letsencrypt證書-管理工具certbot
目錄
1. 安裝certbot
申請證書的工具:官方是certbot,可以根據你伺服器的型別來選擇安裝教程。地址:certbot
你也可以直接使用certbot-auto(包含certbot,命令和certbot一樣),
[email protected]:~$ wget https://dl.eff.org/certbot-auto
[email protected]:~$ chmod a+x ./certbot-auto
[email protected]:~$ ./certbot-auto --help
官方建議:除非你有特別的需求,否則最好使用certbot來自動管理的你的證書。
2. certbot 介紹
Certbot 現在需要執行在安裝了Python (2.7 or 3.4)的類unix系統上,記憶體大於512MB(如果小於的話,官方解決方案),預設是需要root許可權的,比如寫證書操作需要root許可權。
Certbot客戶機支援獲取和安裝證書的兩種外掛:auth
和install
,當使用certonly引數的時候,只會獲取證書,並不會安裝證,獲取的證書位於/etc/letsencrypt目錄下
主要外掛的介紹:
Plugin | Auth | Install | Notes | Challenge types (and port) |
---|---|---|---|---|
apache | Y | Y | 自動化獲取並安裝證書 | tls-sni-01 (443) |
webroot | Y | N | 已經有執行的服務,通過驗證webroot目錄來獲取證書 | http-01 (80) |
nginx | Y | Y | 使用nginx自動獲取和安裝證書 | tls-sni-01 (443) |
standalone | Y | N | 建立一個standalone WEB服務,需要80或者443埠可用,如果你沒有類似nginx和apache等服務,這很有用 | http-01 (80) or tls-sni-01 (443) |
DNS plugins | Y | N | 通過修改dns伺服器的text記錄,來獲取證書,野卡證書只能通過此方式獲取 | dns-01 (53) |
manual | Y | N | 通過自己給指令獲取證書,支援新增定製指令碼來完成任務 | http-01 (80), dns-01 (53) or tls-sni-01 (443) |
解析:
- 如果你使用standalone外掛,那麼需要使用80和443埠,因為要建一個監聽這些埠的服務,如果你有別的服務使用了該埠,那麼就會出問題了。
- webroot方式,如果你使用了nginx,那麼你需要更改一些nginx配置,確保能驗證你對該域名的所有許可權
3. 外掛的具體使用
這裡講解下部分外掛的使用方法
3.1 webroot
一般需要使用的引數
certonly #只獲取證書,不安裝
--webroot #定義使用的外掛方法是webroot
--webroot-path # 簡寫:-w 目錄位置
-d # 域名
類似下面的命令
certbot certonly --webroot -w /var/www/example -d www.example.com -d example.com -w /var/www/other -d other.example.net -d another.other.example.net
-w
和-d
配合使用,域名將使用最近的path,比如上面 /var/www/example
對應 前兩個域名,/var/www/other
對應後兩個域名
驗證的機制:
驗證的時候會自動向${webroot-path}/.well-known/acme-challenge
目錄下寫一個臨時檔案,然後會發送一個請求,去驗證是否可以正常訪問,訪問的請求類似下面
66.133.109.36 - - [05/Jan/2016:20:11:24 -0500] "GET /.well-known/acme-challenge/HGr8U1IeTW4kY_Z6UIyaakzOkyQgPr_7ArlLgtZE8SX HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
所以我們本身有服務的情況下,比如使用的是nginx,那麼我們需要新增如下配置
server {
server_name www.yoursite.com yoursite.com;
# 需要新增的配置
location ^~ /.well-known/acme-challenge/ {
alias /home/xxx/www/challenges/;
try_files $uri =404;
}
# ... 其它配置
}
3.2 standalone
該外掛會啟動一個web伺服器,使用--preferred-challenges http
引數的話,對應使用80埠,使用--preferred-challenges tls-sni
引數對應使用443埠,所以如果你有佔用這兩個埠的服務,請根據你的實際使用埠,停用佔用埠的程式,同樣配合certonly使用。
使用方法:
sudo certbot certonly --standalone -d example.com -d www.example.com
3.3 DNS plugins
如果你想去的一個野卡證書,那麼只能使用dns驗證的方式(即使你是使用manual引數,根本上還是使用dns驗證方式)。
預設的certbot是不包含dns外掛的,如果你要使用此方式的話,需要下載相應的外掛:外掛地址,具體的使用方法,請點選你對應的dns服務商連結,然後按照相應的方法獲取證書,官方提供的基本上是國外的dns服務區上,國內的服務商暫時沒有,不過可以使用manual方法。
3.4 manual
該方法允許你通過互動的方式獲取證書,可以在其它伺服器上執行,可以選擇http,dns和tls-sni方式中的任意一種。
比如使用dns的方式,會要求你在驗證過程中手動填寫txt dns的記錄,然後繼續,驗證成功後會獲取證書。
舉例:
使用manual方式,選擇dns驗證,申請野卡證書的方法(新增--server https://acme-v02.api.letsencrypt.org/directory
引數)
./certbot-auto certonly -d *.archerwong.cn -d archerwong.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
上面是手動的方式申請,中間需要人工干預,去dns服務商填寫text記錄。
你還可以使用指令碼幫助你完成一些驗證,可以使用--manual-auth-hook
和 --manual-cleanup-hook
引數,關於鉤子的使用:參考地址
正是因為這個鉤子,可以編寫一個 Shell 指令碼,讓指令碼呼叫 DNS 服務商的 API 介面,動態新增 TXT 記錄,這樣就無需人工干預了。
推薦下 :申請dns證書的指令碼
4. 證書管理
4.1 檢視已經申請的證書
$ ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: archerwong.cn-0001
Domains: *.archerwong.cn archerwong.cn
Expiry Date: 2019-03-17 13:24:57+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/archerwong.cn-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/archerwong.cn-0001/privkey.pem
Certificate Name: archerwong.cn
Domains: *.archerwong.cn
Expiry Date: 2019-03-17 12:34:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/archerwong.cn/fullchain.pem
Private Key Path: /etc/letsencrypt/live/archerwong.cn/privkey.pem
