    Using certbot to request a wildcard HTTPS certificate for nginx on CentOS 7

    1. Install certbot

    Official site: https://certbot.eff.org/ ; follow the officially recommended installation steps.
    The official recommendation is to install via snap: https://snapcraft.io/docs/installing-snap-on-centos

    2. Install nginx with SSL support

    https://www.cnblogs.com/nickchou/p/12678354.html

    3. Request the certificate manually

    Because there are few official plugins for Chinese DNS providers, manual DNS validation is used here (replace example.com with your own domain):

    certbot certonly --preferred-challenges dns --manual -d '*.example.com' --server https://acme-v02.api.letsencrypt.org/directory
    

    Parameter description:

    Parameter                        Meaning
    certonly                         Only obtain the certificate; nginx is configured by hand. You can also omit certonly and follow the interactive prompts step by step.
    --nginx-server-root              Specifies the nginx conf directory; if omitted, certbot looks for /etc/nginx/nginx.conf by default.
    -d                               Specifies the domain; several can be given.
    --preferred-challenges dns       Use DNS validation.
    --manual                         Perform the DNS validation by hand.
    --server                         Specifies the latest Let's Encrypt v2 API endpoint.

    After running the command you are asked to confirm with Y.

    Then add a TXT record to your DNS by hand.

    Once it is added, press Enter to continue. Note the directory where the certificate is stored; by default it is /etc/letsencrypt/live

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/example.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/example.com/privkey.pem
       Your cert will expire on 2021-11-16. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
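    Before pressing Enter at certbot's prompt, it is worth confirming that the _acme-challenge TXT record is actually visible in public DNS, because Let's Encrypt fails the challenge if the record has not propagated yet and the whole command has to be repeated. The script below is an added example and is not part of the original post: it assumes dig is installed, and the domain, token value and resolver address are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the _acme-challenge TXT
# record is visible from public DNS before continuing in certbot's prompt.
# The domain, token value and resolver are placeholders / constructed.

# txt_record_present EXPECTED
#   Reads dig-style TXT answers (one quoted string per line) on stdin and
#   returns 0 if one of them equals EXPECTED, 1 otherwise.
txt_record_present() {
    expected="$1"
    while IFS= read -r line; do
        # dig +short prints TXT values wrapped in double quotes; strip them.
        value=$(printf '%s' "$line" | sed 's/^"//; s/"$//')
        [ "$value" = "$expected" ] && return 0
    done
    return 1
}

# wait_for_txt DOMAIN EXPECTED [ATTEMPTS] [RESOLVER]
#   Polls a public resolver every 10 seconds until the record appears
#   (default 12 attempts, i.e. about two minutes).
wait_for_txt() {
    domain="$1"; expected="$2"; attempts="${3:-12}"; resolver="${4:-1.1.1.1}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if dig +short TXT "_acme-challenge.$domain" "@$resolver" | txt_record_present "$expected"; then
            echo "TXT record for _acme-challenge.$domain is live; continue in certbot."
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT record not visible after $attempts checks; do not continue yet." >&2
    return 1
}

# Usage (placeholder values; paste the token certbot displays):
#   wait_for_txt example.com 'token-from-certbot-prompt'
```

    Run it in a second terminal while certbot is waiting; only press Enter in the certbot window once the script reports the record as live.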
    

    4. Configure the certificate in nginx

        server {
            listen       80;
            server_name  www.domain.com;
            return       301 https://$server_name$request_uri; # redirect http to https
        }
        server {
            listen       443 ssl;
            server_name  www.domain.com;
            # use the paths of the certificate just generated
            ssl_certificate   /etc/letsencrypt/live/www.domain.com/fullchain.pem;
            ssl_certificate_key  /etc/letsencrypt/live/www.domain.com/privkey.pem;
            # load certbot's default ssl settings
            include /etc/letsencrypt/options-ssl-nginx.conf;
            ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
            location / {
                root /data/website/h5;    # static files directory
                index index.html;         # default index page
            }
            location /api {
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://127.0.0.1:9101;
                proxy_redirect off;
            }
        }
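    The server block references options-ssl-nginx.conf and ssl-dhparams.pem, which certbot's nginx plugin installs; after a certonly --manual run they may not exist yet, and nginx refuses to start when any referenced file is missing. The pre-flight script below is an added example, not from the original post: it lists the files the server block refers to, checks each is readable, checks that the private key actually belongs to the certificate, and only then runs nginx -t and reloads. The conf file path in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original post): pre-flight checks before
# reloading nginx with a server block like the one above. Paths in the usage
# line are placeholders.

# tls_paths CONF
#   Prints every file path referenced by ssl_certificate, ssl_certificate_key,
#   ssl_dhparam and include directives in CONF, one per line.
tls_paths() {
    awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" ||
         $1 == "ssl_dhparam" || $1 == "include" { sub(/;.*/, "", $2); print $2 }' "$1"
}

# check_tls_paths CONF
#   Returns 0 if every referenced file exists and is readable, 1 otherwise,
#   listing the missing ones on stderr.
check_tls_paths() {
    missing=0
    for f in $(tls_paths "$1"); do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            missing=1
        fi
    done
    return "$missing"
}

# key_matches_cert CERT KEY
#   Returns 0 when the public key inside CERT equals the one derived from KEY
#   (works for RSA and EC keys).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# safe_reload CONF CERT KEY
#   Runs the checks above, then nginx -t, and only then reloads nginx.
safe_reload() {
    check_tls_paths "$1" || return 1
    key_matches_cert "$2" "$3" || { echo "private key does not match certificate" >&2; return 1; }
    nginx -t || return 1
    systemctl reload nginx
}

# Usage (placeholder paths):
#   safe_reload /etc/nginx/conf.d/www.domain.com.conf \
#       /etc/letsencrypt/live/www.domain.com/fullchain.pem \
#       /etc/letsencrypt/live/www.domain.com/privkey.pem
```

    Running the key check before the reload matters because nginx -t alone does not tell you that fullchain.pem and privkey.pem come from the same certbot run; a mismatched pair only shows up as a TLS handshake failure after the reload.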
    

    5. Certificate renewal

    Test automatic renewal:

    certbot renew --dry-run


    With manual DNS validation the certificate cannot be renewed automatically.
    If it is a subdomain certificate that did not need DNS validation, you can renew it by hand directly:

    certbot renew -v
    

    6. Check the certificate expiry date

    certbot certificates
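    Since a wildcard certificate obtained with --manual is not renewed by certbot renew, the main operational risk is that it silently expires. The watchdog below is an added example, not from the original post: it parses the output of certbot certificates (the line format is assumed from certbot 1.x, and the embedded sample output is constructed) and reports every certificate with fewer than a threshold of days left, so it can be run from cron as a reminder to repeat the manual request.

```shell
#!/bin/sh
# Added example (not from the original post): a renewal watchdog for
# certificates issued with --manual DNS validation, which "certbot renew"
# cannot renew. The output format of "certbot certificates" is assumed from
# certbot 1.x; the sample below is constructed.

SAMPLE_CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Domains: *.example.com
    Expiry Date: 2021-11-16 08:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: www.domain.com
    Domains: www.domain.com
    Expiry Date: 2021-12-30 08:00:00+00:00 (VALID: 56 days)
    Certificate Path: /etc/letsencrypt/live/www.domain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.domain.com/privkey.pem'

# cert_days_left
#   Reads "certbot certificates" output on stdin and prints "<name> <days>"
#   per certificate. Anything not marked VALID (e.g. INVALID: EXPIRED) is
#   reported as 0 days.
cert_days_left() {
    awk '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if (match($0, /VALID: [0-9]+ day/)) {
                split(substr($0, RSTART, RLENGTH), parts, " ")
                print name, parts[2]
            } else {
                print name, 0
            }
        }'
}

# expiring_certs THRESHOLD_DAYS
#   Reads the same output on stdin; prints the names that expire within
#   THRESHOLD_DAYS and returns 1 if there are any, 0 otherwise.
expiring_certs() {
    threshold="$1"
    cert_days_left | awk -v t="$threshold" '$2 < t { print $1; found = 1 } END { exit found ? 1 : 0 }'
}

# check_renewals [THRESHOLD_DAYS]
#   Runs the real certbot and prints an alert; intended for a daily cron job.
check_renewals() {
    threshold="${1:-14}"
    if names=$(certbot certificates 2>/dev/null | expiring_certs "$threshold"); then
        echo "all certificates have more than $threshold days left"
    else
        echo "RENEW MANUALLY (repeat the certbot certonly --manual request): $names" >&2
        return 1
    fi
}

# Usage:
#   check_renewals 14
```

    The threshold is deliberately well inside the 90-day lifetime, so a failed check still leaves time to repeat the manual DNS challenge before the old certificate stops working.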
    
    Original article: https://www.cnblogs.com/nickchou/p/15157333.html