Articles tagged linux

Installing Certbot on Debian to obtain an SSL certificate

Install snapd

# install snapd
apt-get update
apt-get install snapd

# install the snapd core
snap install core
snap refresh core

Install certbot via snapd

snap install --classic certbot

# symlink so certbot is on the default PATH
ln -s /snap/bin/certbot /usr/bin/certbot

If the download cannot complete, you may need to go through a proxy; configure one for snap:

sudo snap set system proxy.http=http://127.0.0.1:1081
sudo snap set system proxy.https=http://127.0.0.1:1081

Obtain the SSL certificate

Run certbot certonly

certbot certonly -d "*.youdomain.com" --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory
root@docker00:/usr/bin# certbot certonly -d "*.youdomain.com" --manual --preferred-challenges dns-01  --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): xxx@xxx.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for *.youdomain.com
Performing the following challenges:
dns-01 challenge for youdomain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.youdomain.com with the following value:

<your_dns_txt_value>

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/youdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/youdomain.com/privkey.pem
   Your certificate will expire on 2021-07-01. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Upgrading Debian jessie to buster

Note: do not skip releases; upgrade one release at a time.

Back up your data

Make a backup before upgrading, in case services stop working or data cannot be read afterwards:

  1. Application code
  2. Database files
  3. Configuration files, e.g. Nginx, MySQL, PHP
  4. Users added to the system, SSH keys, etc.

Note: the operations below are best run as root.

Update the current system

apt-get update
apt-get upgrade
apt-get dist-upgrade

# after updating, a reboot is recommended
reboot

Upgrade to stretch

Replace the package sources

# back up the sources list
cp /etc/apt/sources.list /etc/apt/sources.list_bak

# replace jessie with stretch
sed -i 's/jessie/stretch/g' /etc/apt/sources.list


I. System installation

1. Regenerate the SSH host keys

Reference: How To: Ubuntu / Debian Linux Regenerate OpenSSH Host Keys

# remove the old host keys
/bin/rm -v /etc/ssh/ssh_host_*
# regenerate the keys
dpkg-reconfigure openssh-server
# restart ssh
/etc/init.d/ssh restart

On each client that needs to reach the server, drop the stored host key fingerprint so the new one is learned on the next connection:

ssh-keygen -R <your_server_host>

2. Update the package manager and upgrade packages (apt-get update, apt-get upgrade)

Set the apt sources

In my testing the USTC (University of Science and Technology of China) mirror performed best, so change the sources configured in sources.list:

vim /etc/apt/sources.list
deb http://mirrors.ustc.edu.cn/debian/ stretch main
deb-src http://mirrors.ustc.edu.cn/debian/ stretch main

deb http://mirrors.ustc.edu.cn/debian-security stretch/updates main contrib non-free
deb-src http://mirrors.ustc.edu.cn/debian-security stretch/updates main contrib non-free

deb http://mirrors.ustc.edu.cn/debian/ stretch-updates main contrib non-free
deb-src http://mirrors.ustc.edu.cn/debian/ stretch-updates main contrib non-free

Refresh the package database from the sources

  1. apt-get update fails with: TypeError: 'NoneType' object is not callable

Fix (references: Python 3.5 issues during apt-get update/upgrade; openmediavault: upgrading omv3 to omv4):
open /usr/lib/python3.5/weakref.py and, on line 109, change
def remove(wr, selfref=ref(self)):
to:

def remove(wr, selfref=ref(self), _atomic_removal=_remove_dead_weakref):

and, on line 117, change
_remove_dead_weakref(d, wr.key)
to:

_atomic_removal(d, wr.key)

  2. apt-get update fails with: Certificate verification failed: The certificate is NOT trusted. The certificate chain uses not yet valid certificate. Could not handshake: Error in the certificate verification.

This is most likely caused by the server's local clock being wrong, which makes certificate verification fail. Check the server time:

root@aml:~# date
# actual time at the moment of this operation: 2021-03-22 09:58
Tue 26 Nov 2019 08:47:23 AM UTC

# correct the server time
# set the time zone
timedatectl set-timezone "Asia/Shanghai"
# set the time
date -s "2021-03-22 09:58:00"

Once done, these run normally:

apt-get update
apt-get upgrade

3. Install common software

  • Install aptitude, an extended front end for apt-get

    apt-get install aptitude
  • Install vim as an editor in place of nano/vi

    aptitude install vim

4. Set the locale and time zone and synchronise the time

# set the locale
dpkg-reconfigure locales
# set the time zone
dpkg-reconfigure tzdata

If possible, synchronise the clock with an NTP server:

apt-get install ntpdate
ntpdate ntp1.aliyun.com

5. Set bash environment variables

vim ~/.bashrc

Add your settings, then apply them with: source /root/.bashrc

6. Set up the vim configuration

  • Create the vim configuration file: touch ~/.vimrc
  • Set its contents:

    syntax on
    set fencs=utf-8,gbk
    set shiftwidth=4
    set softtabstop=4
    set tabstop=4
    set number

7. Add a user

# add the user
useradd -d /home/{username} -m -s /bin/bash -U {username}
# set the new user's password
passwd {username}

The user is now created, but the ssh configuration file sshd_config may restrict ssh logins to specific groups, for example AllowGroups root ssh, which allows only members of the root or ssh groups to log in. Add the new user to a group that is allowed to log in:

usermod -a -G ssh {username}

8. Configure ssh

ssh listens on port 22 by default; for safety it is strongly recommended to move it to another port and to disallow direct root login over ssh.

vim /etc/ssh/sshd_config
# change the port
Port xxxxx
# disallow direct root login
PermitRootLogin no
# allow only the root and ssh groups
AllowGroups root ssh
# restart the ssh service
/etc/init.d/ssh restart
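To confirm that an edited sshd_config actually carries the three settings above, here is an added example (not from the original post) that audits a config file for Port, PermitRootLogin and AllowGroups the way sshd reads it, where the first occurrence of a keyword wins; the two sample files it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for Port, PermitRootLogin and AllowGroups.
# sshd applies the FIRST occurrence of a keyword and ignores later duplicates.
# Assumes the "Keyword value" form and only the global section before any Match.

# sshd_get FILE KEYWORD -> first effective value of KEYWORD (empty if unset)
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2   { next }   # comment or blank line
        tolower($1) == "match" { exit }   # global section ends here
        tolower($1) == key     { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE -> prints one finding per line, returns the finding count
audit_sshd_config() {
    f=$1; n=0
    port=$(sshd_get "$f" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "Port: still the default 22"; n=$((n + 1))
    fi
    prl=$(sshd_get "$f" PermitRootLogin)
    if [ "$prl" != "no" ]; then
        echo "PermitRootLogin: '${prl:-unset}' (expected 'no')"; n=$((n + 1))
    fi
    if [ -z "$(sshd_get "$f" AllowGroups)" ]; then
        echo "AllowGroups: unset, so every local account may log in over ssh"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample files so the script runs stand-alone; not real server configs.
tmp=$(mktemp -d)
cat > "$tmp/weak" <<'EOF'
#Port 22
PermitRootLogin yes
# the line above wins: sshd ignores this later duplicate
PermitRootLogin no
EOF
cat > "$tmp/hardened" <<'EOF'
Port 2222
PermitRootLogin no
AllowGroups root ssh
EOF
for cfg in weak hardened; do
    c=0; audit_sshd_config "$tmp/$cfg" || c=$?
    echo "$cfg: $c finding(s)"
done
rm -rf "$tmp"
```

On a live host, sshd -T prints the effective configuration and is the authoritative check; this script is for reviewing a copied file offline.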

9. Add a swap file (optional)

  • Create the swap file (for 512M: 1024*512 = 524288; for 1G: 1024*1024 = 1048576; for 2G: 1024*1024*2 = 2097152)

    dd if=/dev/zero of=/swapfile bs=1024 count=1048576
  • Set the swap file's owner and permissions

    chown root:root /swapfile
    # 0600: a world-readable swap file exposes memory contents; mkswap warns about anything looser
    chmod 600 /swapfile
  • Turn the file into swap space and activate it

    mkswap /swapfile
    swapon /swapfile
  • Mount the swap file automatically at boot

    vim /etc/fstab
    # add on a new line
    /swapfile swap swap defaults 0 0
  • Swap file priority (swappiness)

    # check your system's swappiness (default: 60)
    cat /proc/sys/vm/swappiness
    
    # change swappiness temporarily
    sysctl vm.swappiness=90
    
    # change swappiness permanently (if the key is missing from the file, append it at the end)
    vim /etc/sysctl.conf
    vm.swappiness = 90
    
    # apply the setting
    sysctl -p

10. Install omv-extras

Reference: omv-extras Guides
Both a deb package and a command-line install are supported; the command line is used here:

wget -O - http://omv-extras.org/install | bash

II. Installing software

1. Install MySQL 5.6

References: MySQL :: A Quick Guide to Using the MySQL APT Repository; How To Install MySQL on Debian 9 (Stretch)

  • Add the MySQL APT repository

    cd /tmp
    wget https://repo.mysql.com//mysql-apt-config_0.8.13-1_all.deb
    dpkg -i mysql-apt-config_0.8.13-1_all.deb
  • Install MySQL

    apt-get update
    aptitude install mysql-server
  • MySQL Secure Installation

    # restart the MySQL service
    systemctl restart mysql
    
    # run the hardening script
    mysql_secure_installation

An LNMP stack is Linux + Nginx + MySQL + PHP

Preparation

Update the system

apt-get update
apt-get dist-upgrade

Note: these steps target Debian, Ubuntu and similar Linux distributions. Packages are installed with aptitude (apt-get can be substituted, but aptitude is recommended: it builds on apt-get with optimisations and extensions and is easier to use).