Certificate Name
是一個重要標識,可以具體指定哪一個證書,可以配合 run, certonly, certificates, renew,和 delete等命令一起使用,比如:
certbot certonly --cert-name archerwong.cn
4.2 重新建立和更新證書
可以使用certonly
或run
命令來建立一個新證書,即使已經存在具有該域名的證書,也沒有關係,那麼certbot會更新該證書,否則會建立一個新證書,一句話存在就更新,不存在就建立
run 和 certonly的區別:
- run 預設的方式,獲取,並安裝一個證書
- certonly 是建立或者更新一個證書,但是不安裝該證書
在recreate證書的時候,可以指定具體行為,可以使用--force-renewal
, --duplicate
, --expand
來限定操作,如果你沒有具體指定,certbot可能會問你具體意圖。
--force-renewal
當請求一個已經存在並有相同域名的證書時,需要把每一個域名通過-d來指定,不管過期與否,強制更新證書。--duplicate
告訴certbot不管有沒有舊證書,都建立一個獨立的新證書--expand
告訴certbot更新一個已經存在的證書,需要使用-d引數包含所有舊的域名,並新增新的域名。
expand 舉例
可以將域名使用逗號分隔
certbot --expand -d existing.com,example.com,newdomain.com
也可以單獨寫
certbot --expand -d existing.com -d example.com -d newdomain.com
當我們需要擴充套件一個證書的時候,上面是通過expand方式,並且是通過-d引數來判定是哪個證書的,但是官方鼓勵使用--cert-name來指明是哪個證書,不建議使用expand。
4.3 改變證書的域名
同樣可以通過指定--cert-name的方式來更改證書的域名,形式如下
certbot certonly --cert-name example.com -d example.com
certbot certonly --cert-name example.com -d example.org,www.example.org
4.4 撤銷證書(revoking certificates)
如果你的證書祕鑰已經被洩露,那麼可以選擇撤銷證書,使用revoke命令,注意這裡配合使用的引數是證書路徑(以cert.pem結尾),不是證書名稱或者域名
certbot revoke --cert-path /etc/letsencrypt/live/CERTNAME/cert.pem
同時可以指定原因,可以使用的原因包括 unspecified(預設), keycompromise, affiliationchanged, superseded, 和 cessationofoperation
certbot revoke --cert-path /etc/letsencrypt/live/CERTNAME/cert.pem --reason keycompromise
如果證書是使用 --staging 或 --test-cert 引數,那麼當revoke證書的時候需要帶著測試引數 --staging 或 --test-cert
因為證書申請是有數目限制的,所以後面我加上了測試用的引數,可以看下申請出的證書過期時間是和正式證書不同的
$ ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: archerwong.cn-0001
Domains: *.archerwong.cn archerwong.cn
Expiry Date: 2019-03-17 13:24:57+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/archerwong.cn-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/archerwong.cn-0001/privkey.pem
Certificate Name: test.archerwong.cn-0001
Domains: test.archerwong.cn
Expiry Date: 2019-03-18 05:36:23+00:00 (INVALID: TEST_CERT)
Certificate Path: /etc/letsencrypt/live/test.archerwong.cn-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/test.archerwong.cn-0001/privkey.pem
Certificate Name: archerwong.cn
Domains: *.archerwong.cn
Expiry Date: 2019-03-17 12:34:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/archerwong.cn/fullchain.pem
Private Key Path: /etc/letsencrypt/live/archerwong.cn/privkey.pem
Certificate Name: test.archerwong.cn
Domains: test.archerwong.cn blog.archerwong.cn
Expiry Date: 2019-03-18 05:32:07+00:00 (INVALID: TEST_CERT)
Certificate Path: /etc/letsencrypt/live/test.archerwong.cn/fullchain.pem
Private Key Path: /etc/letsencrypt/live/test.archerwong.cn/privkey.pem
如果申請的時候有測試引數,但是revoke的時候不加,那麼就會出現問題
$ ./certbot-auto revoke --cert-path /etc/letsencrypt/live/test.archerwong.cn/cert.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
The request message was malformed :: No such certificate
Please see the logfiles in /var/log/letsencrypt for more details.
一旦證書被revoke後,可以使用delete命令刪除證書。
certbot delete --cert-name example.com
注意:如果你revoke一個證書,那麼如果不delete的話,當renew的時候該證書仍然會被更新。
下面演示如何刪除一個證書
$ ./certbot-auto revoke --cert-path /etc/letsencrypt/live/test.archerwong.cn-0001/cert.pem --staging --reason keycompromise
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you like to delete the cert(s) you just revoked?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es (recommended)/(N)o: n
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully revoked the certificate that was located
at /etc/letsencrypt/live/test.archerwong.cn-0001/cert.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Not deleting revoked certs.
