Applying for a Let's Encrypt Certificate
Request a Let's Encrypt certificate
sudo apt install certbot
sudo certbot certonly --webroot -w <website-root-directory> -d <your-domain>
Generate ssl_dhparam
sudo openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048
Example NGINX configuration
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # 301 redirect: send HTTP traffic to HTTPS
    return 301 https://$host$request_uri;
}
server {
    # Fill in the certificate and key files generated above
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/<your-domain>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<your-domain>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot; copy the options-ssl-nginx.conf file into this directory
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Configure automatic renewal
Set up a cron job. The official recommendation is to run certbot renew twice a day. The job below runs at 00:00 and 12:00 every day.
crontab -e
0 0,12 * * * /usr/bin/certbot renew --quiet
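A check that can run after the renewal job, as an added example (not part of the original page): it confirms that the certificate in the live directory used by the NGINX configuration stays valid for a minimum number of days and that privkey.pem belongs to it. The function names and the 20-day default are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the fullchain.pem /
# privkey.pem layout used in the NGINX configuration above.

# cert_valid_for DAYS CERT: succeeds if CERT is still valid DAYS days from now.
cert_valid_for() {
    openssl x509 -checkend "$(( $1 * 86400 ))" -noout -in "$2" >/dev/null 2>&1
}

# key_matches_cert CERT KEY: succeeds if KEY is the private key of the first
# (leaf) certificate in CERT. Compares the two public keys in PEM form.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_live_cert LIVE_DIR [MIN_DAYS]: prints one status line.
# Returns 0 = OK, 1 = expiring, 2 = key mismatch/unreadable, 3 = cert missing.
# MIN_DAYS defaults to 20 (assumed threshold, adjust to your policy).
check_live_cert() {
    dir=$1
    min_days=${2:-20}
    cert="$dir/fullchain.pem"
    key="$dir/privkey.pem"
    if [ ! -r "$cert" ]; then
        echo "MISSING $cert"; return 3
    fi
    if ! key_matches_cert "$cert" "$key"; then
        echo "KEY_MISMATCH $dir"; return 2
    fi
    if ! cert_valid_for "$min_days" "$cert"; then
        echo "EXPIRING $dir (less than $min_days days left)"; return 1
    fi
    echo "OK $dir"
}

# Run the check only when a live directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_live_cert "$@"
fi
```

Run it as root, since privkey.pem is not readable by other users, for example: sh check_cert.sh /etc/letsencrypt/live/<your-domain> (check_cert.sh is a hypothetical file name).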