生活中的Design.

Generating HTTPS Certificates with Certbot

2021/07/19


  1. Generate Diffie-Hellman (DH) parameters by running this command on your server:

    openssl dhparam -out /etc/nginx/dhparam.pem 2048

  2. Create a common ACME-challenge directory (for Let's Encrypt):

    mkdir -p /var/www/_letsencrypt
    chown www-data /var/www/_letsencrypt

  3. Comment out the SSL-related directives in the configuration:

    sed -i -r 's/(listen .*443)/\1; #/g; s/(ssl_(certificate|certificate_key|trusted_certificate) )/#;#\1/g; s/(server \{)/\1\n    ssl off;/g' /etc/nginx/sites-available/jiayupearl.shop.conf

    This only disables the SSL-related parts of the server configuration, so that NGINX can start before a certificate exists. The command above is just the example from nginxconfig.io; jiayupearl.shop.conf is the name of my configuration file.

  4. Reload your NGINX server:

    sudo nginx -t && sudo systemctl reload nginx

  5. Obtain an SSL certificate from Let's Encrypt with Certbot:

    certbot certonly --webroot -d jiayupearl.shop -d www.jiayupearl.shop --email yjw999wow@163.com -w /var/www/_letsencrypt -n --agree-tos --force-renewal

    Test with --dry-run first and only then request the real certificate; otherwise repeated failed validations will run into Let's Encrypt's rate limits.

  6. Uncomment the SSL-related directives in the configuration:

    sed -i -r -z 's/#?; ?#//g; s/(server \{)\n    ssl off;/\1/g' /etc/nginx/sites-available/jiayupearl.shop.conf

    This re-enables the SSL-related server configuration now that the certificate files exist. Again, the command is just the example from nginxconfig.io; jiayupearl.shop.conf is the name of my configuration file.

  7. Reload your NGINX server:

    sudo nginx -t && sudo systemctl reload nginx

  8. Configure Certbot to reload NGINX after it successfully renews the certificate:

    echo -e '#!/bin/bash\nnginx -t && systemctl reload nginx' | sudo tee /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
    sudo chmod a+x /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh

  9. Reload NGINX to pick up the new configuration:

    sudo nginx -t && sudo systemctl reload nginx
  10. Changes for Docker/Nginx

    • /etc/nginx/dhparam.pem, /var/www/_letsencrypt and /etc/letsencrypt must be mounted into the container
    • Reload nginx with: docker exec -it nginx nginx -s reload
    • Change the contents of /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh to the following:

      #!/bin/bash
      # Renewal hooks run from certbot's timer/cron without a terminal, so docker exec
      # must not be given -t (it would fail with "the input device is not a TTY").
      docker exec nginx nginx -t && docker exec nginx nginx -s reload
  11. Nginx configuration

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.jiayupearl.shop;
        root /usr/share/nginx/html/blog;

        # SSL
        ssl_certificate /etc/letsencrypt/live/jiayupearl.shop/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/jiayupearl.shop/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/jiayupearl.shop/chain.pem;

        # security
        include nginxconfig.io/security.conf;

        # logging
        access_log /var/log/nginx/jiayupearl.shop.access.log;
        error_log /var/log/nginx/jiayupearl.shop.error.log warn;

        # index.html fallback
        location / {
            try_files $uri $uri/ /index.html;
        }

        # additional config
        include nginxconfig.io/general.conf;
    }

    # non-www, subdomains redirect
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name .jiayupearl.shop;

        # SSL
        ssl_certificate /etc/letsencrypt/live/jiayupearl.shop/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/jiayupearl.shop/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/jiayupearl.shop/chain.pem;
        return 301 https://www.jiayupearl.shop$request_uri;
    }

    # HTTP redirect
    server {
        listen 80;
        listen [::]:80;
        server_name .jiayupearl.shop;
        include nginxconfig.io/letsencrypt.conf;

        location / {
            return 301 https://www.jiayupearl.shop$request_uri;
        }
    }
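As an added example (not code from the post or from nginxconfig.io), here is a marker-based alternative to the sed commands in steps 3 and 6: the generic undo pattern `s/#?; ?#//g` also rewrites any unrelated `; #` comment in the file, whereas this version tags each line it disables and only restores those. The marker `#CERTBOOT#` and the sample vhost are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or nginxconfig.io. Steps 3 and 6 of the
# post toggle SSL with a generic sed whose undo, 's/#?; ?#//g', also mangles any unrelated
# "; #" comment. This variant tags every line it changes with a marker and undoes only those.
set -euo pipefail
MARK='#CERTBOOT#'   # assumed marker; pick any string that never appears in your configs

# Constructed sample vhost modelled on the page's server block; the "; #" comment on the
# root line is there on purpose to show that it survives the round trip untouched.
make_sample_conf() {                   # usage: make_sample_conf <path>
  cat > "$1" <<'EOF'
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.jiayupearl.shop;
    root /usr/share/nginx/html/blog; # static blog root
    ssl_certificate /etc/letsencrypt/live/jiayupearl.shop/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jiayupearl.shop/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/jiayupearl.shop/chain.pem;
}
EOF
}

# Step 3 equivalent: move "ssl ..." out of the 443 listen lines and comment out the ssl_*
# directives so nginx loads while /etc/letsencrypt/live/... does not exist yet. Because the
# listen lines no longer say "ssl", no "ssl off;" directive is needed.
disable_ssl() {                        # usage: disable_ssl <conf-file>
  local f=$1 tmp; tmp=$(mktemp)
  sed -E \
    -e "s/^([[:space:]]*listen [^;]*443)( ssl[^;]*);/\1; ${MARK}\2;/" \
    -e "s/^([[:space:]]*)(ssl_(certificate|certificate_key|trusted_certificate) )/\1${MARK} \2/" \
    "$f" > "$tmp" && mv "$tmp" "$f"
}

# Step 6 equivalent: restore exactly the lines disable_ssl marked, nothing else.
enable_ssl() {                         # usage: enable_ssl <conf-file>
  local f=$1 tmp; tmp=$(mktemp)
  sed -E \
    -e "s/^([[:space:]]*listen [^;]*443); ${MARK}( ssl[^;]*);/\1\2;/" \
    -e "s/^([[:space:]]*)${MARK} (ssl_)/\1\2/" \
    "$f" > "$tmp" && mv "$tmp" "$f"
}

# Returns 0 when disable followed by enable reproduces the original file byte for byte.
roundtrip_ok() {                       # usage: roundtrip_ok <conf-file>
  local f=$1 orig; orig=$(mktemp); cp "$f" "$orig"
  disable_ssl "$f" && enable_ssl "$f" && cmp -s "$f" "$orig"
}
```

Run `disable_ssl` before step 5 and `enable_ssl` after the certificate has been issued, following each with `nginx -t` before reloading.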