1. Install Certbot and the Let's Encrypt plugin
Certbot is a Let's Encrypt client that automatically obtains and installs SSL certificates from Let's Encrypt. Run the following command to install Certbot together with its Nginx plugin:
sudo apt install certbot python3-certbot-nginx
2. Request and configure a wildcard certificate
my_domain="textworld.cn"
# Quote the wildcard so the shell cannot glob-expand "*." before certbot sees it
sudo certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d "$my_domain" -d "*.${my_domain}"
After you run the command above, Certbot prints instructions asking you to add a specific DNS TXT record for the domain. This proves that you control the domain. Add the DNS record exactly as instructed, wait for it to take effect, and only then continue. A newly added TXT record needs some time to propagate, so wait a few more minutes before pressing Enter to let Certbot perform the validation.
Complete the validation: once the DNS record has propagated and Certbot has verified it, your wildcard certificate is issued and stored in the /etc/letsencrypt/live/${my_domain}/ directory.
3. Configure Nginx to use the wildcard certificate
Nginx version used in this article: nginx version: nginx/1.18.0 (Ubuntu)
Open the Nginx configuration file:
sudo vim /etc/nginx/conf.d/default.conf
Specify the certificate and private key: in the appropriate server block, find or add the following lines and make sure they point to the paths of your wildcard certificate and private key:
ssl on;   # deprecated since nginx 1.15: "listen 443 ssl" already enables TLS
ssl_certificate /etc/letsencrypt/live/textworld.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/textworld.cn/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # use this protocol setting (TLSv1 and TLSv1.1 are deprecated by RFC 8996)
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;   # use this cipher-suite setting
ssl_prefer_server_ciphers on;
Below is a complete Nginx configuration example for an HTTPS server, including a reverse proxy.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2 default_server;
    server_name www.textworld.cn;
    root /var/www/hugo_github/public;
    index index.html index.htm index.php;

    ssl on;   # deprecated since nginx 1.15: "listen 443 ssl" already enables TLS
    ssl_certificate /etc/letsencrypt/live/textworld.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/textworld.cn/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # use this protocol setting (TLSv1 and TLSv1.1 are deprecated by RFC 8996)
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;   # use this cipher-suite setting
    ssl_prefer_server_ciphers on;

    location / {
        index index.html index.htm;
        proxy_pass http://127.0.0.1:8080;
    }

    error_page 404 /404/;
    location = /50x.html {
    }
}
Test the Nginx configuration:
sudo nginx -t
Make sure no errors are reported.
Reload Nginx:
sudo systemctl reload nginx
Your Nginx server should now be configured with the wildcard certificate and serve secure HTTPS connections for your domain and all of its subdomains.
Automatically renewing Let's Encrypt certificates
A common concern when using Let's Encrypt certificates is how to keep them continuously valid. Let's Encrypt certificates are valid for 90 days by default, so to make sure your service is not interrupted by an expired certificate, the best practice is to renew them automatically.
sudo certbot certonly --standalone
The full output of the command is as follows:
lighthouse@VM-16-9-ubuntu:~$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): *.textworld.cn,textworld.cn
Certificate not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/textworld.cn.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for *.textworld.cn and textworld.cn
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/textworld.cn/fullchain.pem
Key is saved at: /etc/letsencrypt/live/textworld.cn/privkey.pem
This certificate expires on 2024-07-26.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/textworld.cn/fullchain.pem
Key is saved at: /etc/letsencrypt/live/textworld.cn/privkey.pem
This certificate expires on 2024-07-25.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
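Two checks worth scripting around the steps above: confirming that the _acme-challenge TXT record is visible before pressing Enter in certbot, and confirming that the issued or renewed fullchain.pem really covers both textworld.cn and its subdomains and is not yet within certbot's 30-day renewal window. The script below is an added example, not part of the original post or of certbot; it assumes openssl on PATH, dig (bind9-dnsutils) for the DNS check, and lowercase hostnames.

```shell
#!/bin/sh
# Print the DNS names in the certificate's subjectAltName, one per line.
cert_san_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# $1 = SAN entry, $2 = lowercase hostname. A wildcard covers exactly one label:
# *.textworld.cn matches www.textworld.cn but neither textworld.cn nor a.b.textworld.cn.
match_san() {
  label=${2%%.*}   # leftmost label of the hostname
  rest=${2#*.}     # everything after its first dot
  case "$1" in
    '*.'*) [ -n "$label" ] && [ "$label" != "$2" ] && [ "$rest" = "${1#\*.}" ] && return 0 ;;
    *)     [ "$1" = "$2" ] && return 0 ;;
  esac
  return 1
}

# $1 = PEM certificate (e.g. fullchain.pem), $2 = hostname; returns 0 if covered.
# Runs in a subshell so "set -f" (no glob expansion of the literal "*.") stays local.
cert_covers_name() (
  set -f
  for san in $(cert_san_names "$1"); do
    match_san "$san" "$2" && exit 0
  done
  exit 1
)

# $1 = PEM certificate, $2 = days; returns 0 if the cert expires within that window.
# Certbot itself renews once fewer than 30 of the 90 days remain.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# $1 = apex domain; returns 0 once a TXT record is visible at _acme-challenge.<domain>,
# i.e. the DNS-01 record has propagated and it is safe to press Enter in certbot.
acme_txt_present() {
  [ -n "$(dig +short TXT "_acme-challenge.$1")" ]
}

# Usage: sh check_cert.sh /etc/letsencrypt/live/textworld.cn/fullchain.pem www.textworld.cn
if [ "$#" -eq 2 ]; then
  cert_covers_name "$1" "$2" && echo "covered: $2" || echo "NOT covered: $2"
  cert_expires_within "$1" 30 && echo "renewal due: $1 expires within 30 days"
fi
```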
Common errors
When renewing the previously requested wildcard certificate with certbot's renew command, the following error appears:
Failed to renew certificate textworld.cn with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
--manual-auth-hook