Configuring Let's Encrypt on CentOS with automatic renewal

Suppose everything is placed under /home:

    wget https://github.com/certbot/certbot/archive/master.zip
    unzip master.zip
    cd certbot-master/
    ./certbot-auto --help
    ./certbot-auto certonly --webroot --agree-tos -v -t --email loonghereqq.com -w /var/www/vduok.com/mch/web -d mch.vduok.com

If it reports an error, run it again.
--email is the e-mail address, the argument after -w is the site's web root directory, and the argument after -d is the site's domain name.
The generated certificate is then placed under /etc/letsencrypt/live/.
Edit the nginx configuration file. Different frameworks need different changes, but they are broadly similar:

    server {
        listen 443;
        server_name mch.vduok.com;
        ssl on;
        root /var/www/vduok.com/merchant/web;
        index index.html index.php;
        ssl_certificate "/etc/letsencrypt/live/mch.vduok.com/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/mch.vduok.com/privkey.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        location / {
            try_files $uri $uri/ /index.php$is_args$query_string;
        }
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
        location /storage/ {
            alias /var/www/vduok.com/storage/;
        }
    }
    server {
        server_name mch.vduok.com;
        location / {
            rewrite (.*) https://mch.vduok.com$1 permanent;
        }
    }

Then reload nginx:

    service nginx reload
This completes the SSL setup. The certificate is valid for 3 months; shortly before it expires, a reminder is sent to the e-mail address above, and renewing it from the server is enough:

    /home/certbot-master/certbot-auto renew

That completes the renewal.
Add a scheduled task. The job below renews the certificate automatically every Monday at 04:30 and then restarts the nginx service. The certificate can only be renewed within the last 30 days before it expires; renewal runs outside that window are simply ignored. Renewing weekly has a further advantage: a renewal attempt can fail, and this way there are still up to 4 more attempts to make sure the certificate does not expire.

Create the script renew-cert.sh:

    #!/bin/bash
    /home/certbot-master/certbot-auto renew
    /sbin/service nginx reload

Save the script and make it executable:

    chmod a+x renew-cert.sh

Add the cron entry:

    crontab -e
    30 4 * * 1 /home/renew-cert.sh >> /home/renew-cert.log 2>&1

Save and restart crond:

    service crond restart

Automatic certificate renewal is now set up.
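As an added example (not part of the original post), here is a hardened variant of renew-cert.sh: it logs how many days the live certificate has left, runs renew, and reloads nginx only when the certificate file actually changed and nginx -t passes, so a failed renewal or a broken config never triggers a reload. It assumes the paths used in the post (certbot-auto in /home/certbot-master, the live directory /etc/letsencrypt/live/mch.vduok.com), an nginx binary at /usr/sbin/nginx, and GNU date for -d.

```bash
#!/bin/bash
# Hardened renew-cert.sh (added example; assumed paths follow the post).
CERTBOT=${CERTBOT:-/home/certbot-master/certbot-auto}
CERT=${CERT:-/etc/letsencrypt/live/mch.vduok.com/fullchain.pem}
NGINX=${NGINX:-/usr/sbin/nginx}
RENEW_WINDOW_DAYS=30   # certbot only renews inside this window

# Whole days between an openssl "notAfter" string ($1) and "now" ($2, epoch
# seconds, defaults to the current time). Needs GNU date for -d.
days_left_from_enddate() {
    local end_s now_s
    end_s=$(date -u -d "$1" +%s) || return 1
    now_s=${2:-$(date +%s)}
    echo $(( (end_s - now_s) / 86400 ))
}

# Days until the certificate file $1 expires.
days_until_expiry() {
    local end
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2) || return 1
    days_left_from_enddate "$end" "$2"
}

# True when a certificate with $1 days left is inside the renewal window.
needs_renewal() {
    [ "$1" -le "$RENEW_WINDOW_DAYS" ]
}

# SHA-256 fingerprint of a certificate; a change means renew replaced it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

main() {
    local days before after
    days=$(days_until_expiry "$CERT") || { echo "cannot read $CERT" >&2; exit 1; }
    echo "$(date) $CERT has $days days left"
    needs_renewal "$days" || { echo "$(date) outside renewal window, skipping"; exit 0; }
    before=$(cert_fingerprint "$CERT")
    "$CERTBOT" renew --quiet || { echo "$(date) renew failed" >&2; exit 1; }
    after=$(cert_fingerprint "$CERT")
    if [ "$before" = "$after" ]; then
        echo "$(date) certificate unchanged, nginx not reloaded"; exit 0
    fi
    # Validate the config first: reloading a broken config takes the site down.
    "$NGINX" -t && /sbin/service nginx reload
}

# Run main only where certbot-auto exists; elsewhere the functions can be sourced.
if [ -x "$CERTBOT" ]; then main; fi
```

Point the cron entry from the post at this script instead of the three-line version; the log line with the remaining days makes a silently failing renewal visible in /home/renew-cert.log.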