Installation
Set up python3 as needed, then install certbot from EPEL:
sudo yum update
sudo yum install python3
yum install epel-release
yum install certbot
Options of the certonly command used below:
--webroot: use the webroot challenge to prove ownership of the domain; suitable for a site that is already running.
-w ./html: the path after -w (./html here) is the site's document root. Certbot writes temporary challenge files into it, and the domain's web server serves them in response to requests from Let's Encrypt's validation servers, which proves your control of the domain. (The directory must be directly reachable over HTTP at the domain's root, i.e. the files Certbot puts under ./html/.well-known/acme-challenge/ must be served at http://domain.com/.well-known/acme-challenge/.)
-d domain.com: the domain to request the certificate for.
--cert-name test.com: the name of the certificate. In Certbot's storage layout this is the directory name under which the certificate, key and related files are kept; naming it explicitly makes later management (renewal, deletion) easier.
--key-type rsa: the key type for the certificate. RSA is a widely used public-key algorithm, so this generates an RSA key; other key types such as ECC (elliptic-curve cryptography, --key-type ecdsa in Certbot) are also available.
certbot certonly --webroot -w ./html -d test.com --cert-name test.com --key-type rsa
Or:
sudo /usr/local/bin/certbot-auto certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
Output like the following means the request succeeded:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/test.burlambird.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/test.burlambird.com/privkey.pem
Your certificate will expire on 2024-08-07. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Test a manual renewal
certbot renew
When no certificate is due yet, certbot renew prints output like this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/teeekopet.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/teeekopet.com/fullchain.pem expires on 2024-08-07 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Delete a certificate
sudo certbot delete --cert-name example.com
nginx configuration
server {
    listen 80;
    listen 443 ssl;
    server_name qq.com;
    ssl_certificate /etc/letsencrypt/live/qq.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/qq.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); on a current nginx/OpenSSL
    # prefer "ssl_protocols TLSv1.2 TLSv1.3;"
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
Get the ssl-cert-check script
wget https://raw.githubusercontent.com/Matty9191/ssl-cert-check/master/ssl-cert-check
Make the script executable
chmod +x ssl-cert-check
Test it (warn if the certificate served by baidu.com:443 expires within 30 days)
./ssl-cert-check -s baidu.com -p 443 -x 30
Renewal script
#!/bin/bash
# Array of certificate file paths to check
certificates=(
    "/etc/letsencrypt/live/domain.com/fullchain.pem"
    "/etc/letsencrypt/live/domain.com/fullchain2.pem"
)
# Path to ssl-cert-check. cron does not run from the download directory,
# so set this to an absolute path when the script runs from cron.
SSL_CERT_CHECK="${SSL_CERT_CHECK:-./ssl-cert-check}"
# Flag indicating whether a renewal is needed
need_update=0
# Check each certificate. -n gives Nagios-style exit codes:
# 0 = ok, 1 = expires within -x days, 2 = already expired, 3 = unknown/error
for cert in "${certificates[@]}"; do
    "$SSL_CERT_CHECK" -c "$cert" -x 30 -n -q
    result=$?
    if [ "$result" -eq 1 ] || [ "$result" -eq 2 ]; then
        need_update=1
    elif [ "$result" -eq 0 ]; then
        echo "INFO: Certificate at $cert is up-to-date."
    else
        echo "ERROR: Failed to check certificate at $cert."
        exit 1
    fi
done
# Renew the certificates if needed
if [ "$need_update" -eq 1 ]; then
    echo "INFO: Some certificates are about to expire. Attempting renewal..."
    if /usr/bin/certbot renew --quiet; then
        echo "INFO: Certificate renewal successful."
        # Reload nginx so it picks up the renewed certificate files
        echo "INFO: Attempting to reload Nginx..."
        if sudo systemctl reload nginx; then
            echo "INFO: Nginx reloaded successfully."
            exit 0
        else
            echo "ERROR: Failed to reload Nginx."
            exit 1
        fi
    else
        echo "ERROR: Certificate renewal failed."
        exit 1
    fi
else
    echo "INFO: No certificate needs renewal."
fi
Add a scheduled task (an /etc/cron.d style entry with a user field; runs the script every 12 hours)
0 */12 * * * root /path/example.sh
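As an added example (not from the original post), a few bash checks to run after the renewal script above: whether privkey.pem really belongs to fullchain.pem before nginx is reloaded, whether the on-disk certificate still falls inside the expiry window, and whether the certificate nginx presents on port 443 matches the file on disk, which catches a renewed-but-not-reloaded server. It requires the openssl CLI; the domain, port and certbot paths are placeholders.

```shell
#!/bin/bash
# Added example, not part of the original post. Needs the openssl CLI.
set -u

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file;
# fullchain.pem lists the leaf first, so only the leaf is read.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the leaf certificate host $1 serves on port $2 (SNI sent).
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# 0 if the certificate in $1 expires within $2 days, 1 otherwise.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if private key $2 belongs to certificate $1. Compares the public key
# (SubjectPublicKeyInfo) of both, so it works for RSA and ECDSA keys alike.
cert_matches_key() {
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Post-renewal check for one site: key/cert pairing, expiry window, and
# whether the live server already presents the on-disk certificate.
# Usage: post_renew_check DOMAIN PORT FULLCHAIN PRIVKEY WARN_DAYS
post_renew_check() {
    local domain=$1 port=$2 chain=$3 key=$4 days=$5
    cert_matches_key "$chain" "$key" \
        || { echo "ERROR: $key does not match $chain"; return 1; }
    if cert_expires_within "$chain" "$days"; then
        echo "WARN: $chain expires within $days days"; return 1
    fi
    if [ "$(cert_fingerprint "$chain")" != "$(served_fingerprint "$domain" "$port")" ]; then
        echo "WARN: $domain:$port still serves a different certificate (reload nginx?)"
        return 2
    fi
    echo "INFO: $domain:$port serves the current certificate"
}
```

Call it as post_renew_check test.com 443 /etc/letsencrypt/live/test.com/fullchain.pem /etc/letsencrypt/live/test.com/privkey.pem 30 after the reload step of the script above; a return code of 2 means the reload did not take effect.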