1. Install certbot
Official site: https://certbot.eff.org/ ; follow the installation steps recommended there.
The official recommendation is to install it via snap: https://snapcraft.io/docs/installing-snap-on-centos
2. Install nginx with SSL support
https://www.cnblogs.com/nickchou/p/12678354.html
3. Request the certificate manually
Because there are very few official certbot plugins for domestic (Chinese) DNS providers, manual DNS validation is used here (replace example.com with your own domain):

```bash
certbot certonly --preferred-challenges dns --manual -d *.example.com --server https://acme-v02.api.letsencrypt.org/directory
```

Parameter description:
Parameter | Description |
---|---|
certonly | Only obtain the certificate; nginx is configured by hand. You can also omit certonly and follow the interactive prompts step by step |
--nginx-server-root | Specifies the nginx conf directory; if not set, certbot looks in /etc/nginx/nginx.conf by default |
-d | The domain to issue for; several may be given |
--preferred-challenges dns | Use DNS validation |
--manual | Perform the DNS validation manually |
--server | Use the latest Let's Encrypt v2 (ACME v2) API |
After running the command you must confirm once with Y.
Then manually add the TXT DNS record certbot asks for.
Once it is added, press Enter to continue. Note the path where the certificate is stored; by default it is under /etc/letsencrypt/live:
```
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2021-11-16. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
```
4. Configure the certificate in nginx

```nginx
server {
    listen 80;
    server_name www.domain.com;
    return 301 https://$server_name$request_uri; # redirect http to https
}
server {
    listen 443 ssl;
    server_name www.domain.com;
    # use the certificate paths certbot just generated
    ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
    # load certbot's default ssl settings
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        root /data/website/h5; # static file directory
        index index.html;      # default index page
    }
    location /api {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:9101;
        proxy_redirect off;
    }
}
```
5. Certificate renewal
Test automatic renewal:

```bash
certbot renew --dry-run
```

With manual DNS validation, automatic renewal is not possible.
If it is a subdomain certificate that does not need DNS validation, you can renew it manually right away:

```bash
certbot renew -v
```
6. Check the certificate expiry date

```bash
certbot certificates
```
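Two small checks that go with the manual flow above, as an added example (not code from the original post or from certbot): confirming that the _acme-challenge TXT record is actually visible before pressing Enter in step 3, and computing how many days are left on the issued certificate against certbot's 30-day renewal window, since a manually validated wildcard certificate will not renew itself (section 5). It assumes `dig` and `openssl` are on PATH and that the domain and token given on the command line are yours.

```python
#!/usr/bin/env python3
"""Pre-flight checks for a manual DNS-01 certificate (added example)."""
import subprocess
import sys
from datetime import datetime, timezone
from typing import Optional

RENEW_WINDOW_DAYS = 30  # `certbot renew` only acts inside this window


def parse_not_after(openssl_line: str) -> datetime:
    """Parse 'notAfter=Nov 16 00:00:00 2021 GMT' as printed by `openssl x509 -enddate`."""
    value = openssl_line.strip().split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_left(openssl_line: str, now_utc: Optional[str] = None) -> int:
    """Whole days until expiry; now_utc is 'YYYY-MM-DD HH:MM:SS' in UTC, or None for now."""
    now = (datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
           if now_utc else datetime.now(timezone.utc))
    return (parse_not_after(openssl_line) - now).days


def needs_renewal(openssl_line: str, now_utc: Optional[str] = None) -> bool:
    """True once the certificate is inside certbot's default renewal window."""
    return days_left(openssl_line, now_utc) <= RENEW_WINDOW_DAYS


def txt_serves_token(dig_output: str, token: str) -> bool:
    """True if one of the TXT strings from `dig +short TXT` equals the token certbot
    printed (quotes and surrounding whitespace stripped; an exact match is required)."""
    records = [ln.strip().strip('"') for ln in dig_output.splitlines() if ln.strip()]
    return token in records


def run(cmd: list) -> str:
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    domain, token = sys.argv[1], sys.argv[2]  # e.g. example.com and the token certbot showed
    name = f"_acme-challenge.{domain}"
    print(f"{name} serves the token: {txt_serves_token(run(['dig', '+short', 'TXT', name]), token)}")
    pem = f"/etc/letsencrypt/live/{domain}/fullchain.pem"  # the path certbot prints on success
    try:
        line = run(["openssl", "x509", "-noout", "-enddate", "-in", pem])
        print(f"{pem}: {days_left(line)} days left, renew now: {needs_renewal(line)}")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print(f"{pem} is not readable yet (no certificate issued, or not running as root)")
```

Public resolvers may cache an older TXT value for a while, so a negative result right after editing DNS usually means "wait", not "wrong record".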