Using certbot to add SSL to a website
yum -y install yum-utils
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
yum install certbot python2-certbot-nginx
Then stop nginx
certbot --nginx
Finally, systemctl restart nginx
Add automatic certificate renewal
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null
===============================================================
Method 2:
Get the code
git clone https://github.com/letsencrypt/letsencrypt
Run
cd letsencrypt
./certbot-auto certonly -d domain.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
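--preferred-challenges: uses DNS validation to prove that the domain is yours, so partway through the run certbot produces a host name and a value, and you need to configure a TXT record with them for domain validation
-d is followed by the domain the certificate is issued for; something like *.domain.com can be used to cover a wildcard domain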
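A pre-check for the TXT record described above, as an added example that is not part of the original page: it derives the _acme-challenge name for a -d value (wildcards included) and confirms that the value certbot printed is served by every authoritative nameserver before you continue. It assumes dig is installed; the script name check-txt.sh and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original page). Requires dig for the live check.

# Record name for a -d argument: "*.domain.com" and "domain.com" are both
# validated at _acme-challenge.domain.com.
challenge_name() {
    d=${1#\*.}    # drop a leading wildcard label
    d=${d%.}      # drop a trailing root dot
    printf '_acme-challenge.%s\n' "$d" | tr 'A-Z' 'a-z'
}

# True if value $1 is one complete TXT string in `dig +short TXT` output $2.
# The name can carry several values at once (wildcard plus base domain).
txt_has_value() {
    [ -n "$1" ] || return 1
    # "--" matters: base64url values may begin with "-".
    printf '%s\n' "$2" | tr -d '"' | grep -Fxq -- "$1"
}

# Ask each authoritative nameserver of zone $1 for TXT record $2 and require
# value $3 on all of them; resolver caches can lag behind or run ahead.
check_propagation() {
    zone=$1; name=$2; value=$3; rc=0; seen=0
    for ns in $(dig +short NS "$zone"); do
        seen=1
        if txt_has_value "$value" "$(dig +short TXT "$name" "@$ns")"; then
            echo "ok      $ns"
        else
            echo "MISSING $ns"; rc=1
        fi
    done
    [ "$seen" -eq 1 ] || { echo "no NS records found for $zone" >&2; return 1; }
    return "$rc"
}

# Usage: sh check-txt.sh domain.com '*.domain.com' '<value printed by certbot>'
if [ "$#" -eq 3 ]; then
    check_propagation "$1" "$(challenge_name "$2")" "$3"
fi
```

Run it after creating the TXT record and press Enter in certbot only once every nameserver reports ok.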
Set up automatic renewal
crontab -e
0 */12 * * * certbot renew --quiet --renew-hook "systemctl reload nginx"
Modify the nginx configuration
# Inside the HTTPS server block for domain.com:
listen 443 ssl;
listen [::]:443 ssl ipv6only=on;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

# Port 80: redirect domain.com to HTTPS, answer any other host with 404.
server {
    if ($host = domain.com) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    listen [::]:80;
    server_name domain.com;
    return 404;
}