一、先安装certbot
wget https://dl.eff.org/certbot-auto ////路径为/home/hao/
chmod a+x certbot-auto
二、申请证书
注意:需要把要申请证书的域名先解析到这台服务器上,才能申请。
填写自己的邮箱,域名(可以填多个)
sudo ./certbot-auto certonly --standalone --email my@qq.com -d abc.com -d www.abc.com
执行上面指令,按提示操作。
Certbot 会启动一个临时服务器来完成验证(会占用80端口或443端口,因此需要暂时关闭 Web 服务器),然后 Certbot 会把证书以文件的形式保存,包括完整的证书链文件和私钥文件。
文件保存在 /etc/letsencrypt/live/ 下面的域名目录下。
修改nginx配置
server {
listen 80 ;
listen [::]:80;
server_name abc.com;
rewrite ^(.*) https://$host$1 permanent;
}
######################################################################
server{
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/abc.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/abc.com/privkey.pem;
server_name abc.com www.abc.com;
root /var/www/abc.com;
}
三、创建定时任务,自动续期
默认证书有效期是3个月,所以需要续期
手动更新-先停止nginx
sudo service nginx stop ////停止服务
//// 如果无法停止服务
ps -ef|grep nginx ////查看进程号
kill -QUIT 927 ////杀掉进程927进程
/home/hao/certbot-auto renew -v
创建定时任务
sudo crontab -e
我的certbot-auto的所在目录为/home/hao/;
在最后添加
0 3 1 * * /home/ubuntu/soft/certbot-auto renew --renew-hook "sudo nginx -s reload"
sudo crontab -l
查看一下是否存在刚才添加的定时命令。如果存在的话,那么每月1日的凌晨3点就会执行一次所有域名的续期操作。
四、删除证书
首先确认你的证书不再需要,如果有必要,请执行下面的命令进行备份
cp /etc/letsencrypt/ /etc/letsencrypt.backup -r
撤销证书
进入certbot目录,执行如下命令:
./certbot-auto revoke --cert-path /etc/letsencrypt/archive/iwwenbo.com/cert1.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Would you like to delete the cert(s) you just revoked?
-------------------------------------------------------------------------------
(Y)es (recommended)/(N)o: Y
-------------------------------------------------------------------------------
Deleted all files relating to certificate iwwenbo.com.
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Congratulations! You have successfully revoked the certificate that was located
at /etc/letsencrypt/archive/iwwenbo.com/cert1.pem
-------------------------------------------------------------------------------
删除证书
./certbot-auto delete
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which certificate(s) would you like to delete?
-------------------------------------------------------------------------------
1: rxblog.xyz
2: weiyanzixun.com
3: iwwenbo.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 3
-------------------------------------------------------------------------------
Deleted all files relating to certificate www.mydomain.com.
-------------------------------------------------------------------------------
选择你要进行删除的域名证书,用英文逗号”,”或者空格进行多个域名的分割;如果取消输入”c”。这样你需要删除的域名相关文件就删除了。
参考文章:
https://zhuanlan.zhihu.com/p/53407930
https://www.4spaces.org/lets-encrypt-certbot-remove-revoke/
补充:多域名配置https
nginx在默认情况下是TLS SNI support disabled
启用方法:
需要重新编译nginx并启用TLS。步骤如下:
$ wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
复制代码$ tar zxvf openssl-1.0.1e.tar.gz
复制代码$ ./configure
--prefix=/usr/local/nginx--with-http_ssl_module\
--with-openssl=./openssl-1.0.1e\
--with-openssl-opt="enable-tlsext"
复制代码$ make
复制代码$ make install
复制代码查看是否启用:
$ nginx -V
nginx version: nginx/1.10.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.2j 26 Sep 2016
TLS SNI support enabled
...
作者:tzhennan
链接:https://juejin.im/post/5de655fb518825122671a129
来源:掘金
著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。
