Let’s Encrypt配置ssl证书自动更新

配置基本的Nginx设置：

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

server { listen 80 default_server; listen [::]:80 default_server; server_name yourwebsite.com; location ^~ /.well-known/acme-challenge/ { default_type "text/plain"; root /var/www/letsencrypt; } location = /.well-known/acme-challenge/ { return 404; } ... 其他配置，例如 location / { proxy_pass http://localhost:8080; } }

这里location配置了一个/.well-known/acme-challenge/路径，里面host了简单文件，我这里host了一个简单的html文件。原因是你必须证明，你拥有所请求的证书的域名。因为 Let’s Encrypt要求你host一些文件。

 

证书90天过期

Let’s Encrypt证书会在90天后过期，需要配置脚本自动更新证书。

1 2 3 4 5 6 7 8 9

#!/bin/sh # This script renews all the Let's Encrypt certificates with a validity < 30 days if ! /opt/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 ; then echo Automated renewal failed: cat /var/log/letsencrypt/renew.log exit 1 fi nginx -t && nginx -s reload

 

示例配置：

?

server {

    server_name   www.domain.com domain.com;

 

 

 

    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;

    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;

    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

 

    location / {

           proxy_pass      https://shops.domain.com/;

           proxy_set_header  Host $host;

               

               }

 

    location ^~ /.well-known/acme-challenge/ {

       default_type "text/plain";

       root     /usr/share/nginx/html;

    }

 

    location = /.well-known/acme-challenge/ {

       return 404;

    }

 

}