnrainbird.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cnrainbird.com-0001/privkey.pem
   Your cert will expire on 2020-06-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The primary domain certificate is obtained fully automatically, with no interaction. Because the lineage name cnrainbird.com was already taken by the wildcard certificate, certbot stored this one as cnrainbird.com-0001:

/etc/letsencrypt/live/cnrainbird.com-0001/fullchain.pem
/etc/letsencrypt/live/cnrainbird.com-0001/privkey.pem

Generate dhparams

Generating dhparams using the openssl tool

openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048

Nginx Configuration

blog.cnrainbird.com.conf Configuration:

server {
    server_name blog.cnrainbird.com;
    listen 443 ssl;   # "ssl on;" is deprecated; enable TLS on the listen directive instead
    ssl_certificate /etc/letsencrypt/live/cnrainbird.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cnrainbird.com/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparams.pem;
    # TLS 1.0 and 1.1 are deprecated; TLSv1.3 needs nginx built against OpenSSL 1.1.1 or later
    ssl_protocols TLSv1.2 TLSv1.3;
    # forward-secret suites only; the RC4 entries in the original list were already cancelled by !RC4
    ssl_ciphers "EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # HSTS: add only once the http->https redirect is in place; omit includeSubDomains unless every subdomain serves TLS
    add_header Strict-Transport-Security "max-age=31536000" always;
}

Then reload nginx so it picks up the new configuration:

/etc/init.d/nginx reload
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.

Force a jump to https

Now that the certificates are in place, answer plain-HTTP requests with a 301 redirect to HTTPS. (The http-01 validation for cnrainbird.com tolerates this: Let's Encrypt follows redirects to HTTPS, so webroot renewal keeps working as long as /.well-known/acme-challenge/ is served from the same webroot on the HTTPS side.)

server {
    server_name blog.cnrainbird.com;
    listen 80;
    return 301 https://$server_name$request_uri;
}

Certificate Update

This is the easy part. To renew every certificate that is within 30 days of expiry:

./certbot-auto renew

To renew a single certificate, select it by lineage name (the directory name under /etc/letsencrypt/live, listed by certbot-auto certificates) rather than with -d, which the renew subcommand does not accept; add --dry-run to rehearse against the staging environment first:

./certbot-auto renew --cert-name cnrainbird.com

crontab adds scheduled tasks

# Try renewal every other day at 02:45 (fields: minute hour day-of-month month weekday; */2 in the
# day-of-month field means every second day, not every two months). certbot-auto renew only replaces
# certificates within 30 days of expiry, and the deploy hook reloads nginx only when one was replaced.
45 2 */2 * * cd /opt/certbot && ./certbot-auto renew --deploy-hook "/etc/init.d/nginx reload"
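The reload step can be made safer still. The following deploy-hook script is an added example, not part of the original post: certbot runs it after each successful renewal with RENEWED_LINEAGE set to the renewed lineage's live directory, and it reloads nginx only after checking that the new fullchain.pem and privkey.pem belong together, that the new certificate is not about to expire, and that the nginx configuration still passes nginx -t. The path /opt/certbot/reload-nginx.sh and the 30-day threshold are my assumptions.

```sh
#!/bin/sh
# reload-nginx.sh: deploy hook for
#   ./certbot-auto renew --deploy-hook /opt/certbot/reload-nginx.sh
# certbot runs it once per renewed lineage with RENEWED_LINEAGE set to the
# live directory (e.g. /etc/letsencrypt/live/cnrainbird.com). Added example,
# not from the original post.
set -u

# keypair_matches CERT KEY
# Succeeds only if the first certificate in CERT carries the public key that
# belongs to KEY. Catches a lineage whose privkey.pem and fullchain.pem have
# drifted apart (e.g. after a bad restore); nginx would refuse such a pair.
keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS
# Succeeds if CERT is still valid DAYS from now; a freshly renewed
# Let's Encrypt certificate should have close to 90 days left.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# reload_nginx
# Validate the configuration first: a broken config would make the reload
# fail silently from cron while the old certificate keeps being served.
reload_nginx() {
    nginx -t >/dev/null 2>&1 || {
        echo "nginx -t failed, not reloading" >&2; return 1; }
    nginx -s reload
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    cert="$RENEWED_LINEAGE/fullchain.pem"
    key="$RENEWED_LINEAGE/privkey.pem"
    keypair_matches "$cert" "$key" || {
        echo "$cert does not match $key, not reloading" >&2; exit 1; }
    cert_valid_for_days "$cert" 30 || {
        echo "$cert expires within 30 days, renewal produced a stale cert?" >&2; exit 1; }
    reload_nginx
fi
```

A non-zero exit from the hook makes certbot report the renewal as failed, so the problem shows up in the cron mail and in /var/log/letsencrypt/letsencrypt.log instead of being noticed when the old certificate expires.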

Result in Safari

That's all.

Tags: Linux Nginx DNS SSL OpenSSL

Posted on Wed, 18 Mar 2020 19:46:55 -0400 by neogranas