部署https并自动续期

1.其它步骤参考地址
https://blog.csdn.net/achenyuan/article/details/79021340
https://blog.csdn.net/Dancen/article/details/62235762

2.配置nginx 开启https
#./configure --prefix=/data/nginx --with-pcre=/usr/local/pcre-8.39 --with-zlib=/usr/local/zlib-1.2.11 --with-openssl=/usr/local/openssl-1.0.1t --with-http_stub_status_module --with-http_ssl_module

./configure --prefix=/data/nginx --with-http_stub_status_module --with-http_ssl_module

3.生成证书
#内部服务器方式，需要先停止nginx
./letsencrypt-auto certonly --standalone --email yjhkhnuje@163.com -d *.redlichee.com 

4.创建调度任务
#!/bin/sh
#停止 nginx 服务,使用 --standalone 独立服务器验证需要停止当前 web server.
/data/nginx/sbin/nginx -s stop
if ! /home/soft/ssl/certbot-0.26.1/letsencrypt-auto renew -nvv --standalone > /home/soft/ssl/certbot-0.26.1/renew.log 2>&1 ; then
echo Automated renewal failed:
cat /home/soft/ssl/certbot-0.26.1/renew.log
exit 1
fi
#启动 nginx
/data/nginx/sbin/nginx

#授权可执行
chmod +x letsencrypt-renew.sh

5.添加调度任务
vi /etc/crontab

#分 时 日 月 星期 执行用户 执行命令
0 23 28 * * root /脚本目录/letsencrypt-renew.sh

#启用调度
crontab /etc/crontab

#临时目录方式
./letsencrypt-auto certonly --webroot --email lzm@senscrm.com -w /data/web/nginx/html/senscrm.com -d redlichee.com -d www.redlichee.com -d demo.redlichee.com -d v2.redlichee.com -d index.redlichee.com -d app.redlichee.com -d static.redlichee.com -d wx.redlichee.com -d git.redlichee.com -d nexus.redlichee.com -d pm.redlichee.com -d wxdsf.redlichee.com -d ehr.redlichee.com -d ssj.redlichee.com -d yjs.redlichee.com -d senscrm.com -d www.senscrm.com -d demo.senscrm.com

# 手动方式
./letsencrypt-auto certonly --manual --email lzm@senscrm.com -d redlichee.com -d www.redlichee.com -d demo.redlichee.com -d v2.redlichee.com -d index.redlichee.com -d app.redlichee.com -d static.redlichee.com -d wx.redlichee.com -d git.redlichee.com -d nexus.redlichee.com -d pm.redlichee.com -d wxdsf.redlichee.com -d ehr.redlichee.com -d ssj.redlichee.com -d yjs.redlichee.com -d senscrm.com -d www.senscrm.com -d demo.senscrm.com

server {

listen 443 ssl;

server_name localhost;

ssl_certificate /etc/letsencrypt/live/redlichee.com/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/redlichee.com/privkey.pem;

ssl_dhparam /etc/ssl/certs/dhparams.pem;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

ssl_prefer_server_ciphers on;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

}