centos7 nginx用certbot申请泛域名https证书

2022-04-04 01:42:04

一、安装certbob

官网地址 https://certbot.eff.org/ ，安装方法参考官方推荐步骤
官方推荐通过snap来安装，https://snapcraft.io/docs/installing-snap-on-centos

二、安装nginx+ssl

https://www.cnblogs.com/nickchou/p/12678354.html

三、手动申请证书

因官方对国内dns的插件很少，故这里使用手动验证dns（修改域名example.com）

certbot certonly --preferred-challenges dns --manual  -d *.example.com --server https://acme-v02.api.letsencrypt.org/directory

参数说明：

参数名	居中对齐
certonly	意思是只安装证书，手动配置nginx，也可以不加certonly按照步骤提示一步一步进行
--nginx-server-root	是指定nginx conf目录，不配置默认在/etc/nginx/nginx.conf去找
-d	指定域名，也可以填多个
--preferred-challenges dns	需要添加dns验证
--manual	手动dns验证
--server	指定最新的Let‘s Encrypt的v2 API

执行命令后需要Y确认一遍

手动添加一条TXT的DNS记录

添加完成后按按回车键继续，注意看下证书的存放路径，默认在 /etc/letsencrypt/live

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2021-11-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

四、配置nginx的证书

    server {
        listen       80;
        server_name  www.domain.com;
        return       301 https://$server_name$request_uri; # http重定向到https
    }
    server {
        listen       443 ssl;
        server_name  www.domain.com;
        # 这里的证书填刚刚生成的路径
        ssl_certificate   /etc/letsencrypt/live/www.domain.com/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/www.domain.com/privkey.pem;
        # 这里加载默认的ssl配置
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        location / {
            root /data/website/h5;    # 配置静态目录
            index index.html;         # 配置默认首页
        }
        location /api {
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-Ip $remote_addr;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass http://127.0.0.1:9101;
            proxy_redirect off;
        }
    }

五、证书更新

测试自动更新

certbot renew --dry-run

如果是手动DNS的话是无法自动更新的
如果是二级域名不需要DNS解析可以直接手动更新

certbot renew -v

六、查看证书过期时间

certbot certificates