官网:https://letsencrypt.org/zh-cn
官网建议使用Certbot的方式进行安装,所以首先我们需要安装Certbot
Certbot)
选择运行的机器与系统的对应信息,选择之后页面会进行跳转,我这边使用的是Centos8+NGINX, 会跳转到页面:Certbot - Centosrhel8 Nginx (eff.org)
1.需要登录服务器
2.安装snapd工具(Installing snap on CentOS | Snapcraft documentation)
1)查看Centos版本
cat /etc/centos-release
2)添加epel源
$ sudo dnf install epel-release
$ sudo dnf upgrade
3)安装snapd
sudo yum install snapd #加入systemd管理进程 sudo systemctl enable --now snapd.socket # 添加classic支持 sudo ln -s /var/lib/snapd/snap /snap
安装完成之后, 需要新打开一个终端, 重新进入, 即可使用snapd相关命令
3.安装snap之后,要升级到最新的版本
sudo snap install core; sudo snap refresh core
4.移除老的之前安装过的Certbot工具删除掉
sudo apt-get remove certbot sudo dnf remove certbot sudo yum remove certbot
5.安装Certbot
sudo snap install --classic certbot
创建软链接:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
6.对nginx生成证书
certbot --nginx #如果配置不是默认的位置 (/etc/nginx or /usr/local/etc/nginx),需要手动指定配置文件所在目录 certbot certonly --nginx --nginx-server-root=/root/nginx/conf
正常的话,就顺利生成了证书与Key:
进行nginx配置:
server { listen 80; server_name xx.xx.com; access_log /data/log/nginx/access_xx.xx.com_80.log main buffer=10k flush=5s; error_log /data/log/nginx/error_xx.xx.com_80.log warn; location / { proxy_pass http://127.0.0.1:8000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-NginX-Proxy true; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } server { listen 443 ssl; server_name xx.xx.com; access_log /data/log/nginx/access_xx.xx.com_443.log main; error_log /data/log/nginx/error_xx.xx.com_443.log warn; ssl_certificate /etc/letsencrypt/live/xx.xx.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/xx.xx.com/privkey.pem; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { proxy_pass http://127.0.0.1:8000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-NginX-Proxy true; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } }
然后重新加载配置文件即可:
nginx -t
nginx -s reload
7.测试证书到期自动更换
sudo certbot renew --dry-run
这个时候 就可以使用https访问一下啦~~~
注意点:
1.nginx需要支持SSL
nginx -V
查看是否加载模块: --with-http_ssl_module
参考: