I have been dabbling in web stuff on and off for about a year now, and some of the TrustAsia certificates I got through Tencent Cloud have started expiring one after another, which had me a bit panicked.. So I started trying to get free Let's Encrypt certificates and set up automatic renewal|´・ω・)ノ


Prerequisites

  • Must be a CentOS 7 system; other systems are untested and not guaranteed to work
  • You have your own domain name
  • Confirm that DNS already points the domain name at the server
  • The firewall allows ports 80 and 443
  • nginx is already configured as the proxy and the domain can be reached over HTTP (make absolutely sure it is reachable)

Install certbot

Install certbot via yum

$ yum update #update the yum repositories
$ yum install -y epel-release #install the EPEL repository
$ yum install -y certbot #install certbot

Requesting a certificate for the first time

Requesting a certificate for a domain for the first time

The format is

$ certbot certonly --webroot -w [web site directory] -d [site domain name] -m [contact email address] --agree-tos

For example

$ certbot certonly --webroot -w /opt/www/demo.yourdomain.com -d demo.yourdomain.com -m yourname@gmail.com --agree-tos

Certificate location

The certificates are stored in the /etc/letsencrypt/live/demo.yourdomain.com/ directory.
There are 4 files in total; the ones you will probably need are fullchain.pem and privkey.pem.

Configure nginx

Add the following to the corresponding server{} block:

listen 443 ssl;

ssl_certificate /etc/letsencrypt/live/demo.yourdomain.com/fullchain.pem; #2
ssl_certificate_key /etc/letsencrypt/live/demo.yourdomain.com/privkey.pem; #3

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
error_page 404 = /404.php;

For example

server {
listen 443 ssl;
listen 80;

server_name demo.yourdomain.com; #1
root /opt/www/demo.yourdomain.com;
index index.html;
client_max_body_size 1000M;

ssl_certificate /etc/letsencrypt/live/demo.yourdomain.com/fullchain.pem; #2
ssl_certificate_key /etc/letsencrypt/live/demo.yourdomain.com/privkey.pem; #3

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
error_page 404 = /404.html;

}

After the configuration succeeds, run the following commands:

$ nginx -t #check the nginx config syntax
$ systemctl restart nginx #restart nginx

Configure automatic renewal

Edit the crontab rules (configuring crontab for the first time):

$ crontab -e

Type the following (renews the certificate and restarts nginx at 05:00 on the 1st of every month), then save and exit

00 05 01 * * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx

Restart crond

$ systemctl restart crond.service
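For the nginx reload step and the crontab renewal above, here is an added example of a certbot deploy hook that is not part of the original post. It assumes a hypothetical script path /usr/local/bin/reload-nginx.sh and log file /var/log/certbot-deploy.log, and uses certbot's --deploy-hook option so nginx is reloaded only when a certificate was actually renewed and only after nginx -t passes; it also warns when the config still enables TLSv1/TLSv1.1.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot deploy hook for the
# setup above. Assumed: installed as /usr/local/bin/reload-nginx.sh and wired
# in from cron (daily instead of monthly) as
#   00 05 * * * /usr/bin/certbot renew --quiet --deploy-hook /usr/local/bin/reload-nginx.sh
# certbot only renews a certificate with fewer than 30 days left, so the daily
# run is cheap, a failed attempt is retried the next day, and this hook (and
# the nginx reload) runs only when a certificate was actually renewed.

NGINX_CONF="${NGINX_CONF:-/etc/nginx/nginx.conf}"
NGINX_TEST="${NGINX_TEST:-nginx -t}"                  # overridable for offline testing
NGINX_RELOAD="${NGINX_RELOAD:-systemctl reload nginx}"
LOG="${LOG:-/var/log/certbot-deploy.log}"

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOG"; }

# Return 1 (logging the offending lines) if any ssl_protocols directive in $1
# still enables TLSv1 or TLSv1.1, which RFC 8996 deprecates; 0 when clean.
audit_tls_protocols() {
  bad=$(grep -nE '^[[:space:]]*ssl_protocols[[:space:]]' "$1" \
        | grep -E 'TLSv1(\.1)?[[:space:];]') || return 0
  log "WARNING: deprecated TLS versions enabled in $1: $bad"
  return 1
}

# Reload (not restart: no dropped connections) only if `nginx -t` passes;
# a broken config would otherwise take the site down. 0 on reload, 1 otherwise.
safe_reload() {
  if ! $NGINX_TEST >/dev/null 2>&1; then
    log "nginx -t failed; keeping the currently loaded config"
    return 1
  fi
  if $NGINX_RELOAD; then
    log "nginx reloaded"
  else
    log "nginx reload failed"
    return 1
  fi
}

# Entry point. certbot exports RENEWED_LINEAGE (the live/<name> directory)
# and RENEWED_DOMAINS to deploy hooks.
deploy_hook() {
  log "renewed ${RENEWED_DOMAINS:-?} in ${RENEWED_LINEAGE:-?}"
  audit_tls_protocols "$NGINX_CONF" || true   # warn only; still deploy the new cert
  safe_reload
}

# Run the hook only when executed as the installed script, not when sourced.
case "$0" in */reload-nginx.sh) deploy_hook ;; esac
```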

Reference link:
https://blog.csdn.net/sheng119/article/details/72956717
