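Step 1: Install certbot
Go to the official site: https://certbot.eff.org/
Select your web server software and operating system type.
Then follow the instructions shown there. The steps are as follows.
Install snapd
Follow these steps:
sudo apt update
sudo apt install snapd
Remove any old Certbot
If you have never installed it, you can skip this step.
Then install Certbot with snap: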
sudo snap install --classic certbot
Create a symlink for the certbot command so it can be run directly:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
At this point the installation is complete.
Step 2: Configure and generate certificates
Generate a certificate for nginx:
sudo certbot --nginx
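If it fails with an error saying that the configuration files under /etc/nginx/ do not exist, symlink the configuration directory of your nginx installation to /etc/nginx and the problem is solved. By default certbot only looks for the configuration under /etc/nginx/.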
# ln -s /usr/local/nginx/conf /etc/nginx
Then continue generating the certificate:
# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): xiaopx@qq.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: xxx.com.cn
2: www.xxx.com.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for xxx.com.cn

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/xxx.com.cn/fullchain.pem
Key is saved at: /etc/letsencrypt/live/xxxx.com.cn/privkey.pem
This certificate expires on 2023-11-10.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for xxx.com.cn to /etc/nginx/xxx.com.cn.conf
Congratulations! You have successfully enabled HTTPS on https://xxx.com.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 * Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Run certbot --nginx again to generate the certificate for the second domain.
Step 3: Renew certificates automatically
# certbot renew --dry-run
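This command tests automatic renewal for all certificates; with --dry-run it is only a test run and no renewed certificate is saved. Automatic renewal can be set up at the following trigger points: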
/etc/crontab/
/etc/cron.*/*
systemctl list-timers
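Set up a scheduled task for automatic renewal
# crontab -e
# Scheduled certificate renewal: check and renew certificates on the 1st of every month.
# Runs without --dry-run so that certificates that are due are actually renewed.
00 00 01 * * certbot renew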
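An added example (not part of the original post): a POSIX shell check that reads crontab text and reports whether an active certbot renew entry really renews, because an entry that carries --dry-run only simulates renewal and saves no certificate. The function names and the sample crontab are constructed for illustration; audit_host looks in the locations listed in Step 3 plus the current user's crontab.

```shell
#!/bin/sh
# Added example: audit certbot renewal jobs (function names are hypothetical).

# classify_renew_jobs: read crontab-style text on stdin and print
#   renews        at least one active "certbot ... renew" without --dry-run
#   dry-run-only  only entries that simulate renewal
#   none          no active certbot renew entry at all
classify_renew_jobs() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        /certbot([ \t].*)?[ \t]renew/ {
            if ($0 ~ /--dry-run/) dry++; else real++
        }
        END {
            if (real > 0)     print "renews"
            else if (dry > 0) print "dry-run-only"
            else              print "none"
        }'
}

# audit_host: apply the check to the places a renewal job can live.
# Missing or unreadable files are skipped silently.
audit_host() {
    printf 'system cron:   %s\n' \
        "$(cat /etc/crontab /etc/cron.*/* 2>/dev/null | classify_renew_jobs)"
    printf 'user crontab:  %s\n' \
        "$(crontab -l 2>/dev/null | classify_renew_jobs)"
    if systemctl list-timers --all 2>/dev/null | grep -q certbot; then
        echo 'systemd timer: present'
    else
        echo 'systemd timer: not found'
    fi
}

# Constructed sample crontab (not taken from a real host).
SAMPLE='# monthly renewal check
00 00 01 * * certbot renew --dry-run'

printf '%s\n' "$SAMPLE" | classify_renew_jobs   # prints: dry-run-only
```

Call audit_host on the server after Step 3; a host is covered when at least one line reports "renews" or the systemd timer is present.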