How to fix it?
For the SSL certificate request to succeed, both dusirui.com and www.dusirui.com must resolve correctly to the server's IP.
Log in to the console of your DNS provider (Alibaba Cloud, Tencent Cloud, Baidu Cloud, HiChina/Wanwang, etc.) and add the following records:
Type   Host   Value (record content)   Note
A      @      your server IP           apex domain (dusirui.com) points to the server
A      www    your server IP           subdomain (www.dusirui.com)
Then run the following and answer Y or N at the prompts:
sudo yum install epel-release
sudo yum install certbot python3-certbot-nginx
Create the challenge directory:
sudo mkdir -p /usr/local/nginx/html/.well-known/acme-challenge/
Put a test file in it:
echo "test" | sudo tee /usr/local/nginx/html/.well-known/acme-challenge/test.txt
Then confirm it is reachable at:
https://dusirui.com/.well-known/acme-challenge/test.txt
Add the following location to the nginx config:
vi /usr/local/nginx/conf/nginx.conf
location /.well-known/acme-challenge/ {
    root /usr/local/nginx/html;
    allow all;
}
Both the port 80 and the port 443 server blocks need the complete location block. Port 80:
server {
    listen 80;
    server_name dusirui.com www.dusirui.com;
    location /.well-known/acme-challenge/ {
        root /usr/local/nginx/html;
        allow all;
    }
    # A "return" placed directly in the server block runs before location matching
    # and would redirect the challenge as well, so the redirect lives in location /.
    location / {
        return 301 https://$host$request_uri;
    }
}
Then test the config and reload Nginx:
sudo /usr/local/nginx/sbin/nginx -t
sudo /usr/local/nginx/sbin/nginx -s reload
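Before running certbot it is worth checking the two things the steps above establish: that every name resolves to the server's IP, and that the challenge path answers over plain HTTP without being redirected (a server-level return 301 in the port-80 block would bounce it). The script below is an added example, not code from the original post. The resolver and fetcher are injectable so the logic can be exercised offline with constructed fakes; the default implementations use only the Python standard library and do touch the network, and the IPs in the demo are constructed TEST-NET addresses.

```python
"""Pre-flight check for a webroot (http-01) certificate request.

Added example, not from the original post. Defaults touch the network;
fake_resolver/fake_fetcher below are constructed data for an offline demo.
"""
import socket
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/test.txt"
REDIRECTS = (301, 302, 303, 307, 308)


def default_resolver(name):
    """IPv4 addresses `name` currently resolves to (raises OSError if none)."""
    return set(socket.gethostbyname_ex(name)[2])


def default_fetcher(url):
    """(status, body) for a GET that does NOT follow redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # report the redirect instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def preflight(domains, server_ip, expected_body="test",
              resolver=default_resolver, fetcher=default_fetcher):
    """Return a list of problems; an empty list means DNS and the webroot
    are ready for `certbot certonly --webroot`."""
    problems = []
    for name in domains:
        try:
            addrs = resolver(name)
        except OSError as err:
            problems.append(f"{name}: does not resolve ({err})")
            continue
        if server_ip not in addrs:
            problems.append(f"{name}: resolves to {sorted(addrs)}, expected {server_ip}")
            continue
        # The CA's first request goes to port 80; answer it there rather than
        # relying on a redirect being followed. A "return 301" placed directly
        # in the port-80 server block fires before location matching and
        # bounces the challenge too.
        status, body = fetcher(f"http://{name}{CHALLENGE_PATH}")
        if status in REDIRECTS:
            problems.append(f"{name}: challenge path redirected (HTTP {status}); "
                            "move the return 301 into location /")
        elif status != 200:
            problems.append(f"{name}: challenge path returned HTTP {status}")
        elif body.strip() != expected_body:
            problems.append(f"{name}: unexpected body {body.strip()!r}")
    return problems


# --- constructed offline demo -------------------------------------------
def fake_resolver(name):
    """Constructed DNS answers (203.0.113.0/24 and 198.51.100.0/24 are TEST-NETs)."""
    table = {"dusirui.com": {"203.0.113.10"}, "www.dusirui.com": {"198.51.100.7"}}
    if name not in table:
        raise OSError("NXDOMAIN")
    return table[name]


def fake_fetcher(url):
    """Constructed HTTP answers: the apex still redirects everything to HTTPS."""
    return (301, "") if url.startswith("http://dusirui.com/") else (200, "test\n")


def demo():
    """Run the check against the constructed fakes; yields two problems."""
    return preflight(["dusirui.com", "www.dusirui.com"], "203.0.113.10",
                     resolver=fake_resolver, fetcher=fake_fetcher)


if __name__ == "__main__":
    import sys
    # Real run: python3 preflight.py 203.0.113.10 dusirui.com www.dusirui.com
    found = preflight(sys.argv[2:], sys.argv[1]) if len(sys.argv) > 2 else demo()
    print("\n".join(found) or "all checks passed")
```

Run it with the server IP followed by every name that will be on the certificate; fix anything it reports before calling certbot, since a failed http-01 attempt counts against Let's Encrypt's rate limits.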
Issue the certificate; the run ends with either an error or a success message:
[root@lavm-n4qcwkirmw conf.d]# sudo certbot certonly --webroot -w /usr/local/nginx/html -d dusirui.com -d www.dusirui.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
Then use the certificate in the port 443 server block:
ssl_certificate /etc/letsencrypt/live/dusirui.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dusirui.com/privkey.pem;
server {
    listen 443 ssl;
    server_name dusirui.com www.dusirui.com; # the certificate covers both names
    ssl_certificate /etc/letsencrypt/live/dusirui.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dusirui.com/privkey.pem;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.3; # only allow secure protocol versions
    # the two 3DES suites use a 64-bit block cipher and are weak; drop them unless a legacy client needs them
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    location /.well-known/acme-challenge/ {
        root /usr/local/nginx/html;
        allow all;
    }
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:9999/; # port the backend application listens on
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
Then test the config and reload Nginx (or stop and start it):
sudo /usr/local/nginx/sbin/nginx -t
sudo /usr/local/nginx/sbin/nginx -s reload
systemctl stop nginx
systemctl start nginx
2. Check whether the system already has an automatic renewal job
Check cron jobs:
sudo crontab -l
Check systemd timers as well.
Then edit the crontab and add or modify the entry:
sudo crontab -e
0 2,14 * * * /usr/bin/certbot renew --quiet --post-hook "/usr/local/nginx/sbin/nginx -t && /usr/bin/systemctl reload nginx" >> /var/log/certbot-renew.log 2>&1
At 02:00 and 14:00 every day the system silently attempts to renew the certificates; if a certificate was renewed, the post-hook validates the nginx config and gracefully reloads nginx so the new certificate takes effect. All output is appended to /var/log/certbot-renew.log.
/usr/local/nginx/sbin/nginx is the path of your own nginx installation.
Find the exact path of systemctl (here /usr/bin/systemctl) by running: which systemctl
Test:
sudo /usr/bin/certbot renew --dry-run --post-hook "/usr/local/nginx/sbin/nginx -t && /usr/bin/systemctl reload nginx" >> /var/log/certbot-renew.log 2>&1
Verify:
sudo crontab -l
systemctl status crond
sudo systemctl daemon-reload
sudo systemctl restart crond
Logs from the dry run and from the certificate issuance:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/dusirui.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cannot extract OCSP URI from /etc/letsencrypt/archive/dusirui.com/cert1.pem
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Account registered.
Simulating renewal of an existing certificate for dusirui.com and www.dusirui.com
Performing the following challenges:
http-01 challenge for dusirui.com
http-01 challenge for www.dusirui.com
Using the webroot path /usr/local/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/dusirui.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/dusirui.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for dusirui.com and www.dusirui.com
Performing the following challenges:
http-01 challenge for dusirui.com
http-01 challenge for www.dusirui.com
Using the webroot path /usr/local/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/dusirui.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/dusirui.com/privkey.pem
Your certificate will expire on 2025-10-20. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
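The cron entry above only appends certbot's output to /var/log/certbot-renew.log; nothing reads it, so a renewal that starts failing silently goes unnoticed until the certificate expires. The script below is an added example, not code from the original post: it summarises a certbot run from its output (status, dry run or real, domains, deployed fullchain files, expiry date and days left) and warns when the certificate is already inside certbot's 30-day renewal window, which means renewals are not succeeding. The two sample texts are constructed from the log lines shown above; the failure markers are messages certbot prints on failed runs and do not appear in this post's (successful) log.

```python
"""Summarise a certbot run from its output (e.g. /var/log/certbot-renew.log).

Added example, not from the original post. SAMPLE_* are constructed from the
log lines in the post; FAILURE_MARKERS are certbot's failure messages, which
the post's successful log does not contain.
"""
import re
from datetime import date

SAMPLE_DRY_RUN = """\
Cannot extract OCSP URI from /etc/letsencrypt/archive/dusirui.com/cert1.pem
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for dusirui.com and www.dusirui.com
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/dusirui.com/fullchain.pem (success)
"""

SAMPLE_ISSUANCE = """\
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for dusirui.com and www.dusirui.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/dusirui.com/fullchain.pem
Your certificate will expire on 2025-10-20. To obtain a new or
"""

RE_DEPLOYED = re.compile(r"(/etc/letsencrypt/live/\S+/fullchain\.pem) \(success\)")
RE_SAVED = re.compile(r"saved at:\s+(/etc/letsencrypt/live/\S+/fullchain\.pem)")
RE_EXPIRY = re.compile(r"will expire on (\d{4})-(\d{2})-(\d{2})")
RE_DOMAINS = re.compile(
    r"(?:renewal of an existing certificate|Requesting a certificate) for (.+)")

SUCCESS_MARKERS = ("renewals succeeded", "certificate and chain have been saved",
                   "No renewals were attempted")  # nothing due yet is also fine
FAILURE_MARKERS = ("All renewals failed", "Some challenges have failed",
                   "Failed authorization procedure")
RENEW_WARN_DAYS = 30  # certbot renews when <30 days remain; still being inside
                      # that window after a run means renewal is not working


def parse_certbot_output(text, today=None):
    """Return a dict describing one certbot run found in `text`."""
    today = today or date.today()
    report = {"status": "unknown", "dry_run": False, "domains": [],
              "fullchain": [], "expires": None, "days_left": None, "warnings": []}

    if any(m in text for m in FAILURE_MARKERS):
        report["status"] = "failure"
    elif any(m in text for m in SUCCESS_MARKERS):
        report["status"] = "success"

    # --dry-run talks to the staging CA and says "simulat..."; a real run does neither
    report["dry_run"] = ("acme-staging" in text or "Simulating renewal" in text
                         or "simulated renewals" in text)

    m = RE_DOMAINS.search(text)
    if m:
        report["domains"] = re.split(r",\s*|\s+and\s+", m.group(1).strip())

    # deployed by "renew" ("... (success)") or saved by "certonly" ("saved at:")
    for path in RE_DEPLOYED.findall(text) + RE_SAVED.findall(text):
        if path not in report["fullchain"]:
            report["fullchain"].append(path)

    m = RE_EXPIRY.search(text)
    if m:
        expires = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
        report["expires"] = expires
        report["days_left"] = (expires - today).days
        if report["days_left"] < RENEW_WARN_DAYS and not report["dry_run"]:
            report["warnings"].append(
                f"only {report['days_left']} days until expiry; renewal should already have run")

    if "Cannot extract OCSP URI" in text:
        report["warnings"].append(
            "certbot found no OCSP URI in the existing certificate and skipped its revocation check")
    return report


def summarize_file(path, today=None):
    """Parse a log file such as /var/log/certbot-renew.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_certbot_output(fh.read(), today)


if __name__ == "__main__":
    import sys
    report = summarize_file(sys.argv[1]) if len(sys.argv) > 1 else \
        parse_certbot_output(SAMPLE_ISSUANCE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Pointed at the log file the cron job writes, a non-zero count of warnings or a status other than success is the condition to alert on; the days-left check catches the case where the cron entry itself stopped running, which the log alone would never show.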