Automating Nginx site certificate management with Certbot
I received a certificate renewal notice from Tencent Cloud, and when I went to request a new certificate I found that Tencent Cloud no longer offers one-year free certificates:
From 25 April 2024, free certificates newly issued by Tencent Cloud have their validity period adjusted to 90 days
Since I had always renewed certificates by hand, doing that manually every three months would be a chore. So I looked into Let's Encrypt's certbot; my only concern was how to prove ownership of a second-level domain. In practice this turned out to be a non-issue, because certbot only issues a certificate and poses no threat to the site itself.
The certbot setup steps are below; it only takes a few commands and is very simple.
Installing certbot
Here certbot is installed with apt rather than the recommended snap; personally I find snap too heavy compared with apt, and I don't like seeing a pile of useless snap entries in the output of df -lh.
$ apt update
$ apt install certbot
Obtaining a certificate
The command to obtain a certificate is simple:
$ certbot certonly --nginx -d yourdomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested nginx plugin does not appear to be installed
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
If you hit the error The requested nginx plugin does not appear to be installed, install this package:
$ apt install python3-certbot-nginx
Then repeat the command:
$ certbot certonly --nginx -d yourdomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): xx@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for yourdomain.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/yourdomain.com/privkey.pem
This certificate expires on 2025-02-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Since this is the first run of certbot, it asks a few questions, such as an email address for urgent notices and whether you accept the terms of service. When it finishes, the certificate files are in the /etc/letsencrypt/live/yourdomain.com/ directory.
Subsequent renewals do not ask all those questions again; a single command completes the job:
$ certbot certonly --nginx -d yourdomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for yourdomain.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/yourdomain.com/privkey.pem
This certificate expires on 2025-02-15.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Updating the site's certificate file paths
The site's certificate settings live in /etc/nginx/sites-available/yourdomain.com; change the following two lines:
server {
    server_name yourdomain.com;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ...
}
Then test that the nginx configuration is valid:
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload nginx, then check in a browser that the new certificate is in effect:
$ nginx -s reload
Configuring automatic certificate renewal
Create a new cron job:
$ sudo crontab -e
Add an entry that renews the certificate every day at 03:28:
28 3 * * * certbot renew --nginx --quiet
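The cron line above relies on certbot silently doing the right thing. As an added example (not part of the original post, and not certbot's or nginx's own tooling), the script below wraps the renewal step so that it is observable: it reads the expiry date of the live certificate with openssl, computes the days remaining in plain shell arithmetic (no GNU date needed), runs a --dry-run against the staging CA first, and attaches a --deploy-hook that reloads nginx only after nginx -t passes. The DOMAIN value, the script name renew-check.sh and the 30-day warning threshold are assumptions chosen for the example; the certificate path follows the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a checked wrapper around `certbot renew`.
# Usage: ./renew-check.sh --run   (functions can be sourced/tested without --run)
set -eu

DOMAIN="${DOMAIN:-yourdomain.com}"            # assumed; path layout follows the post
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"
WARN_DAYS=30   # Let's Encrypt certs last 90 days; certbot renews within its own window

# month_number "Feb" -> 2 (openssl prints abbreviated English month names)
month_number() {
  case "$1" in
    Jan) echo 1 ;; Feb) echo 2 ;; Mar) echo 3 ;; Apr) echo 4 ;;
    May) echo 5 ;; Jun) echo 6 ;; Jul) echo 7 ;; Aug) echo 8 ;;
    Sep) echo 9 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    *) echo "unknown month: $1" >&2; return 1 ;;
  esac
}

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (proleptic Gregorian).
# Pure shell arithmetic so the expiry check does not depend on GNU `date -d`.
days_from_civil() {
  local y="$1" m="$2" d="$3" era yoe mp doy doe
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$(( (y >= 0 ? y : y - 399) / 400 ))
  yoe=$(( y - era * 400 ))
  mp=$(( (m + 9) % 12 ))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# days_left "notAfter=Feb 15 23:59:59 2025 GMT" YYYY-MM-DD -> whole days remaining.
# The first argument is exactly what `openssl x509 -enddate -noout` prints.
days_left() {
  local enddate="${1#notAfter=}" today="$2" mon day year ty tm td
  set -- $enddate                       # split into: Mon DD HH:MM:SS YYYY GMT
  mon=$(month_number "$1"); day="${2#0}"; year="$4"
  ty="${today%%-*}"; tm="${today#*-}"; tm="${tm%%-*}"; td="${today##*-}"
  echo $(( $(days_from_civil "$year" "$mon" "$day") - $(days_from_civil "$ty" "${tm#0}" "${td#0}") ))
}

# needs_renewal ENDDATE TODAY -> exit 0 if the certificate expires within WARN_DAYS
needs_renewal() {
  [ "$(days_left "$1" "$2")" -le "$WARN_DAYS" ]
}

main() {
  local enddate today
  enddate=$(openssl x509 -enddate -noout -in "$LIVE_DIR/fullchain.pem")
  today=$(date -u +%Y-%m-%d)
  echo "$DOMAIN: $(days_left "$enddate" "$today") day(s) until expiry"
  if ! needs_renewal "$enddate" "$today"; then
    echo "$DOMAIN: outside the renewal window, certbot will be a no-op" >&2
  fi
  # Dry run first: talks to the staging CA and touches nothing under /etc/letsencrypt.
  certbot renew --nginx --quiet --dry-run
  # The deploy hook runs only when a certificate was actually renewed, and reloads
  # nginx only if the config still parses. The same command can instead be saved as an
  # executable file under /etc/letsencrypt/renewal-hooks/deploy/ to apply to every run.
  certbot renew --nginx --quiet --deploy-hook "nginx -t && nginx -s reload"
  enddate=$(openssl x509 -enddate -noout -in "$LIVE_DIR/fullchain.pem")
  echo "$DOMAIN: now $(days_left "$enddate" "$today") day(s) until expiry"
}

# Act only when invoked with --run, so the helpers can be tested where certbot,
# openssl and nginx are not installed.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

With this in place the crontab entry becomes something like `28 3 * * * /usr/local/bin/renew-check.sh --run` (path assumed), and the cron mail carries the before/after days-remaining lines, so a renewal that silently stopped working shows up as a shrinking number rather than as an expired site. The deploy hook also makes the nginx reload explicit instead of relying on the plugin to do it.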