[Linux] Using certbot to generate a free certificate for a domain (nginx edition)



1. Download certbot-auto, the Let's Encrypt tool used to generate free certificates:

cd /data/soft
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

2. Edit the configuration file for the domain and add the following:

server {
    listen 80;
    server_name test.com;
    ...
    location ~ /.well-known {
        root /data/soft;
        allow all;
    }
    ...
}

The root /data/soft directory configured above should preferably not be the same as the directory used by any other location block, and make sure every directory referenced actually exists. If the directories overlap you may run into the following error:

Failed authorization procedure. test.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.fr/.well-known/acme-challenge/Xefe-sxGfexdcdezDEUJZRfexjfeeloekcdsesx [2001:1600:4:1::b]: 404
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: test.com
Type: unauthorized
Detail: Invalid response from
http://mydomain.fr/.well-known/acme-challenge/Xefe-sxGfexdcdezDEUJZRfexjfeeloekcdsesx
[2001:1600:4:1::b]: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

If port 80 on the server is blocked, you will see an error like this:

http://demo.broker.masterdax.com/.well-known/acme-challenge/pIV-Rh1355xsh8xJFHhB0llri6HS8S2yOSYRE9N5D5I:
Timeout during connect (likely firewall problem)
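A pre-flight check for the webroot mapping, added here as an example rather than taken from the original post: it drops a throwaway token into the same /data/soft/.well-known/acme-challenge/ path certbot will use, fetches it over plain HTTP the way the ACME server would, and reports the two failure modes shown above (a 404 because the location's root is wrong or missing, or a connect timeout because port 80 is blocked). The script name, the token format and the WEBROOT variable are this example's own choices; the domain comes from the first argument.

```shell
#!/bin/bash
# preflight.sh - check the http-01 webroot mapping before running certbot.
# Added example, not part of the original post. Assumes the nginx
# "location ~ /.well-known { root /data/soft; }" block from step 2 and that
# DNS for the domain already points at this server.
WEBROOT="${WEBROOT:-/data/soft}"

# Path on disk where "certbot --webroot -w $WEBROOT" writes a challenge token.
challenge_file() {  # $1 = webroot, $2 = token
    printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# URL the ACME server fetches for that token (always plain HTTP on port 80).
challenge_url() {  # $1 = domain, $2 = token
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Compare what we wrote with what the server actually returned.
# Returns 0 on match, 1 on mismatch (a 404 page, a different root, a redirect body...).
bodies_match() {  # $1 = expected body, $2 = fetched body
    [ "$1" = "$2" ]
}

preflight() {  # $1 = domain
    local domain="$1" token body_expected body_got path url
    token="preflight-$(date +%s)-$$"
    body_expected="ok-$token"
    path="$(challenge_file "$WEBROOT" "$token")"
    url="$(challenge_url "$domain" "$token")"
    mkdir -p "$(dirname "$path")" || { echo "FAIL: cannot create $(dirname "$path")"; return 3; }
    printf '%s' "$body_expected" > "$path" || { echo "FAIL: cannot write $path"; return 3; }
    # -L is deliberately omitted: a redirect to https here usually means the
    # port-80 server block is not the one serving /.well-known.
    if ! body_got="$(curl -sS --max-time 10 "$url")"; then
        rm -f "$path"
        echo "FAIL: $url unreachable (firewall / port 80 closed?)"
        return 2
    fi
    rm -f "$path"
    if bodies_match "$body_expected" "$body_got"; then
        echo "OK: $url served the token from $path"
    else
        echo "FAIL: $url returned something else (check the location's root and that $WEBROOT exists)"
        return 1
    fi
}

# Usage: ./preflight.sh test.com
if [ -n "${1:-}" ]; then
    preflight "$1"
fi
```

Run it once before the certbot command in step 3; an OK here means the 404 in the error above cannot come from the nginx side, and a timeout here is the same firewall problem certbot would report.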

3. Run the command that generates the certificate:

/data/soft/certbot-auto certonly --email 123456@qq.com --agree-tos --webroot -w /data/soft/ -d test.com --dry-run

The first time you try, it is best to add the --dry-run flag: Let's Encrypt caps the number of certificate requests per day (failed attempts included), so debug with --dry-run first and only issue the real certificate once that passes without errors:

/data/soft/certbot-auto certonly --email 123456@qq.com --agree-tos --webroot -w /data/soft/ -d test.com

4. List the generated certificates:

/data/soft/certbot-auto certificates

5. Edit the nginx configuration, add the HTTPS-related settings, and add a redirect from HTTP to HTTPS:

server {
    listen 80;
    server_name test.com;
    rewrite ^(.*)$ https://$server_name$1 permanent;
    ...
    location ~ /.well-known {
        root /data/soft;
        allow all;
    }
    ...
}

server {
    listen 443 ssl;
    server_name test.com;
    ....
    ssl_certificate ssl/fullchain.pem;
    ssl_certificate_key ssl/privkey.pem;
    ...
}

6. Symlink the generated certificate files to the paths given in the nginx configuration:

ln -s /etc/letsencrypt/live/test.com/fullchain.pem /usr/local/openresty/nginx/conf/ssl/fullchain.pem
ln -s /etc/letsencrypt/live/test.com/privkey.pem /usr/local/openresty/nginx/conf/ssl/privkey.pem

7. Because certificates issued by Let's Encrypt are valid for 90 days, add a cron job so the certificate is renewed automatically:

cat /data/soft/cron-cerbot.sh

#!/bin/bash
/data/soft/certbot-auto renew

Make the script executable:

chmod a+x /data/soft/cron-cerbot.sh

Add it to crontab so that it runs at midnight every Sunday:
crontab -l

0 0 * * 0 /data/soft/cron-cerbot.sh
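The symlinks from step 6 and the cron renewal from step 7 leave one gap: certbot renew writes new files under /etc/letsencrypt/live, but the running nginx keeps serving the old certificate from memory until it is reloaded. The script below is an added example (not the post's cron-cerbot.sh) that can be handed to certbot renew through its --deploy-hook option: it checks that the conf/ssl symlinks resolve and point into the lineage that was just renewed, that the private key matches the certificate, and that nginx -t passes, and only then reloads nginx. It assumes the symlink layout from step 6, nginx on PATH, and the RENEWED_LINEAGE variable that certbot exports to deploy hooks; the SSL_DIR default and the script path are this example's own choices.

```shell
#!/bin/bash
# deploy-hook.sh - validate the renewed certificate, then reload nginx.
# Added example, not the post's cron-cerbot.sh. Assumed: the symlink layout from
# step 6 (conf/ssl/*.pem -> /etc/letsencrypt/live/<domain>/*.pem), nginx on PATH,
# and certbot's RENEWED_LINEAGE variable, which it exports to --deploy-hook scripts.
# Install with:  /data/soft/certbot-auto renew --deploy-hook /data/soft/deploy-hook.sh
SSL_DIR="${SSL_DIR:-/usr/local/openresty/nginx/conf/ssl}"

# A symlink whose target is missing is the usual cause of "cannot load certificate"
# at reload time, so test the target, not only the link itself.
link_ok() {  # $1 = symlink path
    [ -L "$1" ] && [ -e "$1" ]
}

# Does the symlink point into the lineage that was just renewed? Relinking to the
# wrong domain directory would silently serve the wrong certificate.
link_into() {  # $1 = symlink, $2 = expected lineage directory
    local target
    target="$(readlink "$1")" || return 1
    case "$target" in
        "${2%/}"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Private key and certificate must be a pair; compare their public keys. A mismatch
# happens when fullchain.pem is relinked after a reissue but privkey.pem is not.
keypair_match() {  # $1 = cert, $2 = key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The renewed certificate must still be valid for at least $2 days.
valid_for_days() {  # $1 = cert, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

deploy() {  # $1 = renewed lineage directory, e.g. /etc/letsencrypt/live/test.com
    local lineage="$1" cert="$SSL_DIR/fullchain.pem" key="$SSL_DIR/privkey.pem" f
    for f in "$cert" "$key"; do
        link_ok "$f" || { echo "ABORT: $f is not a symlink to an existing file" >&2; return 1; }
        link_into "$f" "$lineage" || { echo "ABORT: $f does not point into $lineage" >&2; return 1; }
    done
    keypair_match "$cert" "$key" || { echo "ABORT: private key does not match certificate" >&2; return 1; }
    valid_for_days "$cert" 30 || { echo "ABORT: renewed certificate expires within 30 days" >&2; return 1; }
    nginx -t || { echo "ABORT: nginx -t failed, old certificate stays loaded" >&2; return 1; }
    nginx -s reload && echo "reloaded nginx with the $(basename "$lineage") certificate"
}

# certbot sets RENEWED_LINEAGE only when a certificate was actually renewed,
# so the weekly no-op runs from cron never reach the reload.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

To wire it in, change the renew line in cron-cerbot.sh to /data/soft/certbot-auto renew --deploy-hook /data/soft/deploy-hook.sh. Every ABORT leaves the old certificate in place, which is the safer failure: an expired certificate is visible in the browser, a reload with a mismatched key pair takes the site down.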

© 2020 zeven0707's blog