Generating certificates with certbot and using them in nginx
1. Install the certbot tool
yum install -y epel-release
yum install -y certbot
2. Apply for a wildcard certificate
1) Start the certificate request
Run the following command to start the request and follow the prompts:
certbot certonly --manual --preferred-challenges dns -d *.demo.com -d demo.com
When you see a prompt like the following, move on to the next step and add the TXT record:
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc
Once this is deployed,
Press ENTER to continue
If you see the message
The currently selected ACME CA endpoint does not support issuing wildcard certificates.
you can specify
--server https://acme-v02.api.letsencrypt.org/directory
that is:
certbot certonly --manual --preferred-challenges dns -d *.imlhx.com -d imlhx.com --server https://acme-v02.api.letsencrypt.org/directory
2) Add the DNS record
Following the prompt above, add a TXT record named _acme-challenge.demo.com with 667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc as its value.
Note that DNS records do not take effect immediately, so wait a while before pressing Enter. You can verify that the record has propagated with the command dig +short -t txt _acme-challenge.example.com.
If dig is not installed, install it with yum -y install bind-utils.
3) Press Enter
Once the DNS record is confirmed to be live, press Enter and you will receive a message saying the certificate was issued (similar to the following):
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2020-03-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
3. Where the certificate is stored
/etc/letsencrypt/live/demo.com/
4. Check the certificate validity period
openssl x509 -noout -dates -in /etc/letsencrypt/live/demo.com/cert.pem
5. Set up a cron job to renew the certificate automatically
Let's Encrypt certificates are valid for 90 days, so the certbot renew command must be run from a cron job to renew them; the renewal can also be scripted.
# Crontab entry: renew the certificates at 05:00 on the 1st of every month, then restart the docker container
# (certbot only renews a certificate with fewer than 30 days left, so a more frequent schedule leaves less room for a miss)
00 05 01 * * sudo /usr/bin/certbot renew --quiet && sudo docker restart nginx
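Added example (not from the original post): a Python script that performs the two manual checks from this tutorial offline, confirming that the TXT record from step 2 has propagated by parsing dig +short output, and computing the days left from openssl x509 -dates as in section 4 to decide whether certbot renew (section 5) would act yet. The certbot prompt, the openssl output and the clock value are constructed samples.

```python
import re
from datetime import datetime, timezone

# Constructed sample of certbot's --manual DNS-01 prompt (same shape as in the tutorial).
CERTBOT_PROMPT = """Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc
Once this is deployed,
Press ENTER to continue"""

# Constructed sample of `openssl x509 -noout -dates -in cert.pem` output, and a fixed clock.
OPENSSL_DATES = "notBefore=Dec 12 10:00:00 2019 GMT\nnotAfter=Mar 11 10:00:00 2020 GMT\n"
SAMPLE_NOW = datetime(2020, 2, 20, 10, 0, tzinfo=timezone.utc)


def parse_challenge(prompt):
    """Extract (record name, expected token) from the certbot prompt text."""
    m = re.search(r"under the name\s+(\S+)\s+with the following value:\s+(\S+)", prompt)
    if not m:
        raise ValueError("not a certbot DNS-01 challenge prompt")
    return m.group(1), m.group(2)


def txt_record_deployed(dig_output, expected):
    """Check `dig +short -t txt <name>` output for the expected token.
    dig prints one quoted record per line; a record longer than 255 bytes is
    shown as several quoted chunks, which are re-joined before comparing."""
    for line in dig_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks and "".join(chunks) == expected:
            return True
    return False


def days_until_expiry(openssl_dates, now):
    """Parse the notAfter line of the openssl output and return whole days left."""
    m = re.search(r"^notAfter=(.+)$", openssl_dates, re.MULTILINE)
    if not m:
        raise ValueError("no notAfter line in openssl output")
    text = " ".join(m.group(1).split())  # openssl pads single-digit days: 'Mar  1'
    not_after = datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return (not_after - now).days


def renewal_due(days_left, window=30):
    """certbot renew only acts when fewer than `window` days remain (default 30)."""
    return days_left < window


if __name__ == "__main__":
    name, token = parse_challenge(CERTBOT_PROMPT)
    print(f"poll with: dig +short -t txt {name}  (expect {token})")
    left = days_until_expiry(OPENSSL_DATES, SAMPLE_NOW)
    print(f"{left} days left; renewal due: {renewal_due(left)}")
```

Note that a certificate obtained with --manual and no --manual-auth-hook cannot be renewed non-interactively by certbot renew, so the cron entry above only works once a hook that publishes the TXT record is configured. Certbot also only renews with fewer than 30 days left, so a monthly check leaves a small chance of the certificate expiring between two runs; certbot's own guidance is to run renew daily or more often.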
6. Mounting and configuring nginx
1) Mount the certificates into the container
version: '3.0'
services:
  nginx:
    restart: always
    image: nginx
    container_name: nginx
    privileged: true
    ports:
      # port 80 must also be published for the HTTP-to-HTTPS redirect server block below to be reachable
      - 443:443
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./conf.d:/etc/nginx/conf.d
      - ./logs:/etc/nginx/logs
      # certbot renew on the host writes new files here; nginx only reads them, so a read-only mount (:ro) is enough
      - /etc/letsencrypt:/etc/letsencrypt
    environment:
      - TZ=Asia/Shanghai
2) nginx configuration
server {
    listen 443 ssl; # managed by Certbot
    server_name test2.demo.com;
    location / {
        proxy_pass http://111.111.111.111:9000/;
    }
    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
    # the certificate paths must belong to the domain this server block serves
    ssl_certificate /etc/letsencrypt/live/jiuzhang-cloud.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/jiuzhang-cloud.com/privkey.pem; # managed by Certbot
}
server {
    if ($host = test2.demo.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name test2.jiuzhang-cloud.com;
    rewrite ^/(.*) https://test2.jiuzhang-cloud.com/$1 permanent; # redirect to HTTPS, keeping the request path
}