Obtaining an SSL Certificate with Nginx + Certbot and Renewing It Automatically
Environment and Documentation
Ubuntu Server 22.04
Certbot docs: https://certbot.eff.org/instructions?ws=nginx&os=pip
Nginx docs: https://nginx.org/en/docs/configure.html
Installing Nginx
Download the source of the latest release from GitHub and compile it; at the time of writing that is 1.29.4.
https://github.com/nginx/nginx/releases/download/release-1.29.4/nginx-1.29.4.tar.gz
# Unpack
tar -zxvf nginx-1.29.4.tar.gz
# Enter the source directory
cd nginx-1.29.4
# Configure the build
./configure --prefix=/opt/nginx --with-http_ssl_module --with-http_v2_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre
# Build and install
make -j [number of CPU cores] && make install
With the SSL module enabled, the build may fail at this point because the OpenSSL development headers are missing:
# Install the SSL development library
sudo apt install libssl-dev
Organizing Nginx Paths
The goal here is to keep each site's configuration and static files clearly separated, with every site in its own configuration file.
Site configuration files: /opt/nginx/vhost/[domain]_.conf
Site static files: /www/wwwroot/[short site name (anything you like)]
# /opt/nginx/conf/nginx.conf
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
daemon on;
http {
include mime.types;
default_type application/octet-stream;
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
#error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
include /opt/nginx/vhost/*.conf;
}
# /opt/nginx/vhost/space.yiqumenghua.cn_.conf
server {
listen 80;
server_name space.yiqumenghua.cn;
#access_log logs/host.access.log main;
root /www/wwwroot/space;
index index.html index.htm default.htm default.html;
#error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
Installing Certbot
# Install dependencies
sudo apt install python3 python3-dev python3-venv libaugeas-dev gcc
# Create a virtual environment
sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
# Install certbot and its nginx plugin
sudo /opt/certbot/bin/pip install certbot certbot-nginx
# Symlink certbot into the system PATH for convenience
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
Usage
# Nginx was installed to a non-default prefix, so certbot must be told where its config directory and binary are
certbot certonly --nginx --nginx-server-root /opt/nginx/conf --nginx-ctl /opt/nginx/sbin/nginx
On success you get:
Certificate is saved at: /etc/letsencrypt/live/space.yiqumenghua.cn/fullchain.pem
Key is saved at: /etc/letsencrypt/live/space.yiqumenghua.cn/privkey.pem
The full output of the run:
root@iZbp10vttcdkpf5llkyivzZ:~# ./make_ssl.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: space.next-play.cn
2: space.yiqumenghua.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Requesting a certificate for space.yiqumenghua.cn
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/space.yiqumenghua.cn/fullchain.pem
Key is saved at: /etc/letsencrypt/live/space.yiqumenghua.cn/privkey.pem
This certificate expires on 2026-04-05.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Finally, edit the vhost configuration by hand to:
server {
listen 80;
listen 443 ssl;
server_name space.yiqumenghua.cn;
#access_log logs/host.access.log main;
root /www/wwwroot/space;
index index.html index.htm default.htm default.html;
#error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# Use the lineage certbot issued for this server_name (see the output above); a certificate for another host name would fail browser validation
ssl_certificate /etc/letsencrypt/live/space.yiqumenghua.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/space.yiqumenghua.cn/privkey.pem;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.3 and TLSv1.2 unless legacy clients require the old versions
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!SRP:!CAMELLIA:!SEED;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
}
If you need automatic renewal (untested):
echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
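The cron line above is marked untested, and because the certificate was obtained with certonly a successful renewal does not reload nginx by itself, so the renewed files would sit unused until the next reload. The script below is an added example, not the author's make_ssl.sh: it reports how many days the on-disk certificate has left, runs certbot renew with a deploy hook that tests the nginx config and reloads it, and exits non-zero when renewal has evidently been failing. It assumes the paths from this page (/opt/nginx, /opt/certbot, the space.yiqumenghua.cn lineage) and GNU date.

```shell
#!/bin/sh
# Added example (not the author's make_ssl.sh): a cron-safe renewal wrapper
# for the certonly setup above. Assumed paths: nginx at /opt/nginx/sbin/nginx
# and certbot in /opt/certbot (both from the page); lineage name from the page.
set -eu

NGINX_BIN="${NGINX_BIN:-/opt/nginx/sbin/nginx}"
CERTBOT="${CERTBOT:-/opt/certbot/bin/certbot}"
LINEAGE="${LINEAGE:-space.yiqumenghua.cn}"
LIVE="/etc/letsencrypt/live/$LINEAGE"

# Whole days from $1 to $2; both are strings GNU date -d understands,
# e.g. "now" and the "Apr  5 00:00:00 2026 GMT" form that openssl prints.
days_left() {
  now_s=$(date -u -d "$1" +%s)
  exp_s=$(date -u -d "$2" +%s)
  echo $(( (exp_s - now_s) / 86400 ))
}

# Let's Encrypt issues 90-day certificates and certbot renews inside the
# last 30 days. True when the cert is inside that window (or already expired).
needs_renewal() {  # args: now not_after [threshold_days]
  [ "$(days_left "$1" "$2")" -le "${3:-30}" ]
}

# notAfter of the certificate actually on disk, as openssl prints it.
cert_not_after() {
  openssl x509 -noout -enddate -in "$1" | cut -d= -f2
}

main() {
  exp=$(cert_not_after "$LIVE/fullchain.pem")
  if needs_renewal now "$exp"; then
    # certonly never touches nginx, so the deploy hook (run only after a
    # successful renewal) tests the config and reloads; a broken vhost must
    # not take the site down.
    "$CERTBOT" renew -q --cert-name "$LINEAGE" \
      --deploy-hook "$NGINX_BIN -t && $NGINX_BIN -s reload"
  fi
  # Fewer than 7 days left after a renew run means renewal keeps failing.
  d=$(days_left now "$(cert_not_after "$LIVE/fullchain.pem")")
  [ "$d" -gt 7 ] || { echo "$LINEAGE: $d days left, renewal failing" >&2; exit 2; }
  echo "$LINEAGE: $d days left"
}

# Only act when invoked as ./renew_check.sh run (e.g. from cron).
case "${1:-}" in run) main ;; esac
```

Point the cron entry at this script (`/path/to/renew_check.sh run`) instead of the bare certbot call, and exercise the whole flow once with `certbot renew --dry-run` before relying on it.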