安装certbot
root@botao:~# apt update
root@botao:~# apt install certbot
申请单域名证书
- 注意：`--standalone` 方式要求80端口空闲（先停止占用80端口的服务，例如 nginx），否则会报错。如遇80端口被占用的报错，只需释放端口后再次执行申请证书的命令即可。
root@botao:~# certbot certonly --standalone -d www.linuxopen.com --http-01-address 0.0.0.0
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): botao@linuxopen.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.linuxopen.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.linuxopen.com/privkey.pem
Your certificate will expire on 2025-06-09. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
配置证书自动续期
自动续期脚本
root@botao:~# cat /scripts/letsencrypt/ssl_renew.sh
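#!/bin/bash
# ssl_renew.sh — renew Let's Encrypt certificates that were issued with
# "certbot certonly --standalone" (see the transcript above).
#
# The standalone authenticator needs port 80, which nginx holds, so the
# script stops nginx, runs "certbot renew" and starts nginx again. The
# restart is done from an EXIT trap so that a failing or interrupted renewal
# never leaves the site down (a plain "stop && renew && start" chain skips
# the start whenever renew fails).
#
# Outputs: certbot's own output -> /scripts/letsencrypt/certbot-renew.log
#          one status line      -> /scripts/letsencrypt/end-renew.log
# Exit status: 0 when nothing was due or the renewal succeeded, 1 otherwise.
set -u

readonly certbot=/usr/bin/certbot
readonly systemctl=/usr/bin/systemctl
readonly log_dir=/scripts/letsencrypt
readonly renew_log="${log_dir}/certbot-renew.log"
readonly status_log="${log_dir}/end-renew.log"
# Only take nginx down when some certificate is this close to expiry.
readonly renew_threshold=15

realtime=$(date +%Y-%m-%d+%H:%M:%S)
readonly realtime

#######################################
# Append a timestamped line to the status log.
# Arguments: $* - message
#######################################
log_status() {
  printf '%s %s\n' "${realtime}" "$*" >> "${status_log}"
}

#######################################
# Decide whether a renewal run is due.
# "certbot certificates" prints, per certificate, a line such as
#   Expiry Date: 2025-06-09 ... (VALID: 89 days)
# whose sixth field is the remaining day count. Values that are not a plain
# number are skipped instead of being fed to (( )), which would abort on them.
# Returns: 0 if any certificate has <= renew_threshold days left, 1 otherwise
#######################################
needs_renewal() {
  local day
  local -a days
  mapfile -t days < <("${certbot}" certificates | grep days | awk '{print $6}')
  (( ${#days[@]} )) || return 1
  for day in "${days[@]}"; do
    [[ "${day}" =~ ^[0-9]+$ ]] || continue
    if (( day <= renew_threshold )); then
      return 0
    fi
  done
  return 1
}

#######################################
# Start nginx again; installed as the EXIT trap once nginx has been stopped,
# so it runs on every exit path (success, certbot failure, signal).
#######################################
restore_nginx() {
  "${systemctl}" start nginx || log_status "WARNING: nginx failed to start"
}

main() {
  needs_renewal || exit 0

  "${systemctl}" stop nginx || {
    log_status "certbot skipped: could not stop nginx"
    exit 1
  }
  trap restore_nginx EXIT

  if "${certbot}" renew > "${renew_log}"; then
    log_status "certbot ok"
  else
    log_status "certbot failed, see ${renew_log}"
    exit 1
  fi
}

main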
计划任务
root@botao:~# crontab -l
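#Name: letsencrypt SSL auto-renewal
# cron runs jobs with a minimal environment, so PATH and SHELL are set
# explicitly; HOME is the directory the script writes its logs to.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
HOME=/scripts/letsencrypt
SHELL=/bin/bash
# Wednesdays at 10:17. Absolute path, so the job does not depend on cron
# starting in $HOME.
17 10 * * 3 /scripts/letsencrypt/ssl_renew.sh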
nginx配置文件
root@botao:/etc/nginx/conf.d# vim ssl_botao.conf
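server {
    listen 443 ssl;
    server_name linuxopen.com www.linuxopen.com;
    access_log /var/log/nginx/http443.access.log;
    error_log /var/log/nginx/http443.error.log;

    # Files issued by "certbot certonly" above; certbot replaces them under
    # live/ on renewal, and ssl_renew.sh restarts nginx so they are re-read.
    ssl_certificate /etc/letsencrypt/live/www.linuxopen.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.linuxopen.com/privkey.pem;
    ssl_session_timeout 5m;

    # TLS 1.0/1.1 are deprecated (RFC 8996) and flagged by compliance scans;
    # only 1.2 and 1.3 are offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The previous list (…:ECDH:AES:HIGH)
    # also admitted static-RSA key exchange and CBC suites. ECDSA variants
    # are listed first because newer certbot releases issue ECDSA keys by
    # default; the RSA variants keep an RSA certificate working.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Two add_header lines for the same name emit two headers; one combined
    # value carries the same policy.
    add_header Cache-Control "no-cache, private";

    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells the plain-HTTP backend that the client connected over HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # error_page and its location must name the same URI; previously 404
    # pointed at /404.html while the location only matched /40x.html.
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}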