使用certbot在centos7搭建ssl证书并且自动续约

检查centos版本#

$ cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)

检查python\nginx版本#

$ python -V
Python 2.7.5
$ nginx -v
nginx version: nginx/1.26.1

这里服务器自带了python 2.7.5，如果没有，可以安装

sudo yum install python27

更新pip并安装certbot

pip install --upgrade pip
pip install certbot
# 检查certbot是否可用，输出正常，说明pip安装了最新版的certbot
certbot certificates

生成证书#

sudo certbot certonly --standalone -d blog.[xxx.com](http://xxx.com/) --email 你的邮箱

报错：Problem binding to port 80: Could not bind to IPv4 or IPv6. ，是因为80端口被占用

netstat -tlnp | grep 80
service nginx stop

再重新生成证书
在服务器的配置文件 ，指向你的证书
例如 在你的域名的nignx配置中：

server {
    listen 80;
    server_name blog.xxx.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name blog.xxx.com;

    root /usr/share/nginx/html/hugo-stack-blog/public;
    index index.html;

    ssl_certificate    /etc/letsencrypt/live/blog.xxx.com/fullchain.pem;
    ssl_certificate_key    /etc/letsencrypt/live/blog.xxx.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000" always;
}

手动续签#

sudo certbot certificates	//证书有效期查询
sudo systemctl stop nginx	//关闭nginx，解除占用端口
sudo certbot renew				//续签证书
sudo systemctl restart nginx	//重启nginx
sudo certbot certificates

crontab定时更新证书#

# 查看当前用户周期任务
$ crontab -l
# 以root用户执行，查看所有周期任务
$ cat /etc/passwd | cut -f 1 -d : | xargs -I {} crontab -l -u {}

# 编辑crontab
$ crontab -e
# 添加如下内容
0 0  1 */3 * sudo systemctl stop nginx && certbot -q renew --renew-hook "systemctl restart nginx" && systemctl restart nginx