# Installing and Using certbot

By [Mongo](https://paragraph.com/@mongo) · 2021-11-06

---

certbot works with nginx to automate the configuration and renewal of SSL certificates.

Environment: Ubuntu 20.04, 2 cores, 4 GB RAM. Package version: gitlab-ce\_13.8.4 arm64. File system: Linux ext4.

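Table of Contents
==

*   Prerequisites

*   Download and install

*   Configure nginx

*   Generate the certificate with certbot

    *   Possible errors

*   Check the new nginx configuration

*   References

*   Using on Windows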
    

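Prerequisites
-----

*   nginx is already installed on this machine and was compiled with the SSL module, `--with-http_ssl_module`.
*   You already have a domain name, and its DNS record resolves to this machine.
*   The firewall allows the HTTP and HTTPS ports you want to configure; ports 80 and 443 are used here as examples.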

Download and Install
----

    sudo apt-get update
    sudo apt-get install -y certbot python3-certbot-nginx
    

Configure nginx
-------

First set up a plain HTTP version of the site yourself, for example:

    server {
        listen 80 default_server;
        root /var/www/html;
        server_name example.com www.example.com;
    }
    

Reload nginx with `nginx -t && nginx -s reload`, then test access to `http://example.com`.

Generate the Certificate with certbot
------------

`sudo certbot --nginx -d example.com -d www.example.com`

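Possible Errors
-------

1.  Could not find a usable 'nginx' binary

    certbot cannot find nginx because the binary is not on the PATH. Create symlinks for nginx:

        ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
        # -b keeps a backup of any existing /etc/nginx/nginx.conf
        ln -sb /usr/local/nginx/conf/nginx.conf /etc/nginx/nginx.conf
        
    
2.  Nginx build is missing SSL module (--with-http\_ssl\_module).
    
    nginx is missing the module; recompile nginx:
    
        cd /opt/software/nginx-1.18.0
        # re-add any other options the existing build used (shown by `nginx -V`)
        ./configure --with-http_ssl_module
        make && make install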
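
As an added example (not from the original post), this shell preflight checks for both errors above before certbot is run. The function names, return codes and the `SRC_NGINX` variable are assumptions made for illustration; its default is the source-build path used in the symlink command above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: preflight for the two certbot
# errors listed above. SRC_NGINX (an assumed variable) defaults to the
# source-build path that the post symlinks from.
SRC_NGINX=${SRC_NGINX:-/usr/local/nginx/sbin/nginx}

# has_ssl_module TEXT: succeed if the `nginx -V` output in TEXT lists the SSL module.
has_ssl_module() {
    printf '%s\n' "$1" | grep -q -e '--with-http_ssl_module'
}

# preflight [NGINX]: 0 = ready for certbot, 1 = no nginx binary found,
#   2 = nginx exists at SRC_NGINX but is not on PATH, 3 = built without SSL module.
preflight() {
    bin=${1:-nginx}
    if ! command -v "$bin" >/dev/null 2>&1; then
        if [ -x "$SRC_NGINX" ]; then
            echo "nginx exists at $SRC_NGINX but is not on PATH; symlink it into /usr/bin" >&2
            return 2
        fi
        echo "no nginx binary found" >&2
        return 1
    fi
    # nginx -V prints its configure arguments on stderr, so merge stderr into stdout.
    if ! has_ssl_module "$("$bin" -V 2>&1)"; then
        echo "$bin was built without --with-http_ssl_module; recompile it" >&2
        return 3
    fi
    echo "$bin is on PATH and has the SSL module" >&2
    return 0
}
```

Source the file and call `preflight` before `sudo certbot --nginx ...`; a non-zero return code tells you which of the two fixes above applies.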
        
    

When certbot succeeds, it prints output like this:

    Congratulations! You have successfully enabled https://example.com and https://www.example.com 
    
    -------------------------------------------------------------------------------------
    IMPORTANT NOTES: 
    
    Congratulations! Your certificate and chain have been saved at: 
    /etc/letsencrypt/live/example.com/fullchain.pem 
    Your key file has been saved at: 
    /etc/letsencrypt/live/example.com//privkey.pem
    Your cert will expire on 2017-12-12.
    

Test access to `https://example.com`.

Check the New nginx Configuration
-----------

It should look similar to this:

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        server_name  example.com www.example.com;
    
        listen 443 ssl; # managed by Certbot
    
        # RSA certificate
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    
        # Redirect non-https traffic to https
        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        } # managed by Certbot
    }
    

References
----

[Using Let's Encrypt with NGINX](https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/)

[Free HTTPS certificates for nginx (certbot)](https://my.oschina.net/blueskyer/blog/3220726)

Using on Windows
----------

Follow these two documents to configure it:

[Official documentation](https://certbot.eff.org/lets-encrypt/windows-nginx)

[Domain validation methods](https://letsencrypt.org/zh-cn/docs/challenge-types/)

Run:

    certbot certonly --webroot

---

*Originally published on [Mongo](https://paragraph.com/@mongo/certbot)*
