Let's Encrypt

安裝

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update

Nginx

$ sudo apt-get install python-certbot-nginx

Apache

$ sudo apt-get install python-certbot-apache

執行憑證驗證

$ sudo certbot

自動更新憑證

更新憑證

sudo certbot renew

測試更新憑證

sudo certbot renew --dry-run

Crontab 自動更新

需要輸入完整執行檔案名稱，然後指定需要自動更新時間

30 2 * * 1  certbot renew

/etc/ssl/certs/dhparam.pem

在安裝 SSL 憑證時，會出現下列訊息時，可以使用 openssl 去新增 dhparam.pem 憑證

nginx: [emerg] BIO_new_file("/etc/ssl/certs/dhparam.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/certs/dhparam.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

使用下列指令可以新增 dhparam.pem 憑證

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

移除指定憑證

如果不需要 SSL 憑證了，可以使用下列指令將網域移除

sudo certbot delete --cert-name kejyun.com

解決 certbot-auto 版本過舊問題

在使用舊版 certbot-auto 安裝憑證時，因為 certbot-auto 會自動更新自己的版本，導致發生 python 版本過舊導致無法驗證憑證

Installing Python packages...
/opt/eff.org/certbot/venv/bin/python: No module named pip.__main__; 'pip' is a package and cannot be directly executed
Traceback (most recent call last):
  File "/tmp/tmp.OGGbtieawI/pipstrap.py", line 177, in <module>
    sys.exit(main())
  File "/tmp/tmp.OGGbtieawI/pipstrap.py", line 149, in main
    pip_version = StrictVersion(check_output([python, '-m', 'pip', '--version'])
  File "/usr/lib/python2.7/subprocess.py", line 544, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '['/opt/eff.org/certbot/venv/bin/python', '-m', 'pip', '--version']' returned non-zero exit status 1

可以使用 --no-self-upgrade 參數，讓 certbot-auto 不要自動更新版本

wget https://raw.githubusercontent.com/certbot/certbot/75499277be6699fd5a9b884837546391950a3ec9/certbot-auto
chmod +x ./certbot-auto
./certbot-auto --no-self-upgrade

執行 certbot 出現錯誤 Another instance of Certbot is already running

在執行 certbot 時出錯錯誤的訊息

Another instance of Certbot is already running

Certbot 不正常關閉，導致原本的 .certbot.lock 檔案還存在於主機中，此時可以透過下方指令找出 .certbot.lock 檔案是否還存在

find / -type f -name ".certbot.lock"

若檔案存在，則可以用下列指令移除所有 .certbot.lock 檔案

find / -type f -name ".certbot.lock" -exec rm {} \;

移除後再次執行 certbot 就可以正常執行了

參考資料

• How to install Certbot on Ubuntu 16.04 (Auto Cert Renew!) - Ceos3c
• How To Secure Nginx with Let's Encrypt on Ubuntu 16.04 | DigitalOcean
• Get Certbot — Certbot 0.25.0.dev0 documentation
• How To Secure Nginx with Let's Encrypt on Ubuntu 16.04 | DigitalOcean
• How To Secure Apache with Let's Encrypt on Ubuntu 16.04 | DigitalOcean
• SSL and nginx missing file: /etc/ssl/certs/dhparam.pem · Issue #10 · ummjackson/mastodon-guide
• Correct Way to Delete a Certbot SSL Certificate – Matthew Hagemann – Medium
• With 0.32.0, certbot-auto stopped working for some EOL distributions · Issue #6824 · certbot/certbot · GitHub
• Another instance of Certbot is already running - Solved - Linux guru