Automated SSL certificate deployment: certbot in practice

Install the Certbot tool


sudo apt-get update
sudo apt-get install certbot
certbot --version

ImportError: cannot import name 'appengine' from 'urllib3.contrib' (/usr/local/lib/python3.10/dist-packages/urllib3/contrib/__init__.py)

Fix: uninstall and reinstall urllib3


pip uninstall urllib3
pip install urllib3

Set up DNS resolution
Request a certificate

Method one: webroot mode. You point certbot at the site's document root, and it creates a .well-known directory there to prove ownership of the domain.


certbot certonly --webroot -w /root/www/html -d tmp1210.visionmedicals.cn

Once the certificate has been issued, a folder named after the domain appears under /etc/letsencrypt/live/.

Method two: certbot also has a --standalone mode. It does not need a website root directory; instead it starts its own listener on the server's port 443 to verify ownership of the domain. If another service (for example nginx) already occupies port 443, that service must be stopped first and started again after the certificate has been issued.


# sudo certbot certonly --standalone --email jxiao@visionmedicals.com --agree-tos -d xjtmp.test.visionmedicals.cn
certbot certonly --standalone --email jxiao@visionmedicals.com --agree-tos -d tmp1210.test.visionmedicals.cn

Automatic certificate renewal
Free Let's Encrypt certificates are valid for 90 days, so automatic renewal has to be set up to make sure they do not expire. Certbot provides a convenient command-line tool for renewing certificates automatically.

Set up a scheduled task


sudo crontab -e
0 0 * * 0 certbot renew --quiet

This runs the certificate renewal every Sunday at midnight.

Hands-on demo
step1. Configure DNS resolution first
step2. Configure a new site
so that it can be reached normally over HTTP


server {
    listen 80;
    listen [::]:80;
    server_name tmp1210e.visionmedicals.cn;

    #access_log /var/log/nginx/host.access.log main;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

step3. Generate the certificate into the specified directory


root@iZ7xva33l57s9vs0useftcZ:~/software/docker/nginx/config/conf.d# certbot certonly --webroot -w /root/www/html -d tmp1210e.visionmedicals.cn --config-dir /root/software/docker/nginx/config/conf.d/cert/ --email jxiao@visionmedicals.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for tmp1210e.visionmedicals.cn

Successfully received certificate.
Certificate is saved at: /root/software/docker/nginx/config/conf.d/cert/live/tmp1210e.visionmedicals.cn/fullchain.pem
Key is saved at: /root/software/docker/nginx/config/conf.d/cert/live/tmp1210e.visionmedicals.cn/privkey.pem
This certificate expires on 2024-03-09.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
We were unable to subscribe you the EFF mailing list. You can try again later by visiting https://act.eff.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

step4: Update the configuration


server {
    listen 443 ssl;
    server_name tmp1210e.visionmedicals.cn;

    #access_log /var/log/nginx/host.access.log main;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # relative paths resolve against the nginx prefix (/etc/nginx in the official image)
    ssl_certificate conf.d/cert/live/tmp1210e.visionmedicals.cn/fullchain.pem;
    ssl_certificate_key conf.d/cert/live/tmp1210e.visionmedicals.cn/privkey.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:1m;
    # anonymous (aNULL) suites have to be excluded with "!", not enabled
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated; keep them only if a legacy client needs them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

}

# plain-HTTP entry for the demo domain now only redirects to HTTPS
server {
    listen 80;
    server_name tmp1210e.visionmedicals.cn;
    # "^" captures nothing, so $1 was always empty; $request_uri keeps the original path and query
    return 301 https://$host$request_uri;
}
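The cron line in the renewal section runs `certbot renew` with certbot's default directories, but the demo issued its certificate with a custom --config-dir, and certbot keeps renewal settings under <config-dir>/renewal/, so a plain `certbot renew` finds nothing to renew and nothing reloads the dockerized nginx afterwards. The wrapper below is an added example (not from the original post): it reads the expiry of the live certificate, decides whether it is inside the 30-day renewal window, and renews through the same --config-dir with a deploy hook that reloads nginx; the container name `nginx` and the use of GNU `date` are assumptions.

```shell
#!/bin/sh
# Renewal wrapper for the docker/nginx layout used in the demo above.
# Assumptions (not from the original post): the nginx container is named "nginx",
# and GNU date is available to parse openssl's "notAfter=" line.
set -eu

CONFIG_DIR="/root/software/docker/nginx/config/conf.d/cert"   # same --config-dir as step 3
DOMAIN="tmp1210e.visionmedicals.cn"
RENEW_BEFORE_DAYS=30    # certbot's own default: renew when fewer than 30 days remain

# Seconds left between a reference time (unix epoch) and an openssl "notAfter=..." line.
seconds_until_expiry() {
    not_after="$1"; now_epoch="$2"
    exp_epoch=$(date -u -d "${not_after#notAfter=}" +%s)
    echo $(( exp_epoch - now_epoch ))
}

# Prints "renew" when the certificate is inside the renewal window, otherwise "ok".
renewal_decision() {
    secs=$(seconds_until_expiry "$1" "$2")
    if [ "$secs" -lt $(( RENEW_BEFORE_DAYS * 86400 )) ]; then echo renew; else echo ok; fi
}

# Read the expiry of the certificate nginx is actually serving.
cert_not_after() {
    openssl x509 -noout -enddate -in "$CONFIG_DIR/live/$DOMAIN/fullchain.pem"
}

# certbot looks for renewal configs in <config-dir>/renewal/, so the same --config-dir
# must be passed here. The deploy hook runs only when a certificate was really renewed,
# which is what makes nginx pick up the new fullchain.pem/privkey.pem.
renew_and_reload() {
    certbot renew --quiet --config-dir "$CONFIG_DIR" \
        --deploy-hook "docker exec nginx nginx -s reload"
}

main() {
    decision=$(renewal_decision "$(cert_not_after)" "$(date -u +%s)")
    echo "$DOMAIN: $decision"
    if [ "$decision" = renew ]; then renew_and_reload; fi
}

# Run with "--run" (e.g. from cron); without it the file only defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

In the crontab, replace the `certbot renew --quiet` entry with `/path/to/renew-nginx-cert.sh --run` so the custom config directory and the reload hook are used on every run.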