root@botao:~# apt update 
root@botao:~# apt install certbot

申请单域名证书

• 注意：需要关闭80端口，否则会报错。如遇未关闭80端口的报错，只需关闭后再次执行申请证书的命令即可。

root@botao:~# certbot certonly --standalone -d www.linuxopen.com --http-01-address 0.0.0.0
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): botao@linuxopen.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.linuxopen.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.linuxopen.com/privkey.pem
   Your certificate will expire on 2025-06-09. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

配置证书自动续期

• 证书有效期3个月，可以用脚本+计划任务自动续期。

自动续期脚本

• 检查证书过期时间小于15天执行证书续期命令

root@botao:~# cat /scripts/letsencript/ssl_renew.sh 
#!/bin/bash

daynum=`/usr/bin/certbot certificates | grep days| awk '{print $6}'`
realtime=`date +%Y-%m-%d+%H:%M:%S`

for day in $daynum
do
    if (( $day <= 15 ));
    then
        /usr/bin/systemctl stop nginx && /usr/bin/certbot renew > /scripts/letsencrypt/certbot-renew.log && /usr/bin/systemctl start nginx && echo "$realtime certbot ok" >> /scripts/letsencrypt/end-renew.log
break
    fi
done

计划任务

• 每周三早上10点17分执行证书续期脚本

root@botao:~# crontab -l
#Name: letsencrypt SSL自动续期
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
HOME=/scripts/letsencrypt
SHELL=/bin/bash
17 10 * * 3 ./ssl_renew.sh

nginx配置文件

• 主要是写清楚证书文件位置和代理端口

root@botao:/etc/nginx/conf.d# vim ssl_botao.conf 
server {
    listen 443 ssl;
    server_name linuxopen.com www.linuxopen.com;
    access_log /var/log/nginx/http443.access.log;
    error_log /var/log/nginx/http443.error.log;

        ssl_certificate   /etc/letsencrypt/live/www.linuxopen.com/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/www.linuxopen.com/privkey.pem;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        add_header Cache-Control no-cache;
        add_header Cache-Control private;

    location / {
            proxy_pass http://127.0.0.1:80;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    error_page 404 /404.html;
        location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
        location = /50x.html {
    }
}

开通SSL域名证书并配置自动续期最先出现在博韬。