
@twelvejie
Created May 15, 2024 06:52

Installation and configuration, for reference

  1. Install certbot
yum install epel-release -y
yum install certbot -y

Installation

  1. Install the aliyun CLI tool

    wget https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz
    tar xzvf aliyun-cli-linux-latest-amd64.tgz
    sudo cp aliyun /usr/local/bin
    rm aliyun

    After installation you need to configure the credentials (Access Key) the CLI will use.

  2. Install the certbot-dns-aliyun plugin

    wget https://cdn.jsdelivr.net/gh/justjavac/certbot-dns-aliyun@main/alidns.sh
    sudo cp alidns.sh /usr/local/bin
    sudo chmod +x /usr/local/bin/alidns.sh
    sudo ln -s /usr/local/bin/alidns.sh /usr/local/bin/alidns
    rm alidns.sh
  3. Request the certificate. If you request a wildcard (*.example.com) and the site is still reported as "not secure" when you visit it, also pass the apex domain (-d example.com); further domains are added the same way (-d www.example.com).

    Test whether the request succeeds:

    certbot certonly -d '*.example.com' --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean" --dry-run

    For the real request, drop the --dry-run flag:

    certbot certonly -d '*.example.com' --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean"
  4. Certificate renewal

    certbot renew --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean" --dry-run

    If the command above reports no errors, run it again without the --dry-run flag.

  5. Automatic renewal

    Add a scheduled task with crontab.

    crontab -e

    Enter the following line. Note that crontab -e edits a per-user crontab, which has no user field; the six-field form with "root" before the command is only valid in /etc/crontab or /etc/cron.d, and in a per-user crontab the word "root" would be run as the command:

    1 1 */1 * * certbot renew --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean" --deploy-hook "nginx -s reload"
  6. Add the certificate paths to nginx

    server {
        listen 443 ssl;
        # sub-domain
        server_name  www.test.com;
        # location of your certificate files
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        root /usr/share/nginx/html;

        location / {
            # path to the front-end assets
            root   /home/webapps/test-app/dist;
            index  index.html;
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
    
    

The --deploy-hook "nginx -s reload" in the cron line above makes certbot reload nginx automatically after a successful renewal, so the new certificate is served without a manual restart.
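Every step above is typed into a shell, so here is an added POSIX sh example of my own; it is not code from the gist, from certbot or from certbot-dns-aliyun. It builds the step-3 command line with the apex domain appended whenever a wildcard is requested (a *.example.com certificate does not cover example.com itself, which is the "not secure" symptom the step mentions), rewrites the six-field cron line for a per-user crontab, validates the cron time fields, and flags the TLSv1/TLSv1.1 setting in the step-6 server block. The "alidns" hook name, the example.com domains and the sample cron and ssl_protocols lines come from the gist; the function names and the hardened ssl_protocols value are my assumptions. Nothing in it calls certbot, touches DNS or edits a real crontab.

```shell
#!/bin/sh
# Added example (not part of the gist, certbot or certbot-dns-aliyun): POSIX sh
# helpers that build and sanity-check the pieces of the setup above before they
# are run for real. Assumptions: the "alidns" hook from step 2 is on PATH and
# nginx is the server reloaded by the deploy hook. Nothing here calls certbot,
# touches DNS or edits a crontab; every function only produces or checks text.

set -eu
set -f   # disable pathname globbing so "*.example.com" and cron "*" stay literal

# certbot_domain_args DOMAIN... -> the "-d" arguments for certbot.
# A *.example.com certificate does not cover the apex example.com itself (the
# "not secure" symptom in step 3), so the apex is appended whenever a wildcard
# is requested and the apex is not already in the list. Wildcards are quoted.
certbot_domain_args() {
    out=""
    for d in "$@"; do
        case "$d" in
            \*.*)
                out="$out -d '$d'"
                apex="${d#\*.}"
                case " $* " in
                    *" $apex "*) ;;                 # apex already requested
                    *) out="$out -d $apex" ;;
                esac
                ;;
            *)  out="$out -d $d" ;;
        esac
    done
    printf '%s' "${out# }"
}

# certbot_issue_cmd MODE DOMAIN... -> the step-3 command line.
# MODE is "dry-run" (staging test) or "issue" (real request, no --dry-run).
certbot_issue_cmd() {
    mode="$1"; shift
    cmd="certbot certonly $(certbot_domain_args "$@") --manual --preferred-challenges dns"
    cmd="$cmd --manual-auth-hook \"alidns\" --manual-cleanup-hook \"alidns clean\""
    if [ "$mode" = "dry-run" ]; then cmd="$cmd --dry-run"; fi
    printf '%s' "$cmd"
}

# cron_user_line LINE -> LINE rewritten for "crontab -e".
# The six-field form "min hour dom mon dow USER command" belongs in /etc/crontab
# or /etc/cron.d. A per-user crontab has no user field, so there a literal
# "root" would be executed as the command; this drops that sixth field verbatim.
cron_user_line() {
    printf '%s\n' "$1" |
        sed -E 's/^(([^[:space:]]+[[:space:]]+){5})[^[:space:]]+[[:space:]]+/\1/'
}

# cron_time_fields_ok LINE -> 0 when the first five fields look like cron time
# specs (digits, "*", ",", "-", "/") and a command follows, 1 otherwise.
cron_time_fields_ok() {
    set -- $1                      # split on whitespace; set -f keeps "*" literal
    [ $# -ge 6 ] || return 1
    i=0
    while [ "$i" -lt 5 ]; do
        case "$1" in
            *[!0-9*,/-]*) return 1 ;;
        esac
        shift; i=$((i + 1))
    done
    return 0
}

# nginx_weak_tls CONF -> 0 (printing the directive) when an ssl_protocols line
# still enables TLSv1 or TLSv1.1, 1 when only TLSv1.2/TLSv1.3 are allowed.
nginx_weak_tls() {
    printf '%s\n' "$1" |
        grep -E '^[[:space:]]*ssl_protocols[[:space:]].*TLSv1(\.1)?([[:space:]]|;)'
}

# Constructed sample inputs: the cron line from step 5 and the ssl_protocols
# directive from step 6, beside a hardened replacement for the latter.
GIST_CRON_LINE='1 1 */1 * * root certbot renew --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean" --deploy-hook "nginx -s reload"'
WEAK_TLS='    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'
HARDENED_TLS='    ssl_protocols TLSv1.2 TLSv1.3;'

# Stand-alone run: print the dry-run command, the corrected cron line and the
# TLS finding for the sample above.
certbot_issue_cmd dry-run '*.example.com' www.example.com; echo
cron_user_line "$GIST_CRON_LINE"
if nginx_weak_tls "$WEAK_TLS"; then
    echo "^ enables deprecated TLS versions; use instead:$HARDENED_TLS"
fi
```

Run the file as-is to see the assembled dry-run command, the five-field cron line to paste into crontab -e, and the TLS finding; the hardened ssl_protocols value is a suggestion, not something the gist prescribes.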
