- 安裝certbot
wget https://dl.eff.org/certbot-auto chmod a+x certbot-auto -
./certbot-auto certonly --standalone -d abc.com -d www.abc.com
certonly: obtain or renew a certificate,but do not install it
run: (default) obtain & install a certificate in your current webserver
renew: renew all previously botained certificate that are near expiry
-d : domains, Comma-separated list of domains to obtain a certificate
--manual: obtain certificate -
./certbot-auto certificates展示獲取的證書信息
- 執行上面指令,按提示操作。
Certbot 會啟動一個臨時服務器來完成驗證(會占用80端口或443端口,因此需要暫時關閉 Web 服務器),然后 Certbot 會把證書以文件的形式保存,包括完整的證書鏈文件和私鑰文件。
文件保存在 /etc/letsencrypt/live/ 下面的域名目錄下。
修改nginx配置
server { listen 80; server_name abc.com; rewrite ^(.*) https://abc.com permanent; } server { listen 443 ssl default_server; listen [::]:443 ssl default_server; ssl_certificate /etc/letsencrypt/live/abc.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/abc.com/privkey.pem; server_name www.abc.com; root /web/abc.com/; } - 創建定時任務,自動續期
默認證書有效期3個月
crontab -e 0 3 1 * * ./certbot-auto renew --renew-hook "sudo nginx -s reload"每月1日的凌晨3點就會執行一次所有域名的續期操作。