Configuring automatic SSL certificate renewal for Nginx on CentOS 7
I've been tinkering with web hosting on and off for a year, and some of the TrustAsia certificates I got earlier through Tencent Cloud have started to expire one after another, which had me a little panicked. So I started applying for Let's Encrypt's free certificates and set up automatic renewal |´・ω・)ノ
Prerequisites
- The system must be CentOS 7; other systems have not been tested and are not guaranteed to work
- You have your own domain name
- DNS already points the domain name at the server
- The firewall allows ports 80 and 443
- The nginx proxy is already configured, and the domain name can be accessed over HTTP (make sure it really is reachable)
Install certbot
Install certbot via yum
$ yum update  # update the yum package sources
Requesting a certificate for the first time
Request a certificate for a domain for the first time
The format is:
$ certbot certonly --webroot -w [Web site directory] -d [domain name] -m [contact email address] --agree-tos
For example:
$ certbot certonly --webroot -w /opt/www/demo.yourdomain.com -d demo.yourdomain.com -m yourname@gmail.com --agree-tos
Certificate location
The certificate is stored in the /etc/letsencrypt/live/demo.yourdomain.com/ folder.
There are 4 files in total; the ones you will probably need are fullchain.pem and privkey.pem.
Configure nginx
Add the following to the corresponding server{} block:
listen 443 ssl;
For example:
server {
Once the configuration is in place, run the following commands:
$ nginx -t  # check the nginx conf syntax
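The configuration listing above survives only as its first line on this page. As an added example (not the original post's configuration), here is a pair of server blocks that use the fullchain.pem and privkey.pem files from the certificate directory; the static-site root, the index file and the ssl_protocols setting are assumptions.

```nginx
# Added example, not the original post's configuration.
# Taken from the certbot command on this page: domain demo.yourdomain.com,
# webroot /opt/www/demo.yourdomain.com. Everything else is an assumption.

# Port 80 stays open: certbot's webroot plugin writes the HTTP-01 challenge
# files under <webroot>/.well-known/acme-challenge/, both when the
# certificate is first issued and on every renewal.
server {
    listen 80;
    server_name demo.yourdomain.com;

    location /.well-known/acme-challenge/ {
        root /opt/www/demo.yourdomain.com;
    }

    # All other plain-HTTP requests are redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name demo.yourdomain.com;

    # fullchain.pem = server certificate plus intermediates,
    # privkey.pem   = the matching private key.
    # The files in live/ are symlinks that certbot repoints on renewal,
    # so these paths do not change when the certificate is renewed.
    ssl_certificate     /etc/letsencrypt/live/demo.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/demo.yourdomain.com/privkey.pem;

    # Assumed hardening: turn off the legacy TLS 1.0/1.1 protocol versions.
    ssl_protocols TLSv1.2;

    # Assumed static site served from the same directory as the webroot.
    root  /opt/www/demo.yourdomain.com;
    index index.html;
}
```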
Configure automatic renewal
Edit the crontab rules (setting up crontab for the first time):
$ crontab -e
Enter the following (renews the certificate and restarts nginx at 05:00 on the 1st of each month), then save and exit:
00 05 01 * * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx
Restart the crontab service:
$ systemctl restart crond.service
Reference link:
https://blog.csdn.net/sheng119/article/details/72956717