1. Install snapd
apt install snapd -y
2. Make sure snapd is up to date
sudo snap install core; sudo snap refresh core
3. Install Certbot
sudo snap install --classic certbot
4. Create a symlink so that the certbot command can be run
sudo ln -s /snap/bin/certbot /usr/bin/certbot
5. Obtain a certificate
5.1 Let certbot configure nginx
sudo certbot --nginx
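By default Certbot looks for the nginx configuration file at /etc/nginx/nginx.conf or /usr/local/etc/nginx/nginx.conf. If your nginx configuration file is somewhere else (for example /usr/local/nginx/conf/nginx.conf), append --nginx-server-root /usr/local/nginx/conf to the command.
5.2 Obtain the certificate only and configure nginx yourself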
sudo certbot certonly --nginx
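Run only one of 5.1 and 5.2, depending on your needs.
5.3 Certificate files
Certificates are stored in /etc/letsencrypt/live/$domain # $domain is your domain name
privkey.pem # the certificate's private key
fullchain.pem # all certificates, including the server certificate; used for SSLCertificateFile on Apache >= 2.4.8 and for ssl_certificate on Nginx
5.4 Example nginx configuration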
server {
    listen 80;
    server_name www.12345.tk;
    root /data/www/;
    index index.html index.htm;
    location / {
        if ( $scheme = http ) { # if the request came in over http, do the following
            rewrite / https://www.12345.tk permanent;
        }
    }
}
server {
    server_name www.12345.tk;
    root /data/www;
    # SSL configuration
    listen 443 ssl;
    # listen 80;
    ssl_certificate /etc/letsencrypt/live/www.12345.tk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.12345.tk/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
}
6. Test automatic renewal
sudo certbot renew --dry-run
7. Check
The certbot renewal command is installed in one of the following locations:
/etc/crontab/
/etc/cron.*/*
systemctl list-timers
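The check from step 7 as a script (an added example, not part of the original guide): it looks in the cron locations listed above and in systemctl list-timers for a certbot entry. The function names and the optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find the scheduled job that renews certbot certificates.
# The optional argument is a hypothetical root prefix (e.g. a mounted copy of
# a host's filesystem); call the functions without it on a live system.
# Usage: check_certbot_renewal

# Print every cron file under <root>/etc with an uncommented certbot entry.
certbot_cron_entries() {
    root="${1:-}"
    for f in "$root/etc/crontab" "$root"/etc/cron.*/*; do
        [ -f "$f" ] || continue   # skip unmatched globs and directories
        if grep -q '^[^#]*certbot' "$f" 2>/dev/null; then
            echo "$f"
        fi
    done
    return 0
}

# Print systemd timers that mention certbot (nothing when systemd is absent).
certbot_timers() {
    command -v systemctl >/dev/null 2>&1 || return 0
    systemctl list-timers --all --no-pager 2>/dev/null | grep -i 'certbot' || true
}

# Return 0 when at least one renewal schedule exists, 1 otherwise.
check_certbot_renewal() {
    root="${1:-}"
    found="$(certbot_cron_entries "$root")"
    # Timers describe the running host, so query them only for the live root.
    if [ -z "$root" ]; then
        timers="$(certbot_timers)"
        if [ -n "$timers" ]; then
            found="${found:+$found
}$timers"
        fi
    fi
    if [ -n "$found" ]; then
        echo "certbot renewal schedule found:"
        echo "$found"
        return 0
    fi
    echo "no certbot renewal schedule found" >&2
    return 1
}
```

A non-zero exit status means no renewal job was found, so the certificate would expire without manual renewal.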