Using certbot on CentOS 7 to configure nginx with a wildcard-domain HTTPS certificate, taking a wildcard certificate for zqyu.com as the example
1. Install certbot
$ sudo yum install python2-certbot-nginx
2. Generate the certificate
$ certbot certonly --manual -d zqyu.com -d '*.zqyu.com' --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
(The wildcard name is quoted so the shell does not expand the `*` against files in the current directory.)
During installation the following error appeared:
ImportError: No module named 'requests.packages.urllib3'
Reinstalling the affected packages fixes it:
$ pip uninstall requests
$ pip uninstall urllib3
$ yum remove python-urllib3
$ yum remove python-requests
$ yum install python-urllib3
$ yum install python-requests
$ yum install certbot
Run the certificate command again, fill in the requested information as prompted, and add the TXT record in your domain's DNS when certbot asks for it:
Please deploy a DNS TXT record under the name
_acme-challenge.[your domain] with the following value:
LAgFSE1_ML8l2T35GuyW1Iq-HZ8dncQUkxd131fZq3w[this string is the token generated during the run]
Before continuing, verify the record is deployed.
On success the output looks like this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/[your domain]/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/[your domain]/privkey.pem
Your cert will expire on 2019-01-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
3. Configure the certificate in nginx
server {
    listen 80;
    server_name [your domain];
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name [your domain];
    ssl_certificate /etc/letsencrypt/live/[your domain]/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/[your domain]/privkey.pem;
    root [your web root];
    location / {
        access_log off;
    }
}
Reload the nginx configuration with nginx -s reload and you're done.
4. Automatic certificate renewal
Let's Encrypt certificates are valid for 90 days; after they expire the certificate has to be issued again.
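A small expiry check for the certificate issued above, added here as an example and not part of the original post. Because the certificate was obtained with --manual and no --manual-auth-hook, certbot renew cannot complete the dns-01 challenge unattended, so this script only reports how many days are left and whether the certonly command needs to be run again; it assumes GNU date (CentOS 7 coreutils) and the openssl CLI, and check_domain reads the live path certbot printed.

```shell
#!/bin/sh
# Added example (not from the original post): report how many days remain on a
# Let's Encrypt certificate and whether a manual re-issue is due.
# Assumes GNU date (CentOS 7 coreutils) and the openssl command-line tool.

# days_between NOTAFTER NOW: whole days from NOW until NOTAFTER, both in any
# format GNU date accepts (e.g. openssl's "Jan 25 12:00:00 2019 GMT").
days_between() {
    end_epoch=$(date -u -d "$1" +%s) || return 1
    now_epoch=$(date -u -d "$2" +%s) || return 1
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# needs_renewal NOTAFTER NOW [THRESHOLD_DAYS]: succeed (exit 0) when fewer than
# THRESHOLD_DAYS remain; default 30, the window certbot renew itself uses.
needs_renewal() {
    days=$(days_between "$1" "$2") || return 2
    [ "$days" -lt "${3:-30}" ]
}

# cert_not_after PEMFILE: the notAfter field of the first certificate in PEMFILE.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# check_domain DOMAIN: inspect the live fullchain.pem certbot wrote for DOMAIN
# and exit 3 when the manual certonly command has to be run again.
check_domain() {
    pem="/etc/letsencrypt/live/$1/fullchain.pem"
    not_after=$(cert_not_after "$pem") || return 1
    days=$(days_between "$not_after" now)
    if needs_renewal "$not_after" now; then
        echo "$1: expires in $days days; re-run the certbot certonly command"
        return 3
    fi
    echo "$1: $days days left, nothing to do"
}

if [ "$#" -eq 1 ]; then
    check_domain "$1"
fi
```

Run it as `sh check-cert.sh zqyu.com` from cron and alert on a non-zero exit; a hypothetical file name, any name works.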
5. Uninstall
$ yum remove certbot python2-certbot-nginx
$ yum autoremove