使用 Certbot 自动申请并续订阿里云 DNS 免费泛域名 SSL 证书
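#!/usr/bin/env bash
# Obtain and auto-renew a free wildcard certificate from Let's Encrypt with
# Certbot and the certbot-dns-aliyun DNS plugin, then wire it into nginx.
#
# Target: CentOS 8. Assumes nginx itself is already installed (only the
# certbot nginx plugin is installed here).
#
# Required environment (secrets are never hard-coded in the script):
#   ALIYUN_ACCESS_KEY_ID      AccessKey ID of a RAM sub-account that was
#                             granted AliyunDNSFullAccess
#   ALIYUN_ACCESS_KEY_SECRET  the matching AccessKey secret
# Optional:
#   DOMAIN                    apex domain to certify (default: yourdomain.com);
#                             the wildcard *.DOMAIN is requested as well
set -euo pipefail

# Fail before touching the system if the secrets were not supplied.
: "${ALIYUN_ACCESS_KEY_ID:?set ALIYUN_ACCESS_KEY_ID in the environment}"
: "${ALIYUN_ACCESS_KEY_SECRET:?set ALIYUN_ACCESS_KEY_SECRET in the environment}"
domain=${DOMAIN:-yourdomain.com}
readonly domain
readonly pypi_mirror=https://mirrors.aliyun.com/pypi/simple/
readonly cred_file=/etc/certbot/credentials.ini

# --- CentOS 8: install Python 3 -------------------------------------------
# Informational only: show which python binaries exist (some may not, so a
# missing path must not abort the script under set -e).
ls -la /usr/bin/python{,2,3} /usr/libexec/platform-python 2>/dev/null || true
yum install -y python3 python3-devel
# Point the bare `python` command at Python 3 the supported way on CentOS 8
# instead of overwriting /usr/bin/python with a symlink.
alternatives --set python /usr/bin/python3
python -V
pip3 install --upgrade pip -i "$pypi_mirror"

# --- Certbot plus the nginx and Aliyun DNS plugins ------------------------
pip3 install -i "$pypi_mirror" certbot certbot-nginx certbot-dns-aliyun

# --- DNS API credentials --------------------------------------------------
# Create the RAM sub-account at ram.console.aliyun.com, grant it
# AliyunDNSFullAccess, create an AccessKey for it and pass the key pair in via
# the environment variables checked above.
# Directory and file are created with restrictive modes up front (umask 077)
# so the secret is never world-readable, not even before the final chmod.
install -d -m 700 /etc/certbot
(
  umask 077
  cat > "$cred_file" <<EOF
certbot_dns_aliyun:dns_aliyun_access_key = ${ALIYUN_ACCESS_KEY_ID}
certbot_dns_aliyun:dns_aliyun_access_key_secret = ${ALIYUN_ACCESS_KEY_SECRET}
EOF
)
chmod 600 "$cred_file"

# --- Request the certificate (apex + wildcard) ----------------------------
certbot certonly -a certbot-dns-aliyun:dns-aliyun \
  --certbot-dns-aliyun:dns-aliyun-credentials "$cred_file" \
  -d "$domain" -d "*.$domain"

# --- Automatic renewal ----------------------------------------------------
# A dedicated /etc/cron.d file is idempotent: re-running this script rewrites
# it instead of appending one more line to /etc/crontab. cron's PATH does not
# contain /usr/local/bin, where pip placed certbot, so the absolute path is
# resolved now. The random sleep spreads renewal load over the hour;
# --deploy-hook reloads nginx only when a certificate actually changed.
certbot_bin=$(command -v certbot)
cat > /etc/cron.d/certbot-renew <<EOF
0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && ${certbot_bin} renew -q --deploy-hook "systemctl reload nginx"
EOF
chmod 644 /etc/cron.d/certbot-renew

# --- nginx ---------------------------------------------------------------
# Inside these here-docs, \$name is an nginx variable and must reach the file
# literally, while ${domain} is expanded by the shell. With an unquoted EOF
# and no backslashes, every nginx variable would silently be blanked.
# NOTE(review): options-ssl-nginx.conf and ssl-dhparams.pem are shipped by
# the certbot nginx plugin and may be absent after a plain `certonly` run;
# the `nginx -t` at the end reports that before anything is reloaded.
cat > /etc/nginx/conf.d/nginx.header <<EOF
listen 80;
listen 443 ssl;
if (\$scheme != https) {
    rewrite ^/(.*) https://\$server_name/\$1 permanent;
}
ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
EOF
cat > "/etc/nginx/conf.d/${domain}.conf" <<EOF
server {
    server_name ${domain};
    include /etc/nginx/conf.d/nginx.header;
    location / {
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_pass http://127.0.0.1:8080;
    }
}
EOF

# Validate the configuration before reloading so a typo cannot take the
# running server down.
nginx -t && systemctl reload nginx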
文章作者 🐳Myki
上次更新 2020-09-05