Let's Encrypt 配置
Let's Encrypt 配置
Created
May 25, 2021 09:40 AM
Tags
Let's Encrypt
Published
Nov 7, 2020
Description
安装 Let's Encrypt,并提供示例 Nginx 配置和 crontab

Installation

sudo apt install certbot

Configure

假设网站为 example.com
在 Nginx/OpenResty 对应的 conf 中添加
location /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/html/example.com;
}
添加在 http 下的即可
/var/www/html/example.com 下面创建需要的文件夹
pushd /var/www/html/example.com
mkdir -p .well-known/acme-challenge

Obain

Webroot

  • email 为申请者邮箱,webroot 为 webroot 方式,w 为站点目录,d 为要加 https 的域名
certbot certonly --email root@example.com \
    --webroot -w /var/www/html/example.com \
    -d example.com \
    -d www.example.com

Standalone

需要占用 443 端口,需要停止 Nginx 等服务
certbot certonly --email admin@example.com \
    --standalone \
    -d example.com \
    -d www.example.com

Nginx Conf

生成的证书会在 /etc/letsencrypt/live/ 下面
Nginx Conf 参考
server {
    listen 80;
    server_name example.com;
    server_name www.example.com;

    location /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /usr/local/openresty/nginx/html/example.com;
    }

    location / {
        return 302 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        include proxy_params;
        proxy_pass http://127.0.0.1:3000;
    }
}

Auto Renew

在 cron 中添加
0 0 * */2 * certbot renew --quiet --post-hook "openresty -s reload"
每隔两个月,在 0 点 0 分自动续期