  • Let's Encrypt: configuring automatic SSL certificate renewal

    Configure the basic Nginx settings:

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  yourwebsite.com;
    
        location ^~ /.well-known/acme-challenge/ {
           default_type "text/plain";
           root     /var/www/letsencrypt;
        }
    
        location = /.well-known/acme-challenge/ {
           return 404;
        }
        # ... other configuration, for example
        location / {
          proxy_pass http://localhost:8080;
        }
    }
    

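    Here the location block serves the /.well-known/acme-challenge/ path, which hosts simple files; I host a simple HTML file here. The reason is that you must prove that you own the domain for which the certificate is requested, so Let's Encrypt requires you to host some files.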

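    Certificates expire after 90 days

    Let's Encrypt certificates expire after 90 days, so you need to configure a script that renews them automatically.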

    #!/bin/sh
    # This script renews all the Let's Encrypt certificates with a validity < 30 days
    
    if ! /opt/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 ; then
        echo Automated renewal failed:
        cat /var/log/letsencrypt/renew.log
        exit 1
    fi
    nginx -t && nginx -s reload
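
    The renewal script only helps if it keeps running. As an added example (not part of the original post), this POSIX sh check reports how many days a certificate has left and flags one that has slipped well inside the 30-day renewal window. The 20-day alert threshold and the function names are assumptions, and `not_after_epoch` needs `openssl` and GNU `date`.

```sh
#!/bin/sh
# Added example (not from the original post): check that automatic renewal
# is keeping a certificate fresh. Exit codes: 0 ok, 1 warning, 2 critical.

RENEW_WINDOW_DAYS=30  # the renew command acts below this (per the script's comment)
ALERT_DAYS=20         # assumption: this deep into the window, renewal is failing

# days_left NOT_AFTER_EPOCH NOW_EPOCH -> whole days remaining (floored, negative if expired)
days_left() {
    secs=$(( $1 - $2 ))
    if [ "$secs" -lt 0 ]; then
        echo $(( (secs - 86399) / 86400 ))
    else
        echo $(( secs / 86400 ))
    fi
}

# classify DAYS -> prints ok | renewal-due | renewal-failing | expired
classify() {
    if   [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -lt "$ALERT_DAYS" ]; then echo renewal-failing
    elif [ "$1" -lt "$RENEW_WINDOW_DAYS" ]; then echo renewal-due
    else echo ok
    fi
}

# not_after_epoch CERT_PEM -> expiry of the first certificate in the file, as Unix time
not_after_epoch() {
    end=$(openssl x509 -in "$1" -noout -enddate) || return 1
    date -u -d "${end#notAfter=}" +%s
}

# check_cert CERT_PEM -> prints one status line; returns 0, 1 or 2 as described above
check_cert() {
    exp=$(not_after_epoch "$1") || { echo "unreadable: $1"; return 2; }
    d=$(days_left "$exp" "$(date -u +%s)")
    state=$(classify "$d")
    echo "$state: $1 has $d day(s) left"
    case $state in
        ok|renewal-due)  return 0 ;;
        renewal-failing) return 1 ;;
        *)               return 2 ;;
    esac
}

# Runs only when a certificate path is passed, e.g.
#   ./check-cert.sh /etc/letsencrypt/live/www.domain.com/fullchain.pem
if [ "$#" -gt 0 ]; then check_cert "$1"; exit $?; fi
```

    Scheduling it separately from the renewal job means a renewal that fails silently is still noticed before the certificate expires.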

    Example configuration:

    server {
        server_name   www.domain.com domain.com;

        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        location / {
            proxy_pass        https://shops.domain.com/;
            proxy_set_header  Host $host;
        }

        location ^~ /.well-known/acme-challenge/ {
           default_type "text/plain";
           root     /usr/share/nginx/html;
        }

        location = /.well-known/acme-challenge/ {
           return 404;
        }
    }
    

      

  • Original article: https://www.cnblogs.com/weifeng1463/p/15691920.html