中間會詢問你是否刪除revoke的證書,為了演示,這裡我選擇不刪除證書。發現狀態又變化了,有了revoked標誌
$ ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
...
Certificate Name: test.archerwong.cn-0001
Domains: blog.archerwong.cn
Expiry Date: 2019-03-18 05:45:31+00:00 (INVALID: TEST_CERT, REVOKED)
Certificate Path: /etc/letsencrypt/live/test.archerwong.cn-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/test.archerwong.cn-0001/privkey.pem
...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
繼續刪除證書
$ ./certbot-auto delete --cert-name test.archerwong.cn-0001
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate test.archerwong.cn-0001.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
此時證書已經被刪除了,檢視發現資料夾(test.archerwong.cn-0001)已經被刪除
$ tree /etc/letsencrypt/live
/etc/letsencrypt/live
├── archerwong.cn
│ ├── cert.pem -> ../../archive/archerwong.cn/cert1.pem
│ ├── chain.pem -> ../../archive/archerwong.cn/chain1.pem
│ ├── fullchain.pem -> ../../archive/archerwong.cn/fullchain1.pem
│ ├── privkey.pem -> ../../archive/archerwong.cn/privkey1.pem
│ └── README
├── archerwong.cn-0001
│ ├── cert.pem -> ../../archive/archerwong.cn-0001/cert1.pem
│ ├── chain.pem -> ../../archive/archerwong.cn-0001/chain1.pem
│ ├── fullchain.pem -> ../../archive/archerwong.cn-0001/fullchain1.pem
│ ├── privkey.pem -> ../../archive/archerwong.cn-0001/privkey1.pem
│ └── README
├── README
└── test.archerwong.cn
├── cert.pem -> ../../archive/test.archerwong.cn/cert2.pem
├── chain.pem -> ../../archive/test.archerwong.cn/chain2.pem
├── fullchain.pem -> ../../archive/test.archerwong.cn/fullchain2.pem
├── privkey.pem -> ../../archive/test.archerwong.cn/privkey2.pem
└── README
3 directories, 16 files
4.5 更新證書
處於安全等因素的考慮,letsencrypt證書只支援90天的有效期,所以我們需要在臨近過期的時間再次更新證書,certbot上可以方便的進行更新操作,使用renew命令
certbot renew
類似於下面的情形,因為我都是新申請的證書,所以沒有更新
$ ./certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/archerwong.cn-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/archerwong.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test.archerwong.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/archerwong.cn-0001/fullchain.pem expires on 2019-03-17 (skipped)
/etc/letsencrypt/live/archerwong.cn/fullchain.pem expires on 2019-03-17 (skipped)
/etc/letsencrypt/live/test.archerwong.cn/fullchain.pem expires on 2019-03-18 (skipped)
No renewals were attempted.
該命令會嘗試更新所有的證書,查詢到期天數低於30天的證書,然後更新
,正式因為上面的特性,當沒有需要更新的證書的時候,就不會採取任何操作,所以這特別適合自動部署,你可以頻繁的進行renew操作,不用擔心產生太多副作用。
這裡還有個強大的功能就是可以使用鉤子,比如你使用的是standalone方式驗證證書,同時你又時刻執行著自己的nginx伺服器,那麼當驗證的時候就需要關閉nginx服務,這時候就可以使用鉤子來自動化完成這個操作,當有證書需要更新的時候才會觸發鉤子,不是每執行一次更新操作就執行一次鉤子,所以不用太擔心會頻繁關閉啟動nginx服務。
certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
--pre-hook 和 --post-hook 鉤子執行在嘗試更新和更新證書之後,如果你想要只執行在一次成功更新證書之後,那麼可以使用--deploy-hook
certbot renew --deploy-hook /path/to/deploy-hook-script
比如,你有一個守護程序需要讀取證書內容但是不是使用root使用者,下面的指令碼可以複製一份證書,並更改證書的許可權。
#!/bin/sh
set -e
for domain in $RENEWED_DOMAINS; do
case $domain in
example.com)
daemon_cert_root=/etc/some-daemon/certs
# Make sure the certificate and private key files are
# never world readable, even just for an instant while
# we're copying them into daemon_cert_root.
umask 077
cp "$RENEWED_LINEAGE/fullchain.pem" "$daemon_cert_root/$domain.cert"
cp "$RENEWED_LINEAGE/privkey.pem" "$daemon_cert_root/$domain.key"
