Deploying a Let's Encrypt certificate for a website

CentOS 7 / nginx: deploying a Let's Encrypt certificate

Environment
Software   Version
Nginx      1.14.2
CentOS     CentOS Linux release 7.6.1810 (Core)
Install certbot

    yum -y install yum-utils
    # On CentOS 7 certbot is packaged in EPEL, so enable that repository.
    yum -y install epel-release
    # On RHEL 7 on AWS (certbot's upstream recipe) the RHUI extras/optional repos
    # are enabled instead; they do not exist on CentOS:
    # yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
    sudo yum install certbot python2-certbot-nginx
Generate the certificate

  1. webroot: uses the web server already running on the host. Let's Encrypt must be able to reach the domain on port 80, and nginx must serve the directory given with -w, because the ACME http-01 challenge file is written under <webroot>/.well-known/acme-challenge/ and fetched from there.

    certbot certonly --webroot -w /data/wwwroot/example -d example.com

    Notes: certonly only obtains the certificate; it does not edit the nginx configuration (that is what the --nginx installer plugin does).

    -w  the website's document root (the webroot)

    -d  the domain to obtain the certificate for (repeat -d for additional names)

  2. standalone: certbot starts its own temporary web server on port 80, so nothing else may be bound to that port. Stop nginx first and start it again afterwards.

    certbot certonly --standalone -d example.com

Where the certificate is stored

Certificate (leaf plus intermediate chain): /etc/letsencrypt/live/example.com/fullchain.pem

Private key: /etc/letsencrypt/live/example.com/privkey.pem

The files under live/ are symlinks into /etc/letsencrypt/archive/. Reference these paths from nginx rather than copying the files elsewhere, otherwise a renewed certificate is never picked up. privkey.pem is created mode 0600; leave it that way.

Configure nginx

    # HTTPS server, nginx-1.14.2
    server {
        # Uncomment "listen 80" to serve http and https from the same block
        # listen 80;
        listen 443 ssl;
        server_name example.com;

        # Point at the live/ symlinks (not the archive/ files) so a renewal takes effect on reload
        ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        # nginx's stock defaults; with no ssl_protocols line TLS 1.0 and 1.1 stay enabled
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            # For webroot renewals this must be the directory passed to certbot -w:
            # the redirect below sends the ACME challenge request to this block over https
            root html;
            index index.html index.htm;
        }
    }

    # Force https
    server {
        listen 80;
        server_name example.com;
        rewrite ^/(.*)$ https://example.com/$1 permanent;
    }
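For comparison, the same pair of server blocks with the TLS settings pinned down rather than left at nginx's defaults. This is an added example, not the configuration from the original post: it assumes the same /etc/letsencrypt/live/example.com lineage, a hypothetical webroot /data/wwwroot/example matching the -w argument above, and a local DNS resolver on 127.0.0.1 for OCSP stapling.

```nginx
# Hardened variant of the server blocks above (added example, not the original config).
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Weak setting in the block above: no ssl_protocols line, so nginx 1.14's
    # default "TLSv1 TLSv1.1 TLSv1.2" applies. TLSv1.3 is only honoured when
    # nginx is linked against OpenSSL 1.1.1+; stock CentOS 7 ships OpenSSL 1.0.2,
    # so there this effectively means TLS 1.2 only.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Weak setting above: HIGH:!aNULL:!MD5 still admits static-RSA key exchange
    # (no forward secrecy) and CBC suites. Offer forward-secret AEAD suites only.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # every offered suite is acceptable, so let the client pick

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # nginx rotates its ticket key only on restart; disabling tickets keeps
    # resumption in the server-side cache, which is discarded on restart.
    ssl_session_tickets off;

    # OCSP stapling; chain.pem (also written by certbot) validates the response.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 127.0.0.1 valid=300s;   # assumed local resolver; stapling needs one

    # HSTS; add includeSubDomains only once every subdomain serves https.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Serve ACME challenges from the webroot given to certbot -w, so webroot
    # renewals succeed even though http traffic is redirected here.
    location /.well-known/acme-challenge/ {
        root /data/wwwroot/example;
    }

    location / {
        root /data/wwwroot/example;
        index index.html index.htm;
    }
}

# Port 80: answer ACME challenges directly, redirect everything else.
server {
    listen 80;
    server_name example.com;

    location /.well-known/acme-challenge/ {
        root /data/wwwroot/example;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

Run `nginx -t` before reloading; a missing chain.pem or an unreachable resolver shows up there rather than at the first client connection.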
Automatic renewal with crontab (run a renewal check every two days)

    crontab -e
    0 3 */2 * * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start" >> /var/crontab/certbot.txt 2>&1

Note the schedule fields: "* * */2 * *" would fire every minute of every second day, whereas "0 3 */2 * *" fires once at 03:00. certbot renew only renews certificates within 30 days of expiry and exits quickly otherwise, so a frequent schedule is safe. The stop/start hooks only run when a renewal is attempted, and they are only needed for certificates issued with --standalone, because certbot must bind port 80 itself. For webroot-issued certificates leave nginx running and use --deploy-hook "systemctl reload nginx" instead, which runs only after a certificate was actually renewed. The log directory must exist, or cron's shell cannot open the redirect target.
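A renewal wrapper for the webroot workflow that a practitioner would rather put in cron than a bare certbot line: it reports the days left on the certificate, renews only through a reload hook, and then checks that the certificate nginx actually serves is the one on disk (a renewed file that was never reloaded is the usual silent failure). This is an added example, not code from the original post or from certbot. Hypothetical assumptions: the lineage name example.com under certbot's default /etc/letsencrypt/live, nginx managed by systemd, GNU date and openssl on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post or certbot): cron-friendly renewal
# check for the webroot workflow. Assumed/hypothetical: lineage example.com under
# /etc/letsencrypt/live, nginx under systemd, GNU date and openssl available.
set -u

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/example.com}"
DOMAIN="${DOMAIN:-example.com}"

# Whole days until the certificate in $1 expires (GNU date parses openssl's
# "Jan  1 00:00:00 2030 GMT" notAfter format).
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$end" +%s)
    echo $(( (end_epoch - $(date -u +%s)) / 86400 ))
}

# Succeeds when the certificate in $1 expires within $2 days (default 30,
# certbot's own renewal threshold). openssl's -checkend exits 0 while the
# certificate is still valid at now+N seconds, so the result is inverted.
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 ))
}

# SHA-256 fingerprint (colon-separated hex) of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate the live server presents for $1.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds only when both fingerprints are non-empty and identical.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

main() {
    cert="$LIVE_DIR/fullchain.pem"
    echo "$DOMAIN: $(cert_days_left "$cert") days left on $cert"
    if needs_renewal "$cert"; then
        # Webroot renewals need nginx running, not stopped; the deploy hook
        # fires only when a certificate was actually renewed.
        certbot renew --quiet --deploy-hook "systemctl reload nginx"
    fi
    # A renewed file is useless until nginx reloads; compare what is served.
    if fingerprints_match "$(served_fingerprint "$DOMAIN")" "$(cert_fingerprint "$cert")"; then
        echo "$DOMAIN: nginx serves the certificate on disk"
    else
        echo "$DOMAIN: WARNING served certificate differs from $cert (reload missed?)" >&2
        exit 1
    fi
}

# Only run the full check when invoked as "renew-check.sh run", so the
# functions can also be sourced for testing without touching certbot.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Install it as e.g. /usr/local/sbin/renew-check.sh and point the cron entry at `renew-check.sh run`; a non-zero exit from the fingerprint comparison is what you want cron to mail about.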
Other certbot commands

  1. List the certificates certbot manages

    certbot certificates

  2. Change the domains of an existing certificate (the -d list replaces the lineage's domain set; the certificate keeps its --cert-name)

    certbot certonly --cert-name exist.com -d newexample.com,www.newexample.com

  3. Delete a certificate's files from the system (update or remove the nginx references first, otherwise nginx fails its next config test)

    certbot delete --cert-name example.com

Reference

certbot user guide