Requesting a Let's Encrypt certificate (using certbot)
Let's Encrypt website: https://letsencrypt.org/zh-cn/
Certbot website: https://certbot.eff.org/
Certbot instructions: https://certbot.eff.org/instructions?ws=nginx&os=centosrhel7&tab=standard
1. Install snapd
Details:
https://snapcraft.io/docs/installing-snap-on-centos
yum -y install epel-release
yum -y install snapd
systemctl enable --now snapd.socket
ln -s /var/lib/snapd/snap /snap
2. Install Certbot
# Remove any certbot installed from the distribution packages
yum remove certbot
# Install certbot from snap
sudo snap install --classic certbot
# Create a symlink so the certbot command is on the PATH
sudo ln -s /snap/bin/certbot /usr/bin/certbot
3. Request an SSL certificate
sudo certbot certonly -a manual -i nginx -d test.example.com
Notes:
Details:
https://eff-certbot.readthedocs.io/en/latest/using.html#nginx
certonly: only obtain the certificate; configure the web server yourself afterwards
-a or --authenticator: plugin used to prove control of the domain (here manual, i.e. you complete the challenge yourself)
-i or --installer: plugin used to install the certificate into the web server (here nginx)
-d or --domains: domain name(s)
--nginx-server-root: path of the nginx configuration directory; default: /etc/nginx or /usr/local/etc/nginx
--webroot-path, short form -w: the web root directory of the site
Note: running the command above prompts you for an email address
4. Automatic renewal: add a scheduled task
Test automatic renewal:
sudo certbot renew --dry-run
Note: a certificate obtained with -a manual cannot be renewed unattended unless --manual-auth-hook is supplied; the webroot authenticator (-w) needs no hook. The snap package also installs a systemd timer for renewal.
Scheduled task locations:
- /etc/crontab
- /etc/cron.*/*
- systemctl list-timers
5. Configure the SSL certificate in Nginx
# test.example.com.conf
# Reference: https://cloud.tencent.com/document/product/400/35244
server {
    listen 80;
    server_name test.example.com;
    # Listen on port 443
    listen 443 ssl;
    # SSL certificate settings
    # nginx SSL certificate configuration reference: https://cloud.tencent.com/document/product/400/35244
    ssl_certificate /etc/letsencrypt/live/test.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test.example.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        root html/example;
        index index.html index.htm;
    }
}
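The server block above answers the same site on both port 80 and 443, so the content stays reachable in clear text. As an added example (not from the original post), the following splits it into a plaintext listener that only serves ACME http-01 challenges and redirects everything else, and a TLS-only listener with HSTS; the certificate paths come from the post, while /var/www/letsencrypt is an assumed webroot you would pass to certbot with -w.

```nginx
# Added example, not the original post's configuration.
# Assumed: /var/www/letsencrypt is the directory given to certbot via -w.

server {
    listen 80;
    server_name test.example.com;

    # Let http-01 challenges through so renewal keeps working over HTTP.
    # certbot -w /var/www/letsencrypt writes tokens under .well-known/acme-challenge/
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    # Everything else is sent to HTTPS; no site content is served in clear text
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name test.example.com;

    ssl_certificate     /etc/letsencrypt/live/test.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test.example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # Session tickets would let a leaked ticket key decrypt past sessions
    ssl_session_tickets off;

    # Tell browsers to refuse plaintext for this host for one year
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root  html/example;
        index index.html index.htm;
    }
}
```

Run nginx -t after saving, and confirm the redirect and the challenge path with curl -I http://test.example.com/ before relying on renewal.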
6. Check the configuration
nginx -t
7. Reload Nginx
nginx -s reload