certbot生成证书及nginx中的使用


1. Install the certbot tool

yum install -y epel-release
yum install -y certbot

2. Request a wildcard certificate

1) Start the certificate request

Run the following command to start the request and follow the prompts:

certbot certonly --manual --preferred-challenges dns -d *.demo.com -d demo.com

When you see a prompt like the following, move on to the next step and add the TXT record:

Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc

Once this is deployed,
Press ENTER to continue

If you get the message
The currently selected ACME CA endpoint does not support issuing wildcard certificates.
you can specify the ACME v2 endpoint with
--server https://acme-v02.api.letsencrypt.org/directory
that is:
certbot certonly --manual --preferred-challenges dns -d *.imlhx.com -d imlhx.com --server https://acme-v02.api.letsencrypt.org/directory

2) Add the DNS record

Following the prompt above, add a TXT record named _acme-challenge.demo.com with 667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc as its value.
Note that DNS records do not take effect immediately, so wait a while before pressing Enter. You can verify that the record has propagated with dig +short -t txt _acme-challenge.example.com.
If the dig command is not available, install it with yum -y install bind-utils.

3) Press Enter

Once you have confirmed that the DNS record is live, press Enter and you will get a message saying the certificate was issued (similar to the following):

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-03-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3. Where the certificate is stored

/etc/letsencrypt/live/demo.com/

4. Check the certificate's validity period

openssl x509 -noout -dates -in /etc/letsencrypt/live/demo.com/cert.pem

5. Set up a scheduled task to renew the certificate automatically

Let's Encrypt certificates are valid for 90 days, so the certificate has to be renewed with the certbot renew command; the simplest way is to run it from a cron job. Note that a certificate obtained with --manual can only be renewed non-interactively if a --manual-auth-hook script that publishes the TXT record is configured; otherwise certbot renew will fail for that certificate.

# crontab entry: renew the certificate at 05:00 on the 1st of every month and restart the docker container

00 05 01 * * sudo /usr/bin/certbot renew --quiet && sudo docker restart nginx
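The two manual checks in this post (waiting for the _acme-challenge TXT record in step 2 and reading the expiry date in step 4) can be automated. The following helper is an added example, not code from the original post: it parses the output of dig +short -t txt and openssl x509 -noout -dates, and check_live() assumes both binaries are in PATH; the domain, token and certificate path are taken from the post's own examples.

```python
"""Pre-flight checks for the certbot DNS workflow (added example, not from the post)."""
import shlex
import subprocess
from datetime import datetime, timezone
from typing import Optional, Tuple


def txt_record_matches(dig_output: str, expected: str) -> bool:
    """True if any TXT record printed by `dig +short -t txt` equals the expected token.

    dig prints each record as a quoted string; a record longer than 255 bytes is
    printed as several quoted chunks on one line, so the chunks are joined first.
    """
    for line in dig_output.splitlines():
        if not line.strip():
            continue
        value = "".join(shlex.split(line))  # strips the quotes and joins chunks
        if value == expected:
            return True
    return False


def days_until_expiry(openssl_dates: str, now: Optional[datetime] = None) -> int:
    """Parse the notAfter line of `openssl x509 -noout -dates` and return whole days left."""
    now = now or datetime.now(timezone.utc)
    for line in openssl_dates.splitlines():
        if line.startswith("notAfter="):
            raw = line[len("notAfter="):].strip()  # e.g. "Mar 11 08:00:00 2020 GMT"
            not_after = datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z")
            return (not_after.replace(tzinfo=timezone.utc) - now).days
    raise ValueError("no notAfter line in openssl output")


def needs_renewal(openssl_dates: str, threshold_days: int = 30,
                  now: Optional[datetime] = None) -> bool:
    """certbot renew's default is to renew when fewer than 30 days remain; mirror it."""
    return days_until_expiry(openssl_dates, now) < threshold_days


def check_live(domain: str, token: str, cert_path: str) -> Tuple[bool, int]:
    """Run the real dig/openssl commands (assumed to be installed) for a live check."""
    dig = subprocess.run(["dig", "+short", "-t", "txt", f"_acme-challenge.{domain}"],
                         capture_output=True, text=True, check=True).stdout
    dates = subprocess.run(["openssl", "x509", "-noout", "-dates", "-in", cert_path],
                           capture_output=True, text=True, check=True).stdout
    return txt_record_matches(dig, token), days_until_expiry(dates)


if __name__ == "__main__":
    print(check_live("demo.com", "667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc",
                     "/etc/letsencrypt/live/demo.com/cert.pem"))
```

Running needs_renewal() in the cron job before certbot renew, and restarting nginx only when it returns True, avoids restarting the container every month when nothing changed.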

6. Mounting the certificates and configuring nginx

1) Mount the certificates into the container

The compose file below bind-mounts /etc/letsencrypt into the container so nginx can read the live certificate and key. The privileged: true setting is not needed for this (a bind mount is readable without it) and gives the container full access to the host's devices, so it is better left out.

version: '3.0'
services:
  nginx:
    restart: always
    image: nginx
    container_name: nginx
    privileged: true
    ports:
      - 443:443
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./conf.d:/etc/nginx/conf.d
      - ./logs:/etc/nginx/logs
      - /etc/letsencrypt:/etc/letsencrypt
    environment:
      - TZ=Asia/Shanghai

2) nginx configuration

The second server block below listens on port 80 to redirect HTTP to HTTPS, so the compose file above must also publish 80:80 under ports for that redirect to be reachable.

server {
    listen 443 ssl; # managed by Certbot
    server_name test2.demo.com;

    location / {
        proxy_pass http://111.111.111.111:9000/;
    }

    #error_page  404              /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }

    ssl_certificate /etc/letsencrypt/live/jiuzhang-cloud.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/jiuzhang-cloud.com/privkey.pem; # managed by Certbot
}

server {
    if ($host = test2.demo.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name test2.jiuzhang-cloud.com;
    rewrite ^/(.*) https://test2.jiuzhang-cloud.com/$1 permanent;    # redirect to HTTPS, keeping the request path
}