certbot

(base) a@test:~# certbot --help

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
                    expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  (the certbot apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
                    hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
                    to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-path or --cert-name)
    delete          Delete a certificate

manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
    update_account  Update a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(base) a@test:~# nginx -t^C
(base) a@test:~# ^C
(base) a@test:~# ^C
(base) a@test:~# certbot run -d a.test.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for a.test.com
Using default address 80 for authentication.
Waiting for verification...
Cleaning up challenges
Could not automatically find a matching server block for a.test.com. Set the `server_name` directive to use the Nginx installer.

IMPORTANT NOTES:
- Unable to install the certificate
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/a.test.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/a.test.com/privkey.pem
Your cert will expire on 2020-10-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
(base) a@test:~#

Certbot - Ubuntuother Nginx https://certbot.eff.org/lets-encrypt/ubuntuother-nginx

(base) a@test:~# certbot run -d a.test.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/a.test.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
nginx: [warn] conflicting server name "test.com" on 0.0.0.0:443, ignored

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
No matching insecure server blocks listening on port 80 found.
nginx: [warn] conflicting server name "test.com" on 0.0.0.0:443, ignored

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://a.test.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=a.test.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/a.test.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/a.test.com/privkey.pem
Your cert will expire on 2020-10-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

(base) a@test:~#

(base) root@SIT:/etc/nginx/sites-enabled/test# cat www.test.com.conf
server {
    server_name www.test.com;
    root /root/oo_game_official_website_pc_Tmp_domain/oo_game_official_website_pc/dist/;
}
(base) root@SIT:/etc/nginx/sites-enabled/test# certbot run -d www.test.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.test.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.test.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.test.com - check that a DNS record exists for this domain

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: www.test.com
Type:   None
Detail: DNS problem: NXDOMAIN looking up A for www.test.com -
check that a DNS record exists for this domain
(base) root@SIT:/etc/nginx/sites-enabled/test# certbot run -d www.test.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.test.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/test/www.test.com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/test/www.test.com.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.test.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.test.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.test.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.test.com/privkey.pem
Your cert will expire on 2020-10-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

(base) root@SIT:/etc/nginx/sites-enabled/test# cat www.test.com.conf
server {
    server_name www.test.com;
    root /root/oo_game_official_website_pc_Tmp_domain/oo_game_official_website_pc/dist/;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.test.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.test.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.test.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name www.test.com;
    listen 80;
    return 404; # managed by Certbot
}
(base) root@SIT:/etc/nginx/sites-enabled/test#
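
The two failures in the sessions above (no server block with a matching `server_name`, and NXDOMAIN during the http-01 challenge) can be caught before contacting the CA. The script below is an added example, not part of the original session or of Certbot; the function names and the constructed demo config are assumptions, and `resolves_locally` assumes glibc's `getent`.

```shell
#!/bin/sh
# Added example: pre-flight checks before "certbot run -d DOMAIN".
# Function names are hypothetical; the demo config below is constructed.

# has_server_block DOMAIN CONF_DIR
# True if a file under CONF_DIR has a server_name directive listing DOMAIN
# exactly. Comments are ignored; wildcard and regex names are not evaluated.
has_server_block() {
    find -L "$2" -type f -exec cat {} + 2>/dev/null |
        sed 's/#.*//' | tr '\n' ' ' | tr ';' '\n' |
        awk -v d="$1" '
            { for (i = 1; i <= NF; i++)
                  if ($i == "server_name")
                      for (j = i + 1; j <= NF; j++)
                          if ($j == d) found = 1 }
            END { exit !found }'
}

# resolves_locally DOMAIN
# True if the local resolver returns an address (glibc getent assumed). The
# ACME server performs its own public lookup, so this only catches the
# obvious NXDOMAIN case.
resolves_locally() {
    getent ahosts "$1" >/dev/null 2>&1
}

# preflight DOMAIN CONF_DIR
# Returns 0 if both checks pass, 1 if no server block matches, 2 if no DNS.
preflight() {
    has_server_block "$1" "$2" || { echo "no server_name $1 under $2" >&2; return 1; }
    resolves_locally "$1" || { echo "$1 does not resolve" >&2; return 2; }
}

# Demo on a constructed config mirroring www.test.com.conf from the session.
demo_dir=$(mktemp -d)
printf 'server {\n    server_name www.test.com;\n    root /srv/site/dist/;\n}\n' \
    > "$demo_dir/www.test.com.conf"
for name in www.test.com a.test.com; do
    if has_server_block "$name" "$demo_dir"; then
        echo "$name: server block found"
    else
        echo "$name: no matching server block"
    fi
done
rm -rf "$demo_dir"
```

On a real host the call would be `preflight www.test.com /etc/nginx/sites-enabled && certbot run -d www.test.com`, which avoids spending a failed validation attempt on a problem visible locally.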