# Apply the proper file ownership and permissions for
# the daemon to read its certificate and key.
chown some-daemon "$daemon_cert_root/$domain.cert" \
"$daemon_cert_root/$domain.key"
chmod 400 "$daemon_cert_root/$domain.cert" \
"$daemon_cert_root/$domain.key"
service some-daemon restart >/dev/null
;;
esac
done
你可以直接將鉤子檔案放到指定目錄 /etc/letsencrypt/renewal-hooks/pre
, /etc/letsencrypt/renewal-hooks/deploy
, /etc/letsencrypt/renewal-hooks/post
,那麼這三個資料夾裡的檔案會按照,pre,deply,post型別的鉤子執行。同一個資料夾下有多個檔案,那麼這些檔案的執行時按照檔名字母的排序先後執行的。你可以指定不使用這些資料夾下的鉤子檔案,需要在使用命令的時候新增 --no-directory-hooks
引數
如果在更新證書的過程中不需要人工干預,那麼可以將命令新增到crontab
,這樣定期自動更新證書。
如果你在手動更新證書,並且向忽略過期時間的限制,那麼可以使用 --force-renewal
引數,但是這樣做要注意,你可能很快就超過官方申請頻率的限制。
如果你不想在申請過程中有任何輸入,那麼可以使用--noninteractive
(簡寫:-n
)來表名不想輸入,這時客戶端會嘗試幫你填寫需要的選項。
如果快到期的時候你還沒有更新證書,那麼CA會給你發郵件提醒你,這很人性化啊。。。,所以郵箱還是要認真填寫的。
5. 其它問題
野卡證書
預設的,certbot的CA是使用 https://acme-v01.api.letsencrypt.org/
,但是如果你想申請萬用字元證書,那麼你需要指定letsencrypt的新的ACMEV2服務,需要加下面的引數--server https://acme-v02.api.letsencrypt.org/directory
,這樣certbot就可以選擇正確的協議幫你申請野卡證書了。
野卡證書支援dns的驗證方式,具體如何操作,我會單獨寫一篇文章。
命令 certbot --help all
可以通過help來檢視命令怎麼用,這裡就貼一下官方的文件,有一篇文章翻譯了部分,大家可以看下: Certbot命令列工具使用說明
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:
obtain, install, and renew certificates:
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near expiry
enhance Add security enhancements to your existing configuration
-d DOMAINS Comma-separated list of domains to obtain a certificate for
--apache Use the Apache plugin for authentication & installation
--standalone Run a standalone webserver for authentication
--nginx Use the Nginx plugin for authentication & installation
--webroot Place files in a server's webroot folder for authentication
--manual Obtain certificates interactively, or using shell script hooks
-n Run non-interactively
--test-cert Obtain a test certificate from a staging server
--dry-run Test "renew" or "certonly" without saving any certificates to disk
manage certificates:
certificates Display information about certificates you have from Certbot
revoke Revoke a certificate (supply --cert-path or --cert-name)
delete Delete a certificate
manage your account with Let's Encrypt:
register Create a Let's Encrypt ACME account
--agree-tos Agree to the ACME server's Subscriber Agreement
-m EMAIL Email address for important account notifications
optional arguments:
-h, --help show this help message and exit
-c CONFIG_FILE, --config CONFIG_FILE
path to config file (default: /etc/letsencrypt/cli.ini
and ~/.config/letsencrypt/cli.ini)
-v, --verbose This flag can be used multiple times to incrementally
increase the verbosity of output, e.g. -vvv. (default:
-2)
--max-log-backups MAX_LOG_BACKUPS
Specifies the maximum number of backup logs that
should be kept by Certbot's built in log rotation.
Setting this flag to 0 disables log rotation entirely,
causing Certbot to always append to the same log file.
(default: 1000)
-n, --non-interactive, --noninteractive
Run without ever asking for user input. This may
require additional command line flags; the client will
try to explain which ones are required if it finds one
missing (default: False)
--force-interactive Force Certbot to be interactive even if it detects
it's not being run in a terminal. This flag cannot be
used with the renew subcommand. (default: False)
-d DOMAIN, --domains DOMAIN, --domain DOMAIN
Domain names to apply. For multiple domains you can
use multiple -d flags or enter a comma separated list
of domains as a parameter. The first domain provided
will be the subject CN of the certificate, and all
domains will be Subject Alternative Names on the
certificate. The first domain will also be used in
some software user interfaces and as the file paths
for the certificate and related material unless
otherwise specified or you already have a certificate
with the same name. In the case of a name collision it
will append a number like 0001 to the file path name.
(default: Ask)
--cert-name CERTNAME Certificate name to apply. This name is used by
Certbot for housekeeping and in file paths; it doesn't
affect the content of the certificate itself. To see
certificate names, run 'certbot certificates'. When
creating a new certificate, specifies the new
certificate's name. (default: the first provided
domain or the name of an existing certificate on your
system for the same domains)
--dry-run Perform a test run of the client, obtaining test
(invalid) certificates but not saving them to disk.
This can currently only be used with the 'certonly'
and 'renew' subcommands. Note: Although --dry-run
tries to avoid making any persistent changes on a
system, it is not completely side-effect free: if used
with webserver authenticator plugins like apache and
nginx, it makes and then reverts temporary config
changes in order to obtain test certificates, and
reloads webservers to deploy and then roll back those
changes. It also calls --pre-hook and --post-hook
commands if they are defined because they may be
necessary to accurately simulate renewal. --deploy-
hook commands are not called. (default: False)
--debug-challenges After setting up challenges, wait for user input
before submitting to CA (default: False)
--preferred-challenges PREF_CHALLS
A sorted, comma delimited list of the preferred
challenge to use during authorization with the most
preferred challenge listed first (Eg, "dns" or "tls-
sni-01,http,dns"). Not all plugins support all
challenges. See
https://certbot.eff.org/docs/using.html#plugins for
details. ACME Challenges are versioned, but if you
pick "http" rather than "http-01", Certbot will select
the latest version automatically. (default: [])
--user-agent USER_AGENT
Set a custom user agent string for the client. User
agent strings allow the CA to collect high level
statistics about success rates by OS, plugin and use
case, and to know when to deprecate support for past
Python versions and flags. If you wish to hide this
information from the Let's Encrypt server, set this to
"". (default: CertbotACMEClient/0.28.0
(certbot(-auto); OS_NAME OS_VERSION) Authenticator/XXX
Installer/YYY (SUBCOMMAND; flags: FLAGS)
Py/major.minor.patchlevel). The flags encoded in the
user agent are: --duplicate, --force-renew, --allow-
subset-of-names, -n, and whether any hooks are set.
