SSL certificate solution (wildcard domains): automatic configuration and manual configuration

小豆丁 · 1 year ago · 272 views

1. certbot links

(1) Official certbot website: https://certbot.eff.org

(2) Choose the CentOS tutorial: https://certbot.eff.org/lets-encrypt/centosrhel7-nginx

2. Install certbot:

# Add the EPEL repository
sudo yum -y install epel-release

# Install Certbot
sudo yum -y install python2-certbot-nginx

3. Generate the certificate:

Choose the certificate generation mode according to how Nginx was installed (this article uses automatic mode).

(1) Automatic mode (nginx installed from the default package; certbot edits the nginx configuration for you)

# Asks for an email address (recommended: it is used for certificate expiry reminders)

#sudo certbot --nginx

# Without an email address (more convenient)

sudo certbot --nginx --register-unsafely-without-email

(2) Manual mode (nginx not installed from the default package; you edit the nginx configuration yourself):

# sudo certbot --nginx certonly

#sudo certbot --nginx --register-unsafely-without-email certonly

(3) Problems during certificate generation:

Error 1 (nginx not found):

Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.

The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.",)

nginx is not on the PATH, so create symlinks for nginx:

# Make the nginx binary visible on the PATH
ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

# Make the configuration visible where certbot's nginx plugin looks for it (/etc/nginx)
ln -s /usr/local/nginx/conf/ /etc/nginx

# Certbot manual mode
sudo certbot --nginx --register-unsafely-without-email certonly

Error 2:

Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.

The error was: PluginError('Nginx build is missing SSL module (--with-http_ssl_module).',)

nginx -V shows that the configure arguments do not include the SSL module; rebuild nginx in its source directory.

# Inspect the current build: the "configure arguments" line must contain --with-http_ssl_module
nginx -V

# Re-run configure with the SSL module (keep any other configure arguments reported by nginx -V)
cd /apps/svr/nginx && ./configure --with-http_ssl_module

make && make install

# Check again
nginx -V

# Certbot manual mode
sudo certbot --nginx --register-unsafely-without-email certonly

(4) During certificate generation certbot automatically detects the domain names configured in nginx.conf; if no domain is configured, you have to enter it by hand:

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel):

(5) The generated certificates are stored under /etc/letsencrypt/live/*

4. Configure the certificate in nginx (contents of nginx.conf)

(1) Reference configuration:

server {
    listen       80;
    listen       [::]:80;
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  example.com;
    return 301   https://www.example.com$request_uri;
    ssl_certificate      /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;
    include              /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam          /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    listen       80;
    listen       [::]:80;
    server_name  www.example.com;
    return 301   https://www.example.com$request_uri;
}

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  www.example.com;
    root         /var/www/www.example.com;
    index        index.html index.htm;
    ssl_certificate      /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;
    include              /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam          /etc/letsencrypt/ssl-dhparams.pem;
}

(2) Reload the configuration: nginx -s reload

5. Renew the certificate

(1) Main command: certbot renew

(2) Test automatic renewal (dry run): sudo certbot renew --dry-run

(3) Scheduled renewal: renew at midnight on the 1st, 11th and 21st of each month (the random sleep spreads the load on the CA)

echo "0 0 1,11,21 * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew && nginx -s reload" | sudo tee -a /etc/crontab > /dev/null

(4) View the renewal logs: ls /var/log/letsencrypt/

6. Check the certificate expiry date

certbot certificates

7. Notes

(1) Manual configuration command (wildcard certificate):

certbot -d ugoodu.cn -d *.ugoodu.cn --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly
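Sections 3(4) and 7(1) together explain which names certbot can take from nginx.conf and which need the manual DNS-01 command. The following added example (written for this post, not certbot's own code) reproduces that decision on a constructed nginx.conf: it collects the server_name entries with comments stripped, expands nginx's ".example.com" shorthand, separates plain hostnames (found by certbot --nginx) from wildcards (DNS-01 only) and catch-all or regex names (not issuable), and builds the section 7 command for the wildcards. The domain names and the hostname pattern are assumptions for illustration.

```python
import re

# Constructed sample nginx.conf modelled on this post's reference configuration.
# The name in the trailing comment must be ignored.
SAMPLE_CONF = """
server {
    listen 80;
    server_name example.com www.example.com;  # server_name www.ignored.com;
    return 301 https://www.example.com$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.example.com .ugoodu.cn _ ~^api\\d+\\.example\\.com$;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
}
"""

# Plain or wildcard hostname (assumed pattern; catch-all "_" and "~" regexes fail it)
HOSTNAME = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)


def server_names(conf: str) -> list:
    """Every server_name operand, comments stripped, first-seen order, no duplicates."""
    text = re.sub(r"#[^\n]*", "", conf)
    seen = []
    for m in re.finditer(r"\bserver_name\s+([^;]+);", text):
        for name in m.group(1).split():
            # nginx ".example.com" means example.com plus *.example.com
            expanded = [name[1:], "*" + name] if name.startswith(".") else [name]
            for n in expanded:
                if n not in seen:
                    seen.append(n)
    return seen


def classify(names: list) -> dict:
    """Group names by the certbot mode this post uses for them."""
    out = {"nginx_plugin": [], "dns01": [], "skipped": []}
    for n in names:
        if not HOSTNAME.match(n):
            out["skipped"].append(n)       # "_" catch-all, regex names: not issuable
        elif n.startswith("*."):
            out["dns01"].append(n)         # wildcard: manual DNS-01 (section 7)
        else:
            out["nginx_plugin"].append(n)  # plain hostname: `certbot --nginx` finds it
    return out


def manual_command(wildcards: list) -> str:
    """Build the section 7 DNS-01 command covering each wildcard and its apex name."""
    flags = " ".join("-d %s -d %s" % (w[2:], w) for w in wildcards)
    return ("certbot " + flags + " --manual --preferred-challenges dns-01 "
            "--server https://acme-v02.api.letsencrypt.org/directory certonly")
```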

(2) Remember the security group: port 443 must be opened in the security group before HTTPS can be used.

(3) Automatic renewal command for the manual configuration:


8. Recommended references (verified):

(1) https://www.xcwmoon.com/post/47

(2) https://www.cnblogs.com/trblog/p/14690908.html

