
Renewing a Let's Encrypt certificate with certbot


Let's Encrypt uses the Certbot client to install, manage and automatically renew the certificates it issues.

If your certificate is not renewed automatically, you can trigger the renewal manually at any time.

Before starting the renewal you need to free port 80, or simply stop the apache2 server for a moment. This is done with the command:

sudo systemctl stop apache2 

To confirm, we can check that it has really stopped:

pi@raspberrypi:~ $ sudo systemctl status apache2
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Wed 2024-12-18 07:27:13 GMT; 31s ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 23629 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
    Process: 26118 ExecStop=/usr/sbin/apachectl graceful-stop (code=exited, status=0/SUCCESS)
   Main PID: 577 (code=exited, status=0/SUCCESS)
        CPU: 2h 14min 12.156s

Dec 18 00:00:51 raspberrypi systemd[1]: Reloading The Apache HTTP Server.
Dec 18 00:00:52 raspberrypi apachectl[23634]: AH00558: apache2: Could not reliably determine the server's fully qu>
Dec 18 00:00:52 raspberrypi systemd[1]: Reloaded The Apache HTTP Server.
Dec 18 07:27:13 raspberrypi systemd[1]: Stopping The Apache HTTP Server...
Dec 18 07:27:13 raspberrypi apachectl[26120]: AH00558: apache2: Could not reliably determine the server's fully qu>
Dec 18 07:27:13 raspberrypi systemd[1]: apache2.service: Killing process 23636 (apache2) with signal SIGKILL.
Dec 18 07:27:13 raspberrypi systemd[1]: apache2.service: Succeeded.
Dec 18 07:27:13 raspberrypi systemd[1]: apache2.service: Unit process 23636 (apache2) remains running after unit s>
Dec 18 07:27:13 raspberrypi systemd[1]: Stopped The Apache HTTP Server.
Dec 18 07:27:13 raspberrypi systemd[1]: apache2.service: Consumed 2h 14min 12.128s CPU time.

Now we can continue with the certbot command:

sudo certbot renew

Output of the command:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/scs3.eu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate for scs3.eu
Performing the following challenges:
http-01 challenge for scs3.eu
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/scs3.eu/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/scs3.eu/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Here we can still check whether the certificate renewal was successful:

pi@raspberrypi:~ $ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/scs3.eu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Account registered.
Simulating renewal of an existing certificate for scs3.eu
Performing the following challenges:
http-01 challenge for scs3.eu
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/scs3.eu/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/scs3.eu/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Now we can safely start the apache2 server again:

sudo systemctl start apache2

And again a check that it is active:

pi@raspberrypi:~ $ sudo systemctl status apache2
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-12-18 07:29:32 GMT; 8s ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 26150 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
   Main PID: 26154 (apache2)
      Tasks: 6 (limit: 1595)
        CPU: 531ms
     CGroup: /system.slice/apache2.service
             ├─26154 /usr/sbin/apache2 -k start
             ├─26155 /usr/sbin/apache2 -k start
             ├─26156 /usr/sbin/apache2 -k start
             ├─26157 /usr/sbin/apache2 -k start
             ├─26158 /usr/sbin/apache2 -k start
             └─26159 /usr/sbin/apache2 -k start

Dec 18 07:29:32 raspberrypi systemd[1]: Starting The Apache HTTP Server...
Dec 18 07:29:32 raspberrypi apachectl[26153]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Dec 18 07:29:32 raspberrypi systemd[1]: Started The Apache HTTP Server.

Everything appears to work, and further confirmation comes from the message: "The connection to the site is encrypted. Verified by: Let's Encrypt"
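The procedure above as one script, with Apache started again even when certbot fails and the expiry of the certificate on disk checked afterwards. This is an added example, not code from the original page; the override variables SYSTEMCTL, CERTBOT, OPENSSL, CERT and MIN_DAYS and the 30-day threshold are assumptions, and the script has to run as root.

```shell
#!/bin/sh
# Added example: manual renewal with the standalone authenticator, as on this
# page, with Apache restarted regardless of the certbot result.
# Assumptions: run as root; the variables below are hypothetical overrides
# of this script (handy for testing), not certbot or systemd settings.
SYSTEMCTL=${SYSTEMCTL:-systemctl}
CERTBOT=${CERTBOT:-certbot}
OPENSSL=${OPENSSL:-openssl}
CERT=${CERT:-/etc/letsencrypt/live/scs3.eu/fullchain.pem}
MIN_DAYS=${MIN_DAYS:-30}

# Stop Apache to free port 80, renew, then start Apache again in every case.
# Returns 0 on success, 1 if certbot failed, 2 if Apache could not be
# stopped or started.
renew_standalone() {
    "$SYSTEMCTL" stop apache2 || return 2
    rc=0
    "$CERTBOT" renew || rc=1
    "$SYSTEMCTL" start apache2 || return 2
    return "$rc"
}

# Succeeds only if the certificate on disk is still valid MIN_DAYS from now.
# "openssl x509 -checkend N" exits non-zero when the cert expires within N s.
cert_is_fresh() {
    "$OPENSSL" x509 -in "$CERT" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null
}

# Run the whole procedure only when invoked as: sudo sh renew.sh run
if [ "${1:-}" = "run" ]; then
    renew_standalone || { echo "renewal failed, see /var/log/letsencrypt/letsencrypt.log" >&2; exit 1; }
    cert_is_fresh || { echo "certificate expires within $MIN_DAYS days" >&2; exit 1; }
    "$OPENSSL" x509 -in "$CERT" -noout -enddate   # print the new notAfter date
fi
```

For unattended renewals, `certbot renew` also accepts `--pre-hook` and `--post-hook`, which can carry the same stop and start commands.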



© Copyright scs3.eu. All rights reserved. Designed and developed by fibonachi@abv.bg 2021 - 2025.