--user-agent-comment USER_AGENT_COMMENT
Add a comment to the default user agent string. May be
used when repackaging Certbot or calling it from
another tool to allow additional statistical data to
be collected. Ignored if --user-agent is set.
(Example: Foo-Wrapper/1.0) (default: None)
automation:
Flags for automating execution & other tweaks
--keep-until-expiring, --keep, --reinstall
If the requested certificate matches an existing
certificate, always keep the existing one until it is
due for renewal (for the 'run' subcommand this means
reinstall the existing certificate). (default: Ask)
--expand If an existing certificate is a strict subset of the
requested names, always expand and replace it with the
additional names. (default: Ask)
--version show program's version number and exit
--force-renewal, --renew-by-default
If a certificate already exists for the requested
domains, renew it now, regardless of whether it is
near expiry. (Often --keep-until-expiring is more
appropriate). Also implies --expand. (default: False)
--renew-with-new-domains
If a certificate already exists for the requested
certificate name but does not match the requested
domains, renew it now, regardless of whether it is
near expiry. (default: False)
--reuse-key When renewing, use the same private key as the
existing certificate. (default: False)
--allow-subset-of-names
When performing domain validation, do not consider it
a failure if authorizations can not be obtained for a
strict subset of the requested domains. This may be
useful for allowing renewals for multiple domains to
succeed even if some domains no longer point at this
system. This option cannot be used with --csr.
(default: False)
--agree-tos Agree to the ACME Subscriber Agreement (default: Ask)
--duplicate Allow making a certificate lineage that duplicates an
existing one (both can be renewed in parallel)
(default: False)
--os-packages-only (certbot-auto only) install OS package dependencies
and then stop (default: False)
--no-self-upgrade (certbot-auto only) prevent the certbot-auto script
from upgrading itself to newer released versions
(default: Upgrade automatically)
--no-bootstrap (certbot-auto only) prevent the certbot-auto script
from installing OS-level dependencies (default: Prompt
to install OS-wide dependencies, but exit if the user
says 'No')
-q, --quiet Silence all output except errors. Useful for
automation via cron. Implies --non-interactive.
(default: False)
security:
Security parameters & server settings
--rsa-key-size N Size of the RSA key. (default: 2048)
--must-staple Adds the OCSP Must Staple extension to the
certificate. Autoconfigures OCSP Stapling for
supported setups (Apache version >= 2.3.3 ). (default:
False)
--redirect Automatically redirect all HTTP traffic to HTTPS for
the newly authenticated vhost. (default: Ask)
--no-redirect Do not automatically redirect all HTTP traffic to
HTTPS for the newly authenticated vhost. (default:
Ask)
--hsts Add the Strict-Transport-Security header to every HTTP
response. Forcing browser to always use SSL for the
domain. Defends against SSL Stripping. (default: None)
--uir Add the "Content-Security-Policy: upgrade-insecure-
requests" header to every HTTP response. Forcing the
browser to use https:// for every http:// resource.
(default: None)
--staple-ocsp Enables OCSP Stapling. A valid OCSP response is
stapled to the certificate that the server offers
during TLS. (default: None)
--strict-permissions Require that all configuration files are owned by the
current user; only needed if your config is somewhere
unsafe like /tmp/ (default: False)
--auto-hsts Gradually increasing max-age value for HTTP Strict
Transport Security security header (default: False)
testing:
The following flags are meant for testing and integration purposes only.
--test-cert, --staging
Use the staging server to obtain or revoke test
(invalid) certificates; equivalent to --server https
://acme-staging-v02.api.letsencrypt.org/directory
(default: False)
--debug Show tracebacks in case of errors, and allow certbot-
auto execution on experimental platforms (default:
False)
--no-verify-ssl Disable verification of the ACME server's certificate.
(default: False)
--tls-sni-01-port TLS_SNI_01_PORT
Port used during tls-sni-01 challenge. This only
affects the port Certbot listens on. A conforming ACME
server will still attempt to connect on port 443.
(default: 443)
--tls-sni-01-address TLS_SNI_01_ADDRESS
The address the server listens to during tls-sni-01
challenge. (default: )
--http-01-port HTTP01_PORT
Port used in the http-01 challenge. This only affects
the port Certbot listens on. A conforming ACME server
will still attempt to connect on port 80. (default:
80)
--http-01-address HTTP01_ADDRESS
The address the server listens to during http-01
challenge. (default: )
--break-my-certs Be willing to replace or renew valid certificates with
invalid (testing/staging) certificates (default:
False)
paths:
Flags for changing execution paths & servers
--cert-path CERT_PATH
Path to where certificate is saved (with auth --csr),
installed from, or revoked. (default: None)
--key-path KEY_PATH Path to private key for certificate installation or
revocation (if account key is missing) (default: None)
--fullchain-path FULLCHAIN_PATH
Accompanying path to a full certificate chain
(certificate plus chain). (default: None)
--chain-path CHAIN_PATH
Accompanying path to a certificate chain. (default:
None)
--config-dir CONFIG_DIR
Configuration directory. (default: /etc/letsencrypt)
--work-dir WORK_DIR Working directory. (default: /var/lib/letsencrypt)
--logs-dir LOGS_DIR Logs directory. (default: /var/log/letsencrypt)
--server SERVER ACME Directory Resource URI. (default:
https://acme-v02.api.letsencrypt.org/directory)
manage:
Various subcommands and flags are available for managing your
certificates:
certificates List certificates managed by Certbot
delete Clean up all files related to a certificate
renew Renew all certificates (or one specified with --cert-
name)
revoke Revoke a certificate specified with --cert-path or
--cert-name
update_symlinks Recreate symlinks in your /etc/letsencrypt/live/
directory
run:
Options for obtaining & installing certificates
certonly:
Options for modifying how a certificate is obtained
--csr CSR Path to a Certificate Signing Request (CSR) in DER or
PEM format. Currently --csr only works with the
'certonly' subcommand. (default: None)
renew:
The 'renew' subcommand will attempt to renew all certificates (or more
precisely, certificate lineages) you have previously obtained if they are
close to expiry, and print a summary of the results. By default, 'renew'
will reuse the options used to create obtain or most recently successfully
renew each certificate lineage. You can try it with `--dry-run` first. For
more fine-grained control, you can renew individual lineages with the
`certonly` subcommand. Hooks are available to run commands before and
after renewal; see https://certbot.eff.org/docs/using.html#renewal for
more information on these.
