certbot-auto创建https证书,自动续期

一、先安装certbot

wget https://dl.eff.org/certbot-auto      ////路径为/home/hao/
chmod a+x certbot-auto

二、申请证书

注意:需要把要申请证书的域名先解析到这台服务器上,才能申请。

填写自己的邮箱,域名(可以填多个)

sudo ./certbot-auto certonly --standalone --email my@qq.com -d abc.com -d www.abc.com

执行上面指令,按提示操作。
Certbot 会启动一个临时服务器来完成验证(会占用80端口或443端口,因此需要暂时关闭 Web 服务器),然后 Certbot 会把证书以文件的形式保存,包括完整的证书链文件和私钥文件。
文件保存在 /etc/letsencrypt/live/ 下面的域名目录下。
修改nginx配置

server {
        listen 80 ;
        listen [::]:80;
        server_name abc.com;
        rewrite ^(.*) https://$host$1 permanent;

}

######################################################################

server{
    listen 443 ssl;
    listen [::]:443 ssl;

     ssl_certificate /etc/letsencrypt/live/abc.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/abc.com/privkey.pem;

    server_name abc.com www.abc.com;
    root /var/www/abc.com;
}

三、创建定时任务,自动续期

默认证书有效期是3个月,所以需要续期

手动更新-先停止nginx

sudo service  nginx stop ////停止服务
//// 如果无法停止服务
ps -ef|grep nginx    ////查看进程号
kill -QUIT 927    ////杀掉进程927进程
/home/hao/certbot-auto  renew   -v

创建定时任务

sudo crontab -e

我的certbot-auto的所在目录为/home/hao/;

在最后添加

0 3 1 * * /home/ubuntu/soft/certbot-auto renew --renew-hook "sudo nginx -s reload"
sudo crontab -l

查看一下是否存在刚才添加的定时命令。如果存在的话,那么每月1日的凌晨3点就会执行一次所有域名的续期操作。

四、删除证书

首先确认你的证书不再需要,如果有必要,请执行下面的命令进行备份

cp /etc/letsencrypt/ /etc/letsencrypt.backup -r

撤销证书

进入certbot目录,执行如下命令:

./certbot-auto revoke --cert-path /etc/letsencrypt/archive/iwwenbo.com/cert1.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Would you like to delete the cert(s) you just revoked?
-------------------------------------------------------------------------------
(Y)es (recommended)/(N)o: Y

-------------------------------------------------------------------------------
Deleted all files relating to certificate iwwenbo.com.
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Congratulations! You have successfully revoked the certificate that was located
at /etc/letsencrypt/archive/iwwenbo.com/cert1.pem

-------------------------------------------------------------------------------

删除证书

 ./certbot-auto delete 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which certificate(s) would you like to delete?
-------------------------------------------------------------------------------
1: rxblog.xyz
2: weiyanzixun.com
3: iwwenbo.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 3
-------------------------------------------------------------------------------
Deleted all files relating to certificate www.mydomain.com.
-------------------------------------------------------------------------------

选择你要进行删除的域名证书,用英文逗号”,”或者空格进行多个域名的分割;如果取消输入”c”。这样你需要删除的域名相关文件就删除了。

参考文章:

https://zhuanlan.zhihu.com/p/53407930
https://www.4spaces.org/lets-encrypt-certbot-remove-revoke/

补充:多域名配置https

nginx在默认情况下是TLS SNI support disabled

启用方法:
需要重新编译nginx并启用TLS。步骤如下:

$ wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz

复制代码$ tar zxvf openssl-1.0.1e.tar.gz
复制代码$ ./configure

--prefix=/usr/local/nginx--with-http_ssl_module\
--with-openssl=./openssl-1.0.1e\
--with-openssl-opt="enable-tlsext"

复制代码$ make
复制代码$ make install
复制代码查看是否启用:

$ nginx -V
nginx version: nginx/1.10.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.2j  26 Sep 2016
TLS SNI support enabled
...

作者:tzhennan
链接:https://juejin.im/post/5de655fb518825122671a129
来源:掘金
著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。