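After you run sudo certbot --apache, Certbot starts an interactive installation. It scans the HTTP server's configuration, lists the domains found on the host based on that scan, and asks which of them should get a certificate. You can select several domains at once, separating them with spaces or commas. Pressing Enter without any input installs certificates for all of the listed domains.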
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: caloskao.org
2: blog.caloskao.org
3: www.caloskao.org
4: example.caloskao.org
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):

Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge caloskao.org
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/caloskao.org-le-ssl.conf
Deploying Certificate for caloskao.org to VirtualHost /etc/apache2/sites-available/caloskao.org-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/caloskao.org-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://caloskao.org
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=caloskao.org
-------------------------------------------------------------------------------
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/caloskao.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/caloskao.org/privkey.pem
   Your cert will expire on 2018-03-22. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Certbot enables automatic renewal by default. Run sudo systemctl status certbot.timer to confirm that automatic renewal is running properly:
sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
   Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
   Active: active (waiting) since Thu 2018-06-21 09:02:48 CST; 6 days ago
Jun 21 09:02:48 apps-csie systemd[1]: Started Run certbot twice daily.

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/caloskao.org.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for caloskao.org
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/caloskao.org/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/caloskao.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
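
An active timer and a passing dry run do not prove that the certificates on disk are actually being replaced, so the following added example (not part of the original post) checks the remaining validity of every certificate under /etc/letsencrypt/live with openssl. The script name check-certs.sh, the function names and the 20-day threshold are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): independent expiry check for
# certbot-managed certificates, meant to run from cron or a monitoring agent.
# Certbot renews once fewer than 30 days of validity remain, so a certificate
# with less than WARN_DAYS left means renewals have been failing for a while.
# WARN_DAYS=20 is an assumed threshold; LIVE_DIR matches the paths shown above.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-20}"

# cert_status PEM [DAYS]: print OK, EXPIRING, EXPIRED or UNREADABLE.
# Returns 0 only for OK so callers can alert on any non-zero status.
cert_status() {
    local pem days
    pem="$1"
    days="${2:-$WARN_DAYS}"
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "UNREADABLE"; return 3
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED"; return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo "EXPIRING"; return 1
    fi
    echo "OK"
}

# check_all: report every lineage under LIVE_DIR as "name<TAB>status<TAB>notAfter".
# Returns non-zero if any certificate is not OK.
check_all() {
    local rc pem name status
    rc=0
    for pem in "$LIVE_DIR"/*/fullchain.pem; do
        [ -e "$pem" ] || continue   # glob matched nothing
        name="$(basename "$(dirname "$pem")")"
        status="$(cert_status "$pem")" || rc=1
        printf '%s\t%s\t%s\n' "$name" "$status" \
            "$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null)"
    done
    return "$rc"
}

# Run the full check when invoked as: bash check-certs.sh --all
if [ "${1:-}" = "--all" ]; then check_all; fi
```

Run it as root, since /etc/letsencrypt/live is not readable by ordinary users, and alert on a non-zero exit status.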