--pre-hook PRE_HOOK Command to be run in a shell before obtaining any
certificates. Intended primarily for renewal, where it
can be used to temporarily shut down a webserver that
might conflict with the standalone plugin. This will
only be called if a certificate is actually to be
obtained/renewed. When renewing several certificates
that have identical pre-hooks, only the first will be
executed. (default: None)
--post-hook POST_HOOK
Command to be run in a shell after attempting to
obtain/renew certificates. Can be used to deploy
renewed certificates, or to restart any servers that
were stopped by --pre-hook. This is only run if an
attempt was made to obtain/renew a certificate. If
multiple renewed certificates have identical post-
hooks, only one will be run. (default: None)
--deploy-hook DEPLOY_HOOK
Command to be run in a shell once for each
successfully issued certificate. For this command, the
shell variable $RENEWED_LINEAGE will point to the
config live subdirectory (for example,
"/etc/letsencrypt/live/example.com") containing the
new certificates and keys; the shell variable
$RENEWED_DOMAINS will contain a space-delimited list
of renewed certificate domains (for example,
"example.com www.example.com" (default: None)
--disable-hook-validation
Ordinarily the commands specified for --pre-hook
/--post-hook/--deploy-hook will be checked for
validity, to see if the programs being run are in the
$PATH, so that mistakes can be caught early, even when
the hooks aren't being run just yet. The validation is
rather simplistic and fails if you use more advanced
shell constructs, so you can use this switch to
disable it. (default: False)
--no-directory-hooks Disable running executables found in Certbot's hook
directories during renewal. (default: False)
--disable-renew-updates
Disable automatic updates to your server configuration
that would otherwise be done by the selected installer
plugin, and triggered when the user executes "certbot
renew", regardless of if the certificate is renewed.
This setting does not apply to important TLS
configuration updates. (default: False)
--no-autorenew Disable auto renewal of certificates. (default: True)
certificates:
List certificates managed by Certbot
delete:
Options for deleting a certificate
revoke:
Options for revocation of certificates
--reason {unspecified,keycompromise,affiliationchanged,superseded,cessationofoperation}
Specify reason for revoking certificate. (default:
unspecified)
--delete-after-revoke
Delete certificates after revoking them. (default:
None)
--no-delete-after-revoke
Do not delete certificates after revoking them. This
option should be used with caution because the 'renew'
subcommand will attempt to renew undeleted revoked
certificates. (default: None)
register:
Options for account registration & modification
--register-unsafely-without-email
Specifying this flag enables registering an account
with no email address. This is strongly discouraged,
because in the event of key loss or account compromise
you will irrevocably lose access to your account. You
will also be unable to receive notice about impending
expiration or revocation of your certificates. Updates
to the Subscriber Agreement will still affect you, and
will be effective 14 days after posting an update to
the web site. (default: False)
--update-registration
With the register verb, indicates that details
associated with an existing registration, such as the
e-mail address, should be updated, rather than
registering a new account. (default: False)
-m EMAIL, --email EMAIL
Email used for registration and recovery contact. Use
comma to register multiple emails, ex:
[email protected],[email protected] (default: Ask).
--eff-email Share your e-mail address with EFF (default: None)
--no-eff-email Don't share your e-mail address with EFF (default:
None)
unregister:
Options for account deactivation.
--account ACCOUNT_ID Account ID to use (default: None)
install:
Options for modifying how a certificate is deployed
config_changes:
Options for controlling which changes are displayed
--num NUM How many past revisions you want to be displayed
(default: None)
rollback:
Options for rolling back server configuration changes
--checkpoints N Revert configuration N number of checkpoints.
(default: 1)
plugins:
Options for for the "plugins" subcommand
--init Initialize plugins. (default: False)
--prepare Initialize and prepare plugins. (default: False)
--authenticators Limit to authenticator plugins only. (default: None)
--installers Limit to installer plugins only. (default: None)
update_symlinks:
Recreates certificate and key symlinks in /etc/letsencrypt/live, if you
changed them by hand or edited a renewal configuration file
enhance:
Helps to harden the TLS configuration by adding security enhancements to
already existing configuration.
plugins:
Plugin Selection: Certbot client supports an extensible plugins
architecture. See 'certbot plugins' for a list of all installed plugins
and their names. You can force a particular plugin by setting options
provided below. Running --help <plugin_name> will list flags specific to
that plugin.
