1、安装Certbot
yum install certbot python2-certbot-nginx
2、配置nginx
vim /etc/nginx/nginx.conf
内容如下:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
其中有一行
include /etc/nginx/conf.d/*.conf;
可见我们只要在这个目录下新建一个xxx.conf即可被引用。
在上述目录下添加我们需要配置的文件homePage.conf
内容如下:
server {
listen 80;
server_name www.xxxxxx.com;
}
3、自动配置下载证书
先检查一下nginx的配置文件是否有错误
nginx -t
运行如下:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
自动配置:
certbot --nginx
运行如下:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): #此处需要输入你的邮箱地址
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y #此处选Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y 此处选Y
Account registered.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.xxxxx.com #此处会列出你配置文件中包含的域名
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 #选择域名对应的序号
Requesting a certificate for www.xxxxx.com
Performing the following challenges:
http-01 challenge for www.xxxxx.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/homePage.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/homePage.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.xxxxx.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: 你的邮箱地址).
Starting new HTTPS connection (1): supporters.eff.org
An unexpected error occurred:
TypeError: __str__ returned non-string (type Error)
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.xxxxx.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.xxxxx.com/privkey.pem
Your certificate will expire on 2022-03-17. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
相关证书会生成在如下文件中:
/etc/letsencrypt/renewal/www.xxxxx.com.conf
/etc/letsencrypt/archive/www.xxxxx.com
/etc/letsencrypt/live/www.xxxxx.com
此时打开/etc/nginx/conf.d/homePage.conf;
内容如下:
server {
server_name www.xxxxx.com;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.xxxxx.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.xxxxx.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.xxxxx.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name www.xxxxx.com;
return 404; # managed by Certbot
}
可以看到帮我们自动生成了相关的配置文件
添加我们的跳转后,内容如下:
server {
server_name www.xxxxx.com;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.xxxxx.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.xxxxx.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
root /homePage;
index index.html;
}
}
server {
if ($host = www.xxxxx.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name www.xxxxx.com;
return 404; # managed by Certbot
}
4、重启/启动nginx,访问域名查看是否配置成功
#启动
nginx -c /etc/nginx/nginx.conf
#重启
nginx -s reload
5、证书的有效期只有三个月,所以需要定时续期
5.1、检查 Cron 服务状态
service crond status
运行如下:
● crond.service - Command Scheduler
Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
Active: active (running) since 五 2021-12-17 14:45:07 CST; 5h 5min ago
Main PID: 14167 (crond)
CGroup: /system.slice/crond.service
└─14167 /usr/sbin/crond -n
12月 17 14:45:07 xxxxxxxxxxx systemd[1]: Stopped Command Scheduler.
12月 17 14:45:07 xxxxxxxxxxx systemd[1]: Started Command Scheduler.
12月 17 14:45:07 xxxxxxxxxxx crond[14167]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 59% if used.)
12月 17 14:45:07 xxxxxxxxxxx crond[14167]: (CRON) INFO (running with inotify support)
12月 17 14:45:07 xxxxxxxxxxx crond[14167]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
如果执行后提示:crond (pid xxxxx) is running… 代表正常运行中,则可以跳过下面5.2、5.3两步 。
如果提示错误,不识别的服务,则先按照5.2和5.3执行安装和启动。
5.2、安装 cron 服务
依次输入以下 2 条命令并回车执行
yum -y install vixie-cron
yum -y install crontabs
成功安装 Cron 之后,启动 cron 服务。
5.3、启动 Cron 服务
service crond start
执行后会出现:Starting crond: [ OK ] 的提示,表明启动成功。
继续执行开机启动服务命令,把 Cron 加入开机启动的服务列表中:
chkconfig --level 345 crond on
安装完检查一下 Cron 服务状态
service crond status
如果提示:crond (pid xxxxx) is running… 代表正常运行中。
5.4、搜索 cron 文件所在位置
输入命令:
find / -name "cron"
找到如下结果:
/var/spool/cron
/var/log/cron
/etc/selinux/targeted/active/modules/100/cron
/var/log/cron 这个是日志文件位置,不管它
/var/spool/cron 这里是所有的自动执行任务的 cron 文件存放位置
打开 /var/spool/cron,看看 cron 目录下有没有文件。
- 如果没有,创建 cron 文件,按照步骤5.5。
- 如果有,跳过步骤5.5。
5.5、创建 Cron 文件
输入以下命令:
crontab -e
此时会创建一个新文件同时打开了vim
输入以下内容:
0 3 */7 * * /usr/bin/certbot renew --renew-hook "/usr/sbin/nginx -s reload"
上面这个/usr/bin/certbot和/usr/sbin/nginx 各自需要写成各自的路径可以用which certbot和which nginx查询
按住 shift+分号(打出冒号来),然后输入 wq,回车。退出编辑文件状态。
以上含义是:每隔 7 天,夜里 3 点整自动执行检查续期命令一次。续期完成后,重启 nginx 服务。
5.6、重启 Cron 服务,使之生效
service crond restart
5.7、手动尝试 Certbot 证书更新
/bin/certbot renew
6.可能遇到的问题
https://blog.csdn.net/sinat_39595180/article/details/88120604
网友评论