1. Let's Encrypt certificate
# Let's Encrypt certificate
# Run these commands in order
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x ./certbot-auto
sudo ./certbot-auto --help
2. Obtaining and installing the certificate
# Create a wildcard certificate (the * is quoted so the shell does not expand it as a glob)
$ sudo ./certbot-auto certonly -d '*.xxx.com' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
*.xxx.com stands for your own domain; the * covers all of its subdomains.
When the following line appears, pay attention (do not press Enter right away):
_acme-challenge.xxx.com = O3wTEcONmDE-2el69a6xHv7O28M4P0i7hxiJGluJ_xQ
Domain system -> DNS resolution -> add a TXT record
Go to the DNS resolution page of the Aliyun console, add a record like the one below, and only then press Enter (you can confirm the record has propagated with `dig TXT _acme-challenge.xxx.com` before continuing):
Type: select TXT
Host record: _acme-challenge.xxx.com
Record value: O3wTEcONmDE-2el69a6xHv7O28M4P0i7hxiJGluJ_xQ
During this process you may also be asked for your e-mail address (take it slowly if you are not familiar with the environment).
On success it prints the following, which shows the directory where fullchain.pem and privkey.pem are stored:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/xxx.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/xxx.com/privkey.pem
Your cert will expire on 2019-02-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
3. Copy the certificate into the directory mapped into the nginx container
Create and start the nginx container:
sudo docker run -d \
--name=nginx \
--restart always \
-p 80:80 -p 443:443 \
-v /opt/nginx/conf.d:/etc/nginx/conf.d \
-v /opt/nginx/sslkey:/etc/nginx/sslkey \
nginx
The conf.d folder holds the nginx configuration files (the .conf server blocks included by nginx.conf, such as xxx.xxxx.com.conf in step 4).
The sslkey folder holds fullchain.pem and privkey.pem.
# -L follows the symlinks in the live/ directory; without it the container would receive dangling links pointing at /etc/letsencrypt/archive, which it cannot see
cp -L /etc/letsencrypt/live/xxx.com/* /opt/nginx/sslkey/
4. Configure the nginx file
## nginx: configure the SSL certificate
xxx.xxxx.com.conf
server {
    listen 443 ssl;   # "ssl on;" is deprecated since nginx 1.15.0 and later removed; enable TLS on the listen directive instead
    server_name xx.xxxx.com;
    client_max_body_size 1000M;
    ssl_certificate /etc/nginx/sslkey/fullchain.pem;
    ssl_certificate_key /etc/nginx/sslkey/privkey.pem;
    location / {
        proxy_pass http://xx.xx.xx.xx:xxx; # your own IP and port
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
5. Verify HTTPS and renewal
This certificate is valid for only 90 days, so it has to be renewed when it is about to expire. Note that `renew` runs non-interactively: a certificate validated with the `--manual` DNS challenge can only be renewed this way if a `--manual-auth-hook` script that creates the TXT record is supplied.
# Renew (the tool downloaded in step 1 is certbot-auto, which is also what the success message above tells you to run)
certbot-auto renew
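Renewal only updates /etc/letsencrypt; the copy made in step 3 goes stale and the container keeps serving the old certificate. The deploy hook below is an added example (not from the original post) that repeats the step-3 copy after every successful renewal and reloads nginx. It assumes the container name `nginx` and the mount `/opt/nginx/sslkey` from the docker run command above, and relies on `RENEWED_LINEAGE`, which certbot sets when it runs a deploy hook.

```shell
#!/bin/sh
# Added example, not the original post's code.
# Usage: certbot-auto renew --deploy-hook /path/to/this/script
set -eu

# copy_live_certs <live dir> <target dir>
# Copies the two files nginx needs, dereferencing the symlinks that
# /etc/letsencrypt/live/<domain>/ contains (cp -L). A plain cp would put
# dangling symlinks into the container, which has no /etc/letsencrypt.
copy_live_certs() {
    src="$1"; dst="$2"
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || return 1
    mkdir -p "$dst"
    cp -L "$src/fullchain.pem" "$src/privkey.pem" "$dst/"
    # the private key must not be readable by other users on the host
    chmod 600 "$dst/privkey.pem"
    chmod 644 "$dst/fullchain.pem"
}

# reload_nginx_container <container name>
# Validates the config inside the container before reloading, so a bad
# certificate file cannot take the site down.
reload_nginx_container() {
    docker exec "$1" nginx -t && docker exec "$1" nginx -s reload
}

# RENEWED_LINEAGE (set by certbot) points at /etc/letsencrypt/live/<domain>;
# it is absent when the functions are sourced for testing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_live_certs "$RENEWED_LINEAGE" /opt/nginx/sslkey   # assumed mount path
    reload_nginx_container nginx                           # assumed container name
fi
```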