--configurator CONFIGURATOR
Name of the plugin that is both an authenticator and
an installer. Should not be used together with
--authenticator or --installer. (default: Ask)
-a AUTHENTICATOR, --authenticator AUTHENTICATOR
Authenticator plugin name. (default: None)
-i INSTALLER, --installer INSTALLER
Installer plugin name (also used to find domains).
(default: None)
--apache Obtain and install certificates using Apache (default:
False)
--nginx Obtain and install certificates using Nginx (default:
False)
--standalone Obtain certificates using a "standalone" webserver.
(default: False)
--manual Provide laborious manual instructions for obtaining a
certificate (default: False)
--webroot Obtain certificates by placing files in a webroot
directory. (default: False)
--dns-cloudflare Obtain certificates using a DNS TXT record (if you are
using Cloudflare for DNS). (default: False)
--dns-cloudxns Obtain certificates using a DNS TXT record (if you are
using CloudXNS for DNS). (default: False)
--dns-digitalocean Obtain certificates using a DNS TXT record (if you are
using DigitalOcean for DNS). (default: False)
--dns-dnsimple Obtain certificates using a DNS TXT record (if you are
using DNSimple for DNS). (default: False)
--dns-dnsmadeeasy Obtain certificates using a DNS TXT record (if you
areusing DNS Made Easy for DNS). (default: False)
--dns-gehirn Obtain certificates using a DNS TXT record (if you are
using Gehirn Infrastracture Service for DNS).
(default: False)
--dns-google Obtain certificates using a DNS TXT record (if you are
using Google Cloud DNS). (default: False)
--dns-linode Obtain certificates using a DNS TXT record (if you are
using Linode for DNS). (default: False)
--dns-luadns Obtain certificates using a DNS TXT record (if you are
using LuaDNS for DNS). (default: False)
--dns-nsone Obtain certificates using a DNS TXT record (if you are
using NS1 for DNS). (default: False)
--dns-ovh Obtain certificates using a DNS TXT record (if you are
using OVH for DNS). (default: False)
--dns-rfc2136 Obtain certificates using a DNS TXT record (if you are
using BIND for DNS). (default: False)
--dns-route53 Obtain certificates using a DNS TXT record (if you are
using Route53 for DNS). (default: False)
--dns-sakuracloud Obtain certificates using a DNS TXT record (if you are
using Sakura Cloud for DNS). (default: False)
apache:
Apache Web Server plugin - Beta
--apache-enmod APACHE_ENMOD
Path to the Apache 'a2enmod' binary (default: None)
--apache-dismod APACHE_DISMOD
Path to the Apache 'a2dismod' binary (default: None)
--apache-le-vhost-ext APACHE_LE_VHOST_EXT
SSL vhost configuration extension (default: -le-
ssl.conf)
--apache-server-root APACHE_SERVER_ROOT
Apache server root directory (default: /etc/apache2)
--apache-vhost-root APACHE_VHOST_ROOT
Apache server VirtualHost configuration root (default:
None)
--apache-logs-root APACHE_LOGS_ROOT
Apache server logs directory (default:
/var/log/apache2)
--apache-challenge-location APACHE_CHALLENGE_LOCATION
Directory path for challenge configuration (default:
/etc/apache2/other)
--apache-handle-modules APACHE_HANDLE_MODULES
Let installer handle enabling required modules for you
(Only Ubuntu/Debian currently) (default: False)
--apache-handle-sites APACHE_HANDLE_SITES
Let installer handle enabling sites for you (Only
Ubuntu/Debian currently) (default: False)
--apache-ctl APACHE_CTL
Full path to Apache control script (default:
apachectl)
certbot-route53:auth:
Obtain certificates using a DNS TXT record (if you are using AWS Route53
for DNS).
--certbot-route53:auth-propagation-seconds CERTBOT_ROUTE53:AUTH_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 10)
dns-cloudflare:
Obtain certificates using a DNS TXT record (if you are using Cloudflare
for DNS).
--dns-cloudflare-propagation-seconds DNS_CLOUDFLARE_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 10)
--dns-cloudflare-credentials DNS_CLOUDFLARE_CREDENTIALS
Cloudflare credentials INI file. (default: None)
dns-cloudxns:
Obtain certificates using a DNS TXT record (if you are using CloudXNS for
DNS).
--dns-cloudxns-propagation-seconds DNS_CLOUDXNS_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 30)
--dns-cloudxns-credentials DNS_CLOUDXNS_CREDENTIALS
CloudXNS credentials INI file. (default: None)
dns-digitalocean:
Obtain certs using a DNS TXT record (if you are using DigitalOcean for
DNS).
--dns-digitalocean-propagation-seconds DNS_DIGITALOCEAN_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 10)
--dns-digitalocean-credentials DNS_DIGITALOCEAN_CREDENTIALS
DigitalOcean credentials INI file. (default: None)
dns-dnsimple:
Obtain certificates using a DNS TXT record (if you are using DNSimple for
DNS).
--dns-dnsimple-propagation-seconds DNS_DNSIMPLE_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 30)
--dns-dnsimple-credentials DNS_DNSIMPLE_CREDENTIALS
DNSimple credentials INI file. (default: None)
dns-dnsmadeeasy:
Obtain certificates using a DNS TXT record (if you are using DNS Made Easy
for DNS).
