How to get free HTTPS certificates indefinitely
1. Goal
Obtain a free HTTPS certificate from Let's Encrypt and use it to deploy your own HTTPS service.
2. Procedure
Step 1. Install the environment
yum install nginx
yum install certbot
yum install python3-certbot-nginx
Step 2. Configure the nginx conf file
Create a configuration file named domain.conf in the conf.d directory:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /root/www/domain.com;
server_name domain.com www.domain.com;
}
Step 3. Generate the SSL/TLS certificate and configuration
By default certbot expects the nginx conf at /etc/nginx/nginx.conf; you can point it at a different conf directory with --nginx-server-root:
certbot --nginx --nginx-server-root=/opt/nginx/conf/
Step 4. If the previous step succeeded, certbot will have added the following configuration to domain.conf automatically:
server {
root /root/www/domain;
server_name domain.com www.domain.com;
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.domain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = domain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name domain.com www.domain.com;
return 404; # managed by Certbot
}
Step 5. Configure DNS resolution for the domain, and the site can then be accessed over https.
3. Free renewal
Let's Encrypt certificates expire after 90 days; a system cron job can renew them automatically on a schedule:
crontab -e
0 2 1 * * /usr/bin/certbot renew --quiet
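A renewal cron job that runs quietly gives no signal when it stops working (expired credentials, a firewall change, a broken nginx plugin). The following check, an added example and not part of the original post, answers the question a practitioner actually has after the cron run: is the certificate on disk still going to expire soon? It relies only on the openssl command line; the helper that creates a 30-day self-signed certificate exists purely so the check can be exercised offline, and on a real host you would point needs_renewal at /etc/letsencrypt/live/domain.com/fullchain.pem instead.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a certificate is
# close enough to expiry that the scheduled renewal should already have
# replaced it. certbot's "renew" acts within 30 days of expiry, so checking
# with a threshold slightly above 30 days flags a cron job that silently failed.

# needs_renewal CERT_PATH THRESHOLD_DAYS
# Exit status 0 when the certificate expires within THRESHOLD_DAYS (renew now),
# 1 when it stays valid beyond that window, 2 when the file is unreadable.
needs_renewal() {
    cert="$1"
    days="$2"
    [ -r "$cert" ] || return 2
    # openssl x509 -checkend N exits 0 if the cert is still valid N seconds from
    # now and 1 if it will have expired by then. Any other failure (corrupt PEM)
    # also lands in the "renew now" branch, which is the safe direction to err.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# make_test_cert DIR DAYS: constructed self-signed certificate used only so the
# check can run offline; the subject name is a placeholder.
make_test_cert() {
    dir="$1"
    days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=domain.com" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Demonstration on a constructed 30-day certificate.
tmp=$(mktemp -d)
cert=$(make_test_cert "$tmp" 30)
if needs_renewal "$cert" 40; then
    echo "expires within 40 days: renewal should have run"
fi
if ! needs_renewal "$cert" 20; then
    echo "still valid beyond 20 days"
fi
rm -rf "$tmp"
```

Run it from a second cron entry a few hours after the certbot one, with a threshold of around 35 days, and have it exit non-zero (or send an alert) when needs_renewal returns 0; that turns the quiet renewal into something you can monitor.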