I. Install and configure SSL
1. Install certbot
yum install -y epel-release
yum install -y certbot
2. Run the certificate request
certbot certonly --webroot -w [site root] -d [domain] -m [contact email] --agree-tos
3. After a successful request, the certificate files are generated under /etc/letsencrypt/live/{domain}/
4. Check the certificate validity period
openssl x509 -noout -dates -in /etc/letsencrypt/live/{domain}/fullchain.pem
5. Configure SSL in Nginx
# Run from the directory holding nginx.conf (e.g. /etc/nginx): relative paths in the config resolve against that directory
ln -s /etc/letsencrypt/live/{domain}/fullchain.pem cert/{domain}.crt
ln -s /etc/letsencrypt/live/{domain}/privkey.pem cert/{domain}.key
server {
    listen 443 ssl http2;
    ......
    ssl_prefer_server_ciphers on;
    #ssl on;   # deprecated directive; the "ssl" parameter on "listen" above replaces it
    keepalive_timeout 70;
    ssl_certificate ./cert/{domain}.crt;
    ssl_certificate_key ./cert/{domain}.key;
    ssl_protocols TLSv1.1 TLSv1.2;   # TLSv1.1 is deprecated (RFC 8996); keep only TLSv1.2 (and TLSv1.3 where supported) unless legacy clients require it
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    .......
}
6. Restart Nginx
II. Automatic renewal
1. Renew the certificate
certbot renew --dry-run   # test run: simulates the renewal and prints the result without replacing the certificate
certbot renew --quiet     # silent mode: no output except errors
2. Add to crontab
0 05 * * * certbot renew --quiet && nginx -s reload
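As an added example (not part of the original post), a renewal script that reads the expiry date with the openssl command from step 4 and reloads Nginx only when certbot actually replaced a certificate and the configuration passes nginx -t. DOMAIN is an assumed placeholder, and days_until assumes GNU date -d as found on the CentOS host.

```shell
#!/bin/sh
# Added example; not from the original post. Assumes a CentOS host with GNU
# coreutils (date -d), certbot, openssl and nginx on PATH.
DOMAIN="${DOMAIN:-example.com}"            # assumed placeholder domain
CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"

# Print the notAfter date of a PEM certificate, e.g. "Mar 10 12:00:00 2025 GMT".
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Whole days from a reference epoch ($2) until an openssl-style date ($1).
# Negative means the certificate is already expired.
days_until() {
    expiry_epoch=$(date -u -d "$1" +%s) || return 1
    printf '%s\n' $(( (expiry_epoch - $2) / 86400 ))
}

# Validate the configuration before reloading: a reload with a broken config
# fails and leaves the old worker processes (and the old certificate) in place.
safe_reload() {
    nginx -t && nginx -s reload
}

# Let certbot decide whether anything is due (it renews within 30 days of
# expiry) and run the reload only when a certificate was actually replaced,
# instead of reloading nginx on every cron run as the crontab line above does.
renew_and_reload() {
    certbot renew --quiet --deploy-hook "nginx -t && nginx -s reload"
}

# Report the remaining lifetime when run directly (e.g. from cron with MAILTO set).
main() {
    remaining=$(days_until "$(cert_not_after "$CERT")" "$(date -u +%s)") || exit 1
    if [ "$remaining" -lt 7 ]; then
        echo "WARNING: $DOMAIN certificate expires in $remaining day(s)" >&2
    fi
    renew_and_reload
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Invoke it as `sh renew.sh --run` from cron in place of the bare crontab line above.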