[Ubuntu] 使用 Certbot 自動更新 Let's Encrypt 憑證

SSL For Free 是一個可以申請免費 SSL 憑證的網站，只需要準備自己的網域名稱就可以申請為期三個月的免費 SSL 憑證，小小的缺點是憑證過期後需要重新申請憑證，並且更換伺服器的舊憑證。而 Certbot 是一個可以簡化申請流程，又可以在憑證過期之前自動更新憑證的超方便工具。

透過 certbot.eff.org 快速安裝

Certbot 官方網站很貼心的做了一個快速指引，只需要選擇你現在使用的 OS 與 HTTP Server，就會列出安裝指令讓你直接複製貼上輕鬆安裝，不過比較新一點版本的 OS 可能還不支援。

選擇好 OS 與 HTTP Server 後，就一步一步複製指令開始安裝吧！本文以 Ubuntu 16.04 + Apache HTTP Server 實作。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12


# 安裝軟體管理套件
sudo apt-get install -y software-properties-common

# 加入 certbot ppa repository，並透過 apt-get update 取得套件資訊
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

# 安裝 certbot for apache
sudo apt-get install -y python-certbot-apache 

# 開始進行 Apache 的憑證安裝
sudo certbot --apache

如果執行時出現類似這種訊息 (例如走 nginx 安裝):
1
2
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested nginx plugin does not appear to be installed
需要另外安裝外掛程式，可以使用 apt search python-certbot 或 apt search python3-certbot 查詢相關套件名稱並安裝。

當輸入到 sudo certbot –apache 時，系統會進入對談式的安裝程序，Certbot 會掃描 HTTP Server 的設定，根據掃描結果列出主機上所擁有的網域，並且詢問要為哪些網域安裝憑證。可以同時選擇多個網域，每個網域以空白或是逗號分隔。如果直接 Enter，就會替所有網域都安裝憑證。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: caloskao.org
2: blog.caloskao.org
3: www.caloskao.org
4: example.caloskao.org
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel):

選擇安裝網域後，接下來 Certbot 會複製原始設定檔並加入 SSL 相關設定後，同時幫你啟用新的設定檔。

1
2
3
4
5
6
7
8


Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge caloskao.org
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/caloskao.org-le-ssl.conf
Deploying Certificate for caloskao.org to VirtualHost /etc/apache2/sites-available/caloskao.org-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/caloskao.org-le-ssl.conf

第二個問題是要不要將所有的 HTTP Request 全部重導向到 HTTPS，建議如果沒有特殊需求，就選擇 2 全部都轉過去吧。

1
2
3
4
5
6
7
8


Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

最後就是恭喜你設定完成，現在你可以使用 HTTPS 開啟你的網站試試看。並且顯示憑證檔案的系統路徑以及逾期時間。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20


-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://caloskao.org

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=caloskao.org
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/caloskao.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/caloskao.org/privkey.pem
   Your cert will expire on 2018-03-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

安裝後的確認工作

前面的訊息同時也提醒你可以利用 SSL Labs 的 SSL Test 測試你的網站是否正確安裝了 SSL 憑證，用瀏覽器開啟 Certbot 提供的網址，就可以看到測試結果。

Certbot 預設會啟動自動更新，輸入 sudo systemctl status certbot.timer 確認自動更新有沒有正常執行：

1
2
3
4
5
6


sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
   Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
   Active: active (waiting) since Thu 2018-06-21 09:02:48 CST; 6 days ago

Jun 21 09:02:48 apps-csie systemd[1]: Started Run certbot twice daily.

你可以透過 sudo certbot renew --dry-run 指令測試 Cerbot 是否能夠正常執行憑證更新。移除參數 --dry-run 就會正常執行，會覆蓋舊憑證。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28


sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/caloskao.org.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for caloskao.org
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/caloskao.org/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/caloskao.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------

透過 certbot.eff.org 快速安裝

安裝後的確認工作

References: