About Certbot

What is Certbot? Certbot is a free, open-source software tool for automatically using Let's Encrypt certificates to enable HTTPS on manually administered websites.

Certbot is made by the Electronic Frontier Foundation (EFF), a 501(c)3 non-profit based in San Francisco, California, that defends digital privacy, free speech, and innovation.

Is Certbot right for me? If you want the security and privacy benefits of an HTTPS certificate on your website, you may not need Certbot. Many hosting providers have built-in tools to enable HTTPS. Before using Certbot, check whether your hosting provider is one of them.


Put simply, Certbot is the client tool for Let's Encrypt, the free, automated and open certificate-issuing service; it is written in Python.

Next, using a CentOS 7 and Nginx environment, here is how to install and use certbot.

1. Install pyOpenSSL

  1. First remove the existing pyOpenSSL: sudo yum erase pyOpenSSL

  2. Search for pyOpenSSL at http://rpm.pbone.net/index.php3/stat/2/simple/2

  3. Download the chosen file:

     https://blog.8090top.cn/upload/2019/11/python2-pyOpenSSL-16.2.0-3.el7.noarch-3e7802097b4e4c8c949af04dcfe7e773.rpm

  4. Install it: sudo rpm -Uvh python2-pyOpenSSL-16.2.0-3.el7.noarch.rpm

2. Install certbot

A single command is enough:

sudo yum install certbot certbot-nginx

3. Use certbot

Using it is just as easy: run the command and follow the prompts: certbot --nginx

The steps I ran on my server

[root@iZbp18nyz28va2zwadft2qZ sbin]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): yu902650@163.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): c
Please specify --domains, or --installer that will help in domain names autodiscovery, or --cert-name for an existing certificate name.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
[root@iZbp18nyz28va2zwadft2qZ sbin]# 
[root@iZbp18nyz28va2zwadft2qZ sbin]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: blog.8090top.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for blog.8090top.cn
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Future versions of Certbot will automatically configure the webserver so that all requests redirect to secure HTTPS access. You can control this behavior and disable this warning with the --redirect and --no-redirect flags.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://blog.8090top.cn

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=blog.8090top.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/blog.8090top.cn/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/blog.8090top.cn/privkey.pem
   Your cert will expire on 2020-02-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@iZbp18nyz28va2zwadft2qZ sbin]# 
[root@iZbp18nyz28va2zwadft2qZ sbin]# 

1. which nginx: if the result is "not in ..." then your nginx still needs to be set up.
I reinstalled nginx.
Then I added:
  ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
  ln -s /usr/local/nginx/conf/ /etc/nginx

Run which nginx again:
[root@iZbp18nyz28va2zwadft2qZ sbin]# which nginx
/usr/bin/nginx

nginx is OK
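The symlink fix above, written as a guarded shell function (an added example, not code from the original post). The optional root prefix is an assumed parameter so the function can be exercised on a scratch directory; with no argument it acts on the post's real paths, does nothing when nginx is already on PATH, and refuses to clobber an existing /etc/nginx (ln -s into an existing directory would silently create /etc/nginx/conf instead of the link the certbot nginx plugin expects).

```shell
#!/bin/sh
# Added example: expose a source-built nginx to certbot's nginx plugin.
# Real paths from the post:
#   /usr/local/nginx/sbin/nginx -> /usr/bin/nginx
#   /usr/local/nginx/conf       -> /etc/nginx
# $1 (assumed, optional) is a root prefix for testing on a scratch dir.
set -u

link_nginx_for_certbot() {
    root="${1:-}"                      # "" means the live filesystem
    bin_src="$root/usr/local/nginx/sbin/nginx"
    conf_src="$root/usr/local/nginx/conf"
    bin_dst="$root/usr/bin/nginx"
    conf_dst="$root/etc/nginx"

    # The post's `which nginx` check: nothing to do if it is already on PATH.
    if [ -z "$root" ] && command -v nginx >/dev/null 2>&1; then
        echo "nginx already on PATH: $(command -v nginx)"
        return 0
    fi
    [ -x "$bin_src" ] || { echo "no nginx binary at $bin_src" >&2; return 1; }
    [ -d "$conf_src" ] || { echo "no nginx conf dir at $conf_src" >&2; return 1; }

    mkdir -p "$root/usr/bin" "$root/etc"
    # Create only links that do not exist yet; never overwrite.
    if [ -e "$bin_dst" ]; then
        echo "$bin_dst exists, leaving it alone"
    else
        ln -s "$bin_src" "$bin_dst"
    fi
    if [ -e "$conf_dst" ]; then
        echo "$conf_dst exists, leaving it alone"
    else
        ln -s "$conf_src" "$conf_dst"
    fi
    [ -L "$bin_dst" ] && [ -L "$conf_dst" ]
}

# What certbot --nginx relies on afterwards: an executable nginx and the
# config it will edit at /etc/nginx/nginx.conf (the VirtualHost path in the log).
verify_nginx_layout() {
    root="${1:-}"
    [ -x "$root/usr/bin/nginx" ] && [ -f "$root/etc/nginx/nginx.conf" ]
}
```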

Test the result at https://www.ssllabs.com/ssltest/analyze.html?d= followed by the domain shown above.
