Docker certbot SSL certificates
## Step 1: point the domain at the NGINX service
## Step 2: configure NGINX
```nginx
server {
    # ACME http-01 validation is fetched over port 80. If NGINX listens on
    # 3080 as here, port 80 must be forwarded to it (see step 1).
    listen 3080;
    server_name 域名;   # your domain

    # Serve the token files that certbot writes under the webroot mounted in
    # step 3: /home/app/certbot/.well-known/acme-challenge/<token>
    location ^~ /.well-known/acme-challenge/ {
        root /home/app/certbot;
    }
}
```
## Step 3: obtain the certificate with the certbot container
```bash
# /home/app/certbot is the NGINX webroot from step 2; inside the container it is
# /data/letsencrypt, so the http-01 token certbot writes under
# /data/letsencrypt/.well-known/acme-challenge/ is the file NGINX serves.
# Certificates and keys end up in /home/app/certbot/ssl on the host; keep that
# directory's permissions tight, it holds privkey.pem.
docker run -it --rm \
  -v /home/app/certbot:/data/letsencrypt \
  -v /home/app/certbot/ssl:/etc/letsencrypt \
  -v /home/app/certbot/logs:/var/log/letsencrypt \
  certbot/certbot certonly \
  -n \
  --webroot \
  --webroot-path=/data/letsencrypt \
  -m 邮箱 \
  --agree-tos \
  -d "域名"
# -m: your email address   -d: your domain   -n: non-interactive
```
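A pre-flight check for the webroot setup of steps 2 and 3, added here as an example; it is not part of the original post or of certbot. The webroot plugin writes a token file to `<webroot>/.well-known/acme-challenge/<token>` and the CA then fetches `http://<domain>/.well-known/acme-challenge/<token>`. Writing a probe file the same way and fetching it back through the web server catches the usual failure before certbot does: a 404 means the NGINX `root`/`location` or the Docker volume mount does not line up with the webroot. The local `http.server` stand-in for NGINX, the temporary directories and the `run_demo` helper are assumptions made so the check runs offline; against a real deployment, pass the real webroot and listener URL to `webroot_check`.

```python
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, Optional, Tuple

# Path that the ACME http-01 challenge uses, relative to the webroot.
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def write_probe(webroot: str) -> Tuple[str, str]:
    """Create <webroot>/.well-known/acme-challenge/<token> with random content,
    the same place certbot --webroot puts its key-authorization file."""
    token = secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as fh:
        fh.write(body)
    return token, body


def fetch_probe(base_url: str, token: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch the probe the way the CA would. Returns the body, or None on any
    HTTP or transport failure (a 404 is the typical sign of a path mismatch)."""
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode()
    except (urllib.error.URLError, OSError):
        return None


def webroot_check(webroot: str, base_url: str) -> bool:
    """True when a file written into the webroot is served back unchanged."""
    token, body = write_probe(webroot)
    try:
        return fetch_probe(base_url, token) == body
    finally:
        # Clean up like certbot does after the challenge.
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))


def serve_directory(directory: str) -> Tuple[ThreadingHTTPServer, str]:
    """Stand-in for NGINX (assumption for the offline demo): serve `directory`
    on a random localhost port and return the server and its base URL."""
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_demo() -> Dict[str, object]:
    """Run the check against a matching and a mismatched webroot."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as other:
        server, url = serve_directory(good)
        try:
            return {
                # Same directory on both sides, like the step 3 volume mounts.
                "matching_webroot": webroot_check(good, url),
                # Token written to a directory the server does not serve: what
                # a wrong `root` or volume mount looks like (404 -> False).
                "mismatched_webroot": webroot_check(other, url),
                # A token nobody wrote -> None.
                "missing_token": fetch_probe(url, "no-such-token"),
            }
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

To use it for real, run `webroot_check("/home/app/certbot", "http://<your domain>")` from a host that reaches the domain the way the CA does (through port 80); `serve_directory` and `run_demo` exist only to exercise the check offline.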
## Alternative: install certbot on the host and use the nginx plugin
```bash
yum install -y python-devel
yum install -y openssl-devel
yum install epel-release
yum install certbot
yum install python2-certbot-nginx
```
Configure (the nginx plugin obtains the certificate and edits the NGINX configuration itself):
```bash
certbot --nginx
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Email address
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxxx@xxx.com ## your email address
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Agree to the terms of service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A ## agree to the terms
Opt in to EFF mailings
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y ## allow mailings
Choose the domains to enable HTTPS for
Starting new HTTPS connection (1): supporters.eff.org
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: x1.xxx.com ## domain 1
2: x2.xxx.com ## domain 2
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Domain selection
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2 ## separate multiple numbers with spaces
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pazzn.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/default.conf
Keep both HTTP and HTTPS
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
## keep both HTTP and HTTPS
1: No redirect - Make no further changes to the webserver configuration.
## HTTPS only
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1 ## choose 1
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/default.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://xxx.xx
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=xxx.xx
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/xxx.xx/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/xxxx.xx/privkey.pem
Your cert will expire on 2019-09-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Renewing the free certificate
## Simulate a renewal
certbot renew --dry-run
## If the following output appears, the simulated renewal succeeded
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/your.domain.com.conf
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/your.domain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
## Renew the certificate
certbot renew
Automatic renewal
## Scheduled job (crontab): runs certbot renew on the 1st of every second month
## Note: certbot renew only replaces a certificate with 30 days or less left, so a
## run every two months can fall just before that window and the next run can come
## after the 90-day expiry; running the job daily avoids this.
## With the Docker method, run `renew` inside the certbot/certbot container with
## the same volumes as step 3 and reload NGINX afterwards.
0 0 1 */2 * /usr/bin/certbot renew >> /var/log/le-renew.log