`Requirement for installing certbot with pip: Python 3 with a working ssl module (verify with import ssl). If the current environment already satisfies this, skip straight to section 3, installing certbot.`
#### 1. Install OpenSSL
```bash
## Download the OpenSSL source. 1.1.1a is the release this tutorial was written against;
## the 1.1.1 branch is now end-of-life, so pick a currently supported release for a new build.
wget https://www.openssl.org/source/openssl-1.1.1a.tar.gz
tar -xzvf openssl-1.1.1a.tar.gz  ## unpack
# Configure, build and install; the install prefix is /usr/local/openssl
cd openssl-1.1.1a
./config -t                                        # test mode: show what would be configured, change nothing
./config shared zlib --prefix=/usr/local/openssl   # shared libraries, zlib support
make depend
make && make install
# Create the /usr/local/ssl link that the Python Modules/Setup snippet refers to
ln -s /usr/local/openssl /usr/local/ssl
# Register the library directory with the dynamic linker. Caveat: paths in /etc/ld.so.conf are
# searched before /lib and /usr/lib, so any system binary linked against libssl.so.1.1 will
# resolve to this build from now on.
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig
# Put the new openssl binary on PATH by appending to /etc/profile
# (the backslashes keep the $ signs literal inside the heredoc)
cat >> /etc/profile <<EOF
export OPENSSL=/usr/local/openssl/bin
export PATH=\$OPENSSL:\$PATH:\$HOME/bin
EOF
```
#### 2. Install Python 3
```bash
wget https://www.python.org/ftp/python/3.9.2/Python-3.9.2.tgz  # download Python 3.9
tar zxvf Python-3.9.2.tgz  # unpack
cd Python-3.9.2
```
Edit `Modules/Setup` in the Python source tree and uncomment the socket and SSL lines, pointing `SSL` at the link created above. On Python 3.7 and later this step is optional: the `./configure --with-openssl=...` call below is enough on its own, and the edit is only needed if configure cannot find the library.
```makefile
# Socket module helper for socket(2): builds the _socket module from socketmodule.c
_socket socketmodule.c

# Socket module helper for SSL support; you must comment out the other
# socket line above, and possibly edit the SSL variable.
# Builds the _ssl module from _ssl.c against the OpenSSL installed above
# (/usr/local/ssl is the symlink to /usr/local/openssl). Comments stay on
# their own lines: a comment after a trailing backslash breaks the continuation.
SSL=/usr/local/ssl
_ssl _ssl.c \
	-DUSE_SSL -I$(SSL)/include -I$(SSL)/include/openssl \
	-L$(SSL)/lib -lssl -lcrypto
```
```bash
# --with-openssl: where the OpenSSL headers and libraries live (option added in Python 3.7)
# --enable-optimizations: profile-guided optimisation; slower to compile, faster at runtime
# --with-ssl-default-suites: which cipher-suite string the ssl module uses by default;
#   "python" (the default) is Python's preferred list, "openssl" keeps OpenSSL's own defaults.
#   It does not choose which OpenSSL gets linked; --with-openssl does that.
./configure --with-openssl=/usr/local/openssl \
            --enable-optimizations \
            --with-ssl-default-suites=python
make
# make install puts python3 into /usr/local/bin; use `make altinstall` instead if a
# distro-packaged python3 must not be shadowed
make install
```
##### Test Python's ssl module
```python
import ssl
print(ssl.OPENSSL_VERSION)  # should report the 1.1.1a build from /usr/local/openssl, not the distro's OpenSSL
```
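A bare `import ssl` only proves the module loads. The following added self-test (example code, not from this page) also reports which OpenSSL the module is linked against and drives a real TLS handshake through it in memory, so no network or nginx is needed. It assumes Python 3.7 or later and an `openssl` binary on PATH for a throwaway certificate; `tls_self_test()` returns None when that binary is unusable.

```python
"""Self-test for a source-built python3: which OpenSSL the ssl module links, and
whether it can complete a TLS 1.2+ handshake while refusing a TLS 1.1 client.
Added example, not part of the page; assumes Python >= 3.7 and an openssl CLI."""
import os
import shutil
import ssl
import subprocess
import tempfile

MIN_OPENSSL = (1, 1, 1)  # first OpenSSL release line with TLS 1.3 support


def ssl_build_report() -> dict:
    """Facts that a bare `import ssl` does not reveal about the linked OpenSSL."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # same floor as the nginx config later on this page
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "modern_enough": ssl.OPENSSL_VERSION_INFO[:3] >= MIN_OPENSSL,
        "tls13": ssl.HAS_TLSv1_3,
        "min_version_name": ctx.minimum_version.name,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


def _self_signed(tmpdir: str) -> tuple:
    """Throwaway localhost key/cert from the openssl CLI (the one just built, if first on PATH)."""
    key = os.path.join(tmpdir, "key.pem")
    cert = os.path.join(tmpdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
         "-keyout", key, "-out", cert],
        check=True, capture_output=True,
    )
    return cert, key


def _handshake(client_ctx, server_ctx, hostname: str = "localhost") -> str:
    """Shuttle bytes between a client and a server SSLObject over MemoryBIOs until
    both sides finish the handshake; returns the negotiated protocol name."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    done = {"client": False, "server": False}
    for _ in range(20):
        for name, obj, src, dst in (("client", client, c_out, s_in), ("server", server, s_out, c_in)):
            if not done[name]:
                try:
                    obj.do_handshake()
                    done[name] = True
                except ssl.SSLWantReadError:
                    pass  # needs the peer's next flight first
            pending = src.read()
            if pending:
                dst.write(pending)
        if all(done.values()):
            return client.version()
    raise RuntimeError("handshake did not complete")


def tls_self_test():
    """Negotiate TLS 1.2+ through the freshly built ssl module and check that a client
    limited to TLS 1.1 is refused. Returns None when no openssl CLI is usable."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        try:
            cert, key = _self_signed(tmp)
        except subprocess.CalledProcessError:
            return None
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        server_ctx.load_cert_chain(cert, key)

        client_ctx = ssl.create_default_context(cafile=cert)  # trust only the throwaway cert
        negotiated = _handshake(client_ctx, server_ctx)

        legacy_ctx = ssl.create_default_context(cafile=cert)
        try:
            legacy_ctx.minimum_version = ssl.TLSVersion.TLSv1
            legacy_ctx.maximum_version = ssl.TLSVersion.TLSv1_1  # what an old client would offer
            _handshake(legacy_ctx, server_ctx)
            rejected = False
        except (ssl.SSLError, ValueError):  # refused by the server, or TLS 1.1 not even configurable here
            rejected = True
    return {"negotiated": negotiated, "legacy_client_rejected": rejected}


if __name__ == "__main__":
    print(ssl_build_report())
    print(tls_self_test())
```

Run it with the python3 you just built; if `modern_enough` is False or `openssl_version` names the distro library, the interpreter was linked against the wrong OpenSSL and the `--with-openssl` path or the `ld.so.conf` entry needs checking.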
#### 3. Install certbot
##### Create a Python virtual environment
```bash
python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install --upgrade pip
```
##### Install the certbot packages
```bash
/opt/certbot/bin/pip install certbot certbot-nginx
ln -s /opt/certbot/bin/certbot /usr/bin/certbot
```
There are two ways for certbot to obtain a certificate.
`Method 1: let certbot's nginx plugin handle the validation`
```bash
# certonly: obtain the certificate without installing it into the nginx config.
# The nginx plugin answers the HTTP-01 challenge by temporarily editing the running
# nginx configuration, so nginx must be reachable from the internet on port 80.
certbot certonly --nginx
```
`Method 2: webroot file validation`
Add the challenge location to the nginx server block. The CA fetches the HTTP-01 challenge over plain HTTP on port 80, so the location belongs in the port-80 server block, not the 443 one (which cannot serve TLS before the first certificate exists anyway).
```nginx
server {
    listen 80;
    server_name ynotes.cn www.ynotes.cn;
    ...
    # webroot validation directory: certbot writes the challenge token file here
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }
}
```
Obtain the certificate with the webroot method
```bash
# Request both names listed in server_name. The first name becomes the directory name
# under /etc/letsencrypt/live/, which the nginx TLS config below relies on.
certbot certonly --webroot --agree-tos --email sheyinsong@qq.com --webroot-path /var/www/letsencrypt --domains www.ynotes.cn,ynotes.cn
```
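What the `--webroot` authenticator actually does with that directory, plus a pre-flight probe worth running before asking the CA, as an added example (not certbot's code and not from the original page). The token and the account JWK are constructed for illustration and the modulus is filler, not a real key; the webroot path and base URL are whatever your nginx serves.

```python
"""HTTP-01 webroot mechanics (RFC 8555 section 8.3) and a pre-flight probe.
Added example, not certbot's implementation; inputs below are constructed."""
import base64
import hashlib
import json
import os
import tempfile
import urllib.request

ACME_DIR = ".well-known/acme-challenge"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the key's required members only
    (extra members such as "alg" or "kid" are ignored, keys sorted, no whitespace)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the file body the CA expects is token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def place_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """Write the challenge file where the nginx location above serves it, i.e. at
    http://<domain>/.well-known/acme-challenge/<token>, which the CA fetches on port 80."""
    path = os.path.join(webroot, ACME_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def preflight(webroot: str, base_url: str, timeout: float = 5.0) -> bool:
    """Drop a random probe file into the webroot and fetch it back through nginx.
    If this returns False, certbot's HTTP-01 validation will fail for the same reason."""
    probe = b64url(os.urandom(16))
    path = os.path.join(webroot, ACME_DIR, probe)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(probe)
    try:
        with urllib.request.urlopen(f"{base_url}/{ACME_DIR}/{probe}", timeout=timeout) as resp:
            return resp.status == 200 and resp.read().decode("ascii").strip() == probe
    except (OSError, ValueError):
        return False
    finally:
        os.remove(path)


# Constructed inputs for the demonstration: a token-shaped string and a JWK shaped
# like an RSA account key whose modulus is filler, not real key material.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z"}


def demo() -> dict:
    """Run the flow in a throwaway webroot; the probe targets a port nothing listens on."""
    with tempfile.TemporaryDirectory() as webroot:
        path = place_challenge(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        with open(path, encoding="ascii") as fh:
            body = fh.read()
        served = preflight(webroot, "http://127.0.0.1:9")  # expect False: nothing serves it
        return {"relative_path": os.path.relpath(path, webroot), "body": body, "served": served}


if __name__ == "__main__":
    print(demo())
```

Against the real host, `preflight("/var/www/letsencrypt", "http://ynotes.cn")` run from outside the network tells you whether port 80 and the `location ^~ /.well-known/acme-challenge/` block are reachable before certbot consumes a rate-limited validation attempt.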
Configure the SSL certificate in nginx. Keep the port-80 server block with the challenge location from the previous step: renewals go through it.
```nginx
server {
    listen 443 ssl;   # "ssl on;" is deprecated since nginx 1.15.0; enable TLS on the listen directive
    server_name ynotes.cn www.ynotes.cn;
    ssl_certificate /etc/letsencrypt/live/www.ynotes.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.ynotes.cn/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLS 1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
    # !kRSA drops static-RSA key exchange so every TLS 1.2 suite offered has forward secrecy
    ssl_ciphers HIGH:!aNULL:!MD5:!kRSA;
    ssl_prefer_server_ciphers on;
    location ^~ / {
        root /var/www/html/v3/ynotes.cn;
    }
    error_page 500 502 503 504 /50x.html;
    error_page 404 https://www.ynotes.cn/;
    location = /50x.html {
        root html;
    }
}
```
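The directives that changed above are the ones that usually rot in copied-around nginx configs. The following added example (not from the page) is a small audit that flags them; the weak sample is constructed to match the settings this section started from (`ssl on` with a plain `listen 443`, TLS 1.0/1.1 enabled, a keyword-only cipher string). It strips `#` comments and matches directives by name, so it understands the one-directive-per-statement style used here and nothing fancier.

```python
"""Audit the TLS directives of an nginx server block. Added example, not from the page;
the sample configs are constructed."""
import re

DIRECTIVE = re.compile(r"\b(listen|ssl|ssl_protocols|ssl_ciphers)\s+([^;]*);")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
CATCHALL = ("ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT")


def audit_nginx_tls(config_text: str) -> list:
    """Return (code, detail) findings for one server block, in a fixed order."""
    text = re.sub(r"#[^\n]*", "", config_text)  # drop comments so "# ssl on;" is not a hit
    listens, ssl_on, protocols, ciphers = [], False, None, None
    for m in DIRECTIVE.finditer(text):
        name, args = m.group(1), m.group(2).split()
        if name == "listen":
            listens.append(args)
        elif name == "ssl":
            ssl_on = args[:1] == ["on"]
        elif name == "ssl_protocols":
            protocols = args
        elif name == "ssl_ciphers":
            ciphers = "".join(args)
    findings = []
    if ssl_on:
        findings.append(("ssl_on_deprecated", "`ssl on;` is deprecated since nginx 1.15.0; use `listen 443 ssl;`"))
    for args in listens:
        if args and args[0].endswith("443") and "ssl" not in args and not ssl_on:
            findings.append(("plaintext_on_443", f"`listen {' '.join(args)}` has no ssl parameter: port 443 speaks plain HTTP"))
    if protocols:
        legacy = [p for p in protocols if p in LEGACY_PROTOCOLS]
        if legacy:
            findings.append(("legacy_protocols", "deprecated by RFC 8996: " + " ".join(legacy)))
        if "TLSv1.3" not in protocols:
            findings.append(("no_tls13", "TLSv1.3 not offered (needs nginx >= 1.13.0 built with OpenSSL >= 1.1.1)"))
    if ciphers:
        positives = [c.lstrip("+") for c in ciphers.split(":") if not c.startswith(("!", "-"))]
        if any(c in CATCHALL for c in positives) and "!kRSA" not in ciphers:
            findings.append(("catchall_ciphers", "keyword lists such as HIGH include static-RSA key exchange "
                                                 "(no forward secrecy); add !kRSA or list ECDHE suites explicitly"))
    return findings


# Constructed samples: the settings this section started from, and the hardened form.
WEAK_SAMPLE = """
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""
HARDENED_SAMPLE = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5:!kRSA;
}
"""

if __name__ == "__main__":
    for code, detail in audit_nginx_tls(WEAK_SAMPLE):
        print(f"{code}: {detail}")
    print("hardened findings:", audit_nginx_tls(HARDENED_SAMPLE))
```

Point it at a real file with `audit_nginx_tls(open("/etc/nginx/sites-enabled/ynotes.cn").read())`; a block that passes this audit still deserves a run of `nginx -t` and an external TLS scan, since the check knows nothing about the certificate chain or OCSP.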
Add a scheduled task
```bash
# Twice a day, after a random delay of up to an hour, attempt renewal; certbot only renews
# certificates that are within 30 days of expiry. The webroot authenticator does not reload
# nginx, so a deploy hook is needed for the renewed certificate to actually be served
# (the --nginx authenticator reloads nginx by itself).
echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q --deploy-hook 'systemctl reload nginx'" | sudo tee -a /etc/crontab > /dev/null
```