使用Certbot获取并更新免费SSL证书

V2ray,CentOS,TLS

Updated on June 13, 2022 Posted by elmagnifico on June 13, 2022

Forward

自从之前Certbot变了一次规则,导致老版本的都用不了以后,我就用一键脚本了,懒得自己去配置Certbot了。

但是现在碰到了一个Nginx和一键脚本冲突的情况,必须我手动配置证书,只好再折腾一下。

Certbot

https://certbot.eff.org/

使用也非常简单,只要去到官网然后选择你的系统和安装方式,跟着提示走就行了

比如我用Nginx+CentOS和命令行

image-20220613181740671

就能看到对应的操作了

安装snapd

https://snapcraft.io/docs/installing-snapd

想起来当时snapd怎么都安装过不去,各种报错,解了一个又一个,现在直接就安好了

sudo yum install epel-release
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap

安装certbot

sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

测试

有好几种方式测试,每种要求不同

# 自动检测和修改你的nginx配置
sudo certbot --nginx

# 自动获取nginx配置,并且更新证书,手动
sudo certbot certonly --nginx

# 单纯的测试自动刷新
sudo certbot renew --dry-run

但是上面的nginx方式可能会报错,提示你nginx不在xxxx路径下

Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] open() "/etc/nginx/mime.types" failed (2: No such file or directory) in /etc/nginx/nginx.conf:23
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] open() "/etc/nginx/mime.types" failed (2: No such file or directory) in /etc/nginx/nginx.conf:23\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')

这是由于nginx的安装路径和certbot的不同,但是又不能指定路径,所以就会提示这个。所以这种情况下只能手动刷新或者重装nginx

还可以通过如下方式指定目录

https://github.com/certbot/certbot/issues/6401

sudo certbot certonly --nginx --nginx-server-root <path>

手动刷新证书

默认刷新方式是需要提供你的注册邮箱之类的东西,这里就不提供了

certbot certonly --manual -d 你的域名 -d *.你的域名 --register-unsafely-without-email

接着会提示你,要求验证这个域名是你的(以前就是不验证域名归属,直接颁发证书,导致了很多问题,冒用他人域名敲诈等等)

然后他需要2步验证,第一步验证域名是你的,第二步验证vps是你的

第一步,一般是要求你域名增加一个txt段,他会指定name和value,新增一条即可

image-20220613182847095

第二步,要求可以公网访问到该域名下指定文件。

比如他要求访问以下链接,并且文件的指是指定内容

http://hk3.g-2.top/.well-known/acme-challenge/3drvnW7nvMS5s1fbqCHEQFRwnBlD5EV40czQZdT5_e0

# 文件内容
3drvnW7nvMS5s1fbqCHEQFRwnBlD5EV40czQZdT5_e0Maco.Mj8ZSoIF8s_zcLZ_GF2MpgcwCm2i12wRXVStRwLp8Ww

只要找到nginx的默认配置目录,然后去下面建立一个即可。

第二步每次运行都会要不同接口和值,但是第一步不会,所以一定要确保已经可以访问了,再continue

然后就能看到获取到了对应证书的提示了

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/xxxxxxx/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/xxxxxxx/privkey.pem
This certificate expires on 2022-09-11.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

v2ray小问题

更新了v2ray,然后就发现错误信息里一直提示这个问题

2022/06/13 17:56:45 127.0.0.1:37544 rejected  common/drain: common/drain: drained connection > proxy/vmess/encoding: invalid user: VMessAEAD is enforced and a non VMessAEAD connection is received. You can still disable this security feature with environment variable v2ray.vmess.aead.forced = false . You will not be able to enable legacy header workaround in the future.

首先修改v2ray的服务选项

vi /etc/systemd/system/v2ray.service

可以看到如下内容,加入环境变量,关闭强制头验证

[Unit]
Description=V2Ray Service
Documentation=https://www.v2fly.org/
After=network.target nss-lookup.target

[Service]
User=nobody
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=true
# 新增此行
Environment="V2RAY_VMESS_AEAD_FORCED=false"
ExecStart=/usr/local/bin/v2ray -config /usr/local/etc/v2ray/config.json
Restart=on-failure
RestartPreventExitStatus=23

[Install]
WantedBy=multi-user.target

重启服务,验证

systemctl daemon-reload
systemctl restart v2ray

v2ray就正常工作了

Summary

主要是我nginx安装的不对,又懒得重弄,就这样了

Quote

https://blog.miniasp.com/post/2021/02/11/Create-SSL-TLS-certificates-from-LetsEncrypt-using-Certbot

https://github.com/233boy/v2ray/issues/812