一、下载Certbot-auto客户端
# NOTE(review): the download URL was lost in this copy of the page; take it from
# the Certbot project's own documentation rather than guessing.  The script is
# later run to manage /etc/letsencrypt (i.e. with elevated rights), so verify
# the publisher's signature on the downloaded file before making it executable.
# (Upstream has since retired certbot-auto in favour of other install methods —
# confirm before following this step.)
wget /certbot-auto # download certbot-auto
chmod a+x certbot-auto # make it executable
./certbot-auto --help # show usage
二、配置nginx
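# Plain-HTTP server used while the first certificate is requested.
# server_name / index values were lost in this copy; nginx rejects an empty
# argument list, so fill them in before reloading.
server
{
    listen 80;
    server_name ;
    index ;
    root /www/wwwroot/;
    # Serve Let's Encrypt HTTP-01 challenge files.  `^~` makes this prefix
    # location take precedence over regex locations, so later deny-rules for
    # dotfiles cannot shadow it.  `root` MUST be the directory certbot writes
    # into — the `-w` argument of `certbot-auto certonly --webroot`, which is
    # /www/wwwroot/ in this guide.  The original pointed at /home/wwwroot//,
    # a directory certbot never writes to, so validation would fail.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /www/wwwroot/;
    }
    # Do not expose the challenge directory itself (no listing / index).
    location = /.well-known/acme-challenge/ {
        return 404;
    }
    access_log /www/wwwlogs/;
    error_log /www/wwwlogs/;
}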
重新加载nginx配置（reload，而不是重启）
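# Reload nginx so the new server block takes effect.  The original used the
# relative path ./usr/local/nginx/sbin/nginx, which only resolves when the
# current directory is /.  Test the configuration first so a broken config
# never takes the running site down.
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload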
三、生成ssl证书
# Request a certificate with the webroot plugin.  The directory given to -w
# must be the one nginx serves /.well-known/acme-challenge/ from (the `root`
# of that location); -d takes the domain name.  In this copy the e-mail
# domain, the domain name and part of the path were lost.
./certbot-auto certonly --email xxxxxx@ --agree-tos --no-eff-email --webroot -w /www/wwwroot/ -d
# Template: replace the bracketed values.  --agree-tos accepts the CA's
# subscriber agreement non-interactively; --no-eff-email declines the EFF
# mailing-list prompt (the address is still the account contact).
./certbot-auto certonly --email [邮箱] --agree-tos --no-eff-email --webroot -w [项目目录] -d [域名]
生成成功
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live// #公钥地址
Your key file has been saved at:
/etc/letsencrypt/live// #私钥地址
Your cert will expire on 2019-08-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: /donate
Donating to EFF: /donate-le
四、继续配置nginx
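# Plain-HTTP server after the certificate exists: everything except the ACME
# challenge path is redirected to HTTPS.
server {
    listen 80;
    server_name ;
    # Keep the HTTP-01 challenge reachable over plain HTTP so that
    # `certbot-auto renew --webroot` keeps working after the redirect is in
    # place.  `root` must match the -w directory given to certbot.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /www/wwwroot/;
    }
    # Redirect everything else to HTTPS.  The original `return 301 $request_uri;`
    # carried no scheme or host, so it redirected to the same http:// URL
    # (a loop) instead of upgrading to HTTPS.  If this server is the
    # default_server for the port, $host echoes the client-supplied Host
    # header; use $server_name or a literal host name if that matters.
    location / {
        return 301 https://$host$request_uri;
    }
}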
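# HTTPS server.  server_name / index / certificate file names were lost in
# this copy; certbot normally places fullchain.pem, privkey.pem and chain.pem
# under /etc/letsencrypt/live/<domain>/ (paths are printed by
# `certbot-auto certificates`).
server
{
    listen 443 ssl http2;
    server_name ;
    index ;
    root /www/wwwroot/;
    ssl_certificate /etc/letsencrypt/live//;
    ssl_certificate_key /etc/letsencrypt/live//;
    # Only has an effect together with ssl_stapling / ssl_stapling_verify,
    # which are not enabled here.
    ssl_trusted_certificate /etc/letsencrypt/live//;
    # NOTE(review): no ssl_protocols, ssl_ciphers or HSTS header are set, so
    # nginx's compiled-in defaults decide which TLS versions and cipher suites
    # are offered; review them against current guidance before going live.
    # The HTTP server above redirects to HTTPS, and the CA follows that
    # redirect during HTTP-01 validation, so the challenge path must also be
    # served here.  `^~` wins over the dotfile regex below, which would
    # otherwise return 404 for /.well-known/...
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /www/wwwroot/;
    }
    # Deny access to dotfiles, VCS metadata and project files.  The original
    # pattern ended in an empty alternative (`|)`), which matches every URI and
    # would have returned 404 for the whole site — a name may have been lost
    # when this page was copied; add it back here if so.
    location ~ ^/(\.|\.htaccess|\.git|\.svn|\.project|LICENSE)
    {
        return 404;
    }
    # Static images: long cache lifetime, no logging.  `error_log off;` is not
    # a valid way to disable the error log (nginx creates a file named "off"),
    # hence /dev/null.  Disabling access logs for these paths also removes
    # them from any later incident investigation — an explicit trade-off.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
        error_log /dev/null;
        access_log /dev/null;
    }
    # Scripts and stylesheets.  The original `\.(js|css)?$` made the suffix
    # optional, so the pattern matched every remaining URI and applied the
    # 12h cache header and log suppression to the whole site.
    location ~ .*\.(js|css)$
    {
        expires 12h;
        error_log /dev/null;
        access_log /dev/null;
    }
    access_log /www/wwwlogs/;
    error_log /www/wwwlogs/;
}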
五、证书续签相关
1、查看证书有效期,到期时间
# List the certificates certbot manages, with domains, file paths and expiry.
./certbot-auto certificates
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name:
Domains:
Expiry Date: 2019-08-14 06:33:04+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live//
Private Key Path: /etc/letsencrypt/live//
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Cross-check the validity window directly from the certificate file.  The file
# name was lost in this copy; use the "Certificate Path" printed above.
openssl x509 -noout -dates -in /etc/letsencrypt/live//
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
notBefore=May 16 06:33:04 2019 GMT
notAfter=Aug 14 06:33:04 2019 GMT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2、更新
# Renew certificates.  --dry-run rehearses the renewal path without replacing
# the installed certificate; run it first after changing the nginx config.
./certbot-auto renew --dry-run
# If the output is not needed, run silently.
# NOTE(review): this line calls `certbot` while every other step uses
# ./certbot-auto; unless a separate system certbot is installed it will not be
# found.  Confirm which binary is meant.
certbot renew --quiet
# Manual renewal with verbose output.
./certbot-auto renew -v
# Unattended renewal; --no-self-upgrade stops certbot-auto from replacing
# itself during the run.
./certbot-auto renew --quiet --no-self-upgrade
# Scheduled renewal: see the crontab entry below.
加入定时任务 crontab -e
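# Run renewal daily at 04:00.  certbot only renews certificates that are close
# to expiry and exits quietly otherwise, so a frequent schedule is safe.  The
# original ran on the 1st of every second month: with the 90-day certificate
# shown above (issued 2019-05-16, expiring 2019-08-14) the July 1 run is too
# early to renew and the next run, September 1, is after expiry.
# --deploy-hook reloads nginx only when a certificate was actually renewed;
# without it nginx keeps serving the old certificate until someone reloads it.
# Use the absolute path where certbot-auto was installed (earlier steps run it
# as ./certbot-auto from the download directory).
0 4 * * * /usr/bin/certbot-auto renew --quiet --no-self-upgrade --deploy-hook "/usr/local/nginx/sbin/nginx -s reload"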