--dns-dnsmadeeasy-propagation-seconds DNS_DNSMADEEASY_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 60)
--dns-dnsmadeeasy-credentials DNS_DNSMADEEASY_CREDENTIALS
DNS Made Easy credentials INI file. (default: None)
dns-gehirn:
Obtain certificates using a DNS TXT record (if you are using Gehirn
Infrastracture Service for DNS).
--dns-gehirn-propagation-seconds DNS_GEHIRN_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 30)
--dns-gehirn-credentials DNS_GEHIRN_CREDENTIALS
Gehirn Infrastracture Service credentials file.
(default: None)
dns-google:
Obtain certificates using a DNS TXT record (if you are using Google Cloud
DNS for DNS).
--dns-google-propagation-seconds DNS_GOOGLE_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 60)
--dns-google-credentials DNS_GOOGLE_CREDENTIALS
Path to Google Cloud DNS service account JSON file.
(See https://developers.google.com/identity/protocols/
OAuth2ServiceAccount#creatinganaccount forinformation
about creating a service account and
https://cloud.google.com/dns/access-
control#permissions_and_roles for information about
therequired permissions.) (default: None)
dns-linode:
Obtain certs using a DNS TXT record (if you are using Linode for DNS).
--dns-linode-propagation-seconds DNS_LINODE_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 1200)
--dns-linode-credentials DNS_LINODE_CREDENTIALS
Linode credentials INI file. (default: None)
dns-luadns:
Obtain certificates using a DNS TXT record (if you are using LuaDNS for
DNS).
--dns-luadns-propagation-seconds DNS_LUADNS_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 30)
--dns-luadns-credentials DNS_LUADNS_CREDENTIALS
LuaDNS credentials INI file. (default: None)
dns-nsone:
Obtain certificates using a DNS TXT record (if you are using NS1 for DNS).
--dns-nsone-propagation-seconds DNS_NSONE_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 30)
--dns-nsone-credentials DNS_NSONE_CREDENTIALS
NS1 credentials file. (default: None)
dns-ovh:
Obtain certificates using a DNS TXT record (if you are using OVH for DNS).
--dns-ovh-propagation-seconds DNS_OVH_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 30)
--dns-ovh-credentials DNS_OVH_CREDENTIALS
OVH credentials INI file. (default: None)
dns-rfc2136:
Obtain certificates using a DNS TXT record (if you are using BIND for
DNS).
--dns-rfc2136-propagation-seconds DNS_RFC2136_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 60)
--dns-rfc2136-credentials DNS_RFC2136_CREDENTIALS
RFC 2136 credentials INI file. (default: None)
dns-route53:
Obtain certificates using a DNS TXT record (if you are using AWS Route53
for DNS).
--dns-route53-propagation-seconds DNS_ROUTE53_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 10)
dns-sakuracloud:
Obtain certificates using a DNS TXT record (if you are using Sakura Cloud
for DNS).
--dns-sakuracloud-propagation-seconds DNS_SAKURACLOUD_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 90)
--dns-sakuracloud-credentials DNS_SAKURACLOUD_CREDENTIALS
Sakura Cloud credentials file. (default: None)
manual:
Authenticate through manual configuration or custom shell scripts. When
using shell scripts, an authenticator script must be provided. The
environment variables available to this script depend on the type of
challenge. $CERTBOT_DOMAIN will always contain the domain being
authenticated. For HTTP-01 and DNS-01, $CERTBOT_VALIDATION is the
validation string, and $CERTBOT_TOKEN is the filename of the resource
requested when performing an HTTP-01 challenge. When performing a TLS-
SNI-01 challenge, $CERTBOT_SNI_DOMAIN will contain the SNI name for which
the ACME server expects to be presented with the self-signed certificate
located at $CERTBOT_CERT_PATH. The secret key needed to complete the TLS
handshake is located at $CERTBOT_KEY_PATH. An additional cleanup script
can also be provided and can use the additional variable
$CERTBOT_AUTH_OUTPUT which contains the stdout output from the auth
script.
--manual-auth-hook MANUAL_AUTH_HOOK
Path or command to execute for the authentication
script (default: None)
--manual-cleanup-hook MANUAL_CLEANUP_HOOK
Path or command to execute for the cleanup script
(default: None)
--manual-public-ip-logging-ok
Automatically allows public IP logging (default: Ask)
nginx:
Nginx Web Server plugin
--nginx-server-root NGINX_SERVER_ROOT
Nginx server root directory. (default: /etc/nginx or
/usr/local/etc/nginx)
--nginx-ctl NGINX_CTL
Path to the 'nginx' binary, used for 'configtest' and
retrieving nginx version number. (default: nginx)
null:
Null Installer
standalone:
Spin up a temporary webserver
webroot:
Place files in webroot directory
--webroot-path WEBROOT_PATH, -w WEBROOT_PATH
public_html / webroot path. This can be specified
multiple times to handle different domains; each
domain will have the webroot path that preceded it.
For instance: `-w /var/www/example -d example.com -d
www.example.com -w /var/www/thing -d thing.net -d
m.thing.net` (default: Ask)
--webroot-map WEBROOT_MAP
JSON dictionary mapping domains to webroot paths; this
implies -d for each entry. You may need to escape this
from your shell. E.g.: --webroot-map
'{"eg1.is,m.eg1.is":"/www/eg1/", "eg2.is":"/www/eg2"}'
This option is merged with, but takes precedence over,
-w / -d entries. At present, if you put webroot-map in
a config file, it needs to be on a single line, like:
webroot-map = {"example.com":"/var/www"}. (default:
{})
6. 參考地址
https://certbot.eff.org/docs/intro.html