Generating an HTTPS certificate with Certbot
Run this command on your server to generate the Diffie-Hellman parameters:
```bash
openssl dhparam -out /etc/nginx/dhparam.pem 2048
```
Create a common ACME-challenge directory (used by Let's Encrypt for HTTP-01 validation):
```bash
mkdir -p /var/www/_letsencrypt
chown www-data /var/www/_letsencrypt
```
Comment out the SSL-related directives in the configuration:
```bash
sed -i -r 's/(listen .*443)/\1; #/g; s/(ssl_(certificate|certificate_key|trusted_certificate) )/#;#\1/g; s/(server \{)/\1\n ssl off;/g' /etc/nginx/sites-available/jiayupearl.shop.conf
```
This temporarily disables the SSL-related server configuration (the certificate files do not exist yet, so NGINX would refuse to start with them referenced). The command above is just the example from nginxconfig.io; jiayupearl.shop.conf is the name of my configuration file.
Reload your NGINX server:
```bash
sudo nginx -t && sudo systemctl reload nginx
```
Obtain the SSL certificate from Let's Encrypt with Certbot:
```bash
certbot certonly --webroot -d jiayupearl.shop -d www.jiayupearl.shop --email yjw999wow@163.com -w /var/www/_letsencrypt -n --agree-tos --force-renewal
```
Test with `--dry-run` first and only then request the real certificate; otherwise, if validation fails several times, you will hit Let's Encrypt's rate limits.
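As an added example (not part of the original post), a small pre-flight check that mimics the HTTP-01 validation before running certbot: it drops a random token into the webroot and fetches it over plain HTTP for each domain, so a challenge directory that is not actually served is caught without spending validation attempts. The script name, the `http_get` helper and the injectable `fetch` parameter are assumptions.

```python
#!/usr/bin/env python3
"""Pre-flight check for `certbot --webroot`: confirm that a file placed in the
ACME challenge directory is really served over plain HTTP for every domain,
so Let's Encrypt validation attempts (and rate limits) are not wasted."""
import secrets
import sys
import urllib.request
from pathlib import Path

CHALLENGE_SUBDIR = ".well-known/acme-challenge"

def write_token(webroot):
    """Create a random token file under <webroot>/.well-known/acme-challenge
    and return (token, expected_body, path)."""
    token, body = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    path = Path(webroot) / CHALLENGE_SUBDIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)
    return token, body, path

def http_get(url, timeout=10.0):
    """Plain HTTP fetch: the ACME HTTP-01 challenge is served on port 80."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def check_domains(domains, webroot, fetch=http_get):
    """Return {domain: bool}: does http://<domain>/.well-known/acme-challenge/<token>
    echo the token file?  `fetch` is injectable so the logic runs without a network."""
    token, body, path = write_token(webroot)
    results = {}
    try:
        for domain in domains:
            url = f"http://{domain}/{CHALLENGE_SUBDIR}/{token}"
            try:
                results[domain] = fetch(url).strip() == body
            except Exception:  # DNS error, connection refused, 404, ...
                results[domain] = False
    finally:
        path.unlink(missing_ok=True)  # never leave stray files in the webroot
    return results

if __name__ == "__main__":
    # usage: acme_preflight.py domain [domain...]; the webroot is the one created above
    outcome = check_domains(sys.argv[1:], "/var/www/_letsencrypt")
    for domain, ok in outcome.items():
        print(f"{domain}: {'OK' if ok else 'FAILED'}")
    sys.exit(0 if outcome and all(outcome.values()) else 1)
```

Run it as the same user that owns the webroot; a `FAILED` line means NGINX is not serving `/.well-known/acme-challenge/` from `/var/www/_letsencrypt` for that host, and certbot would fail the same way.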
Uncomment the SSL-related directives in the configuration:
```bash
sed -i -r -z 's/#?; ?#//g; s/(server \{)\n ssl off;/\1/g' /etc/nginx/sites-available/jiayupearl.shop.conf
```
This restores the SSL-related server configuration that was commented out above, now that the certificate files exist. Again, the command is the example from nginxconfig.io and jiayupearl.shop.conf is my configuration file name.
Reload your NGINX server:
```bash
sudo nginx -t && sudo systemctl reload nginx
```
Configure Certbot to reload NGINX whenever it successfully renews the certificate:
```bash
echo -e '#!/bin/bash\nnginx -t && systemctl reload nginx' | sudo tee /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
sudo chmod a+x /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
```
Reload NGINX to load the new configuration:
```bash
sudo nginx -t && sudo systemctl reload nginx
```
Changes for Docker/Nginx
When NGINX runs in a container, these paths have to be mounted into it:
```
/etc/nginx/dhparam.pem
/var/www/_letsencrypt
/etc/letsencrypt
```
Reload nginx inside the container:
```bash
docker exec -it nginx nginx -s reload
```
Change the contents of /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh to:
```bash
#!/bin/bash
# Runs non-interactively from certbot's renewal timer, so no -it (there is no TTY);
# test the config inside the container first, as the host version does.
docker exec nginx nginx -t && docker exec nginx nginx -s reload
```
Nginx configuration
```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.jiayupearl.shop;
    root /usr/share/nginx/html/blog;

    # SSL
    ssl_certificate /etc/letsencrypt/live/jiayupearl.shop/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jiayupearl.shop/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/jiayupearl.shop/chain.pem;

    # security
    include nginxconfig.io/security.conf;

    # logging
    access_log /var/log/nginx/jiayupearl.shop.access.log;
    error_log /var/log/nginx/jiayupearl.shop.error.log warn;

    # index.html fallback
    location / {
        try_files $uri $uri/ /index.html;
    }

    # additional config
    include nginxconfig.io/general.conf;
}

# non-www, subdomains redirect
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .jiayupearl.shop;

    # SSL
    ssl_certificate /etc/letsencrypt/live/jiayupearl.shop/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jiayupearl.shop/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/jiayupearl.shop/chain.pem;
    return 301 https://www.jiayupearl.shop$request_uri;
}

# HTTP redirect
server {
    listen 80;
    listen [::]:80;
    server_name .jiayupearl.shop;
    include nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://www.jiayupearl.shop$request_uri;
    }
}
```