Overview
# certbot
# https://certbot.eff.org/lets-encrypt/centosrhel7-nginx
# https://certbot.eff.org/docs/using.html#getting-certificates-and-choosing-plugins
# SSH into the server
SSH into the server running your HTTP website as a user with sudo privileges.
# Enable EPEL repo
You’ll need to enable the EPEL (Extra Packages for Enterprise Linux) repository.
Follow these instructions at the Fedora wiki to enable EPEL.
yum install -y yum-utils
yum-config-manager --enable rhel-7-server-optional-rpms --enable rhel-7-server-extras-rpms
# Enable the optional channel
If you’re using RHEL or Oracle Linux, you’ll also need to enable the optional channel. On EC2, RHEL users can enable the optional channel by running the following command, substituting your EC2 region for REGION in the command:
yum -y install yum-utils
yum-config-manager --enable rhui-7-rhel-server-extras rhui-7-rhel-server-optional
# Install Certbot
Run this command on the command line on the machine to install Certbot.
sudo yum install certbot python2-certbot-nginx
# Back up the original nginx configuration
Back up the configuration before Certbot touches it.
# If nginx was installed from the default yum package, do the following
# Choose how you’d like to run Certbot
Either get and install your certificates…
Run this command to get a certificate and have Certbot edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step.
sudo certbot --nginx
Or, just get a certificate
If you’re feeling more conservative and would like to make the changes to your Nginx configuration by hand, run this command.
sudo certbot certonly --nginx
# Set up automatic renewal
We recommend running the following line, which will add a cron job to the default crontab.
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null
# Confirm that Certbot worked
To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar. If you want to check that you have the top-of-the-line installation, you can head to https://www.ssllabs.com/ssltest/.
# If nginx was not installed from the default yum package, do the following instead. (To obtain a certificate with a "standalone" web server, include certonly on the command line and use the standalone plugin, --standalone. This plugin needs to bind to port 80 to perform domain validation, so you may need to stop your existing web server first.)
nginx -s stop
certbot certonly --standalone --email 'your-email-address' -d 'your-domain-1' -d 'your-domain-2'
certbot certonly --standalone --email 'gly896420885@163.com' -d 'guojingyi.cn' -d 'www.guojingyi.cn'
# View the generated certificates
tree /etc/letsencrypt/
/etc/letsencrypt/
|-- accounts
|   `-- acme-v02.api.letsencrypt.org
|       `-- directory
|           `-- bb1504c830be74e4077ab2ff9294ba7a
|               |-- meta.json
|               |-- private_key.json
|               `-- regr.json
|-- archive
|   `-- guojingyi.cn
|       |-- cert1.pem
|       |-- chain1.pem
|       |-- fullchain1.pem
|       `-- privkey1.pem
|-- csr
|   |-- 0000_csr-certbot.pem
|   |-- 0001_csr-certbot.pem
|   |-- 0002_csr-certbot.pem
|   `-- 0003_csr-certbot.pem
|-- keys
|   |-- 0000_key-certbot.pem
|   |-- 0001_key-certbot.pem
|   |-- 0002_key-certbot.pem
|   `-- 0003_key-certbot.pem
|-- live
|   |-- guojingyi.cn
|   |   |-- cert.pem -> ../../archive/guojingyi.cn/cert1.pem
|   |   |-- chain.pem -> ../../archive/guojingyi.cn/chain1.pem
|   |   |-- fullchain.pem -> ../../archive/guojingyi.cn/fullchain1.pem
|   |   |-- privkey.pem -> ../../archive/guojingyi.cn/privkey1.pem
|   |   `-- README
|   `-- README
|-- renewal
|   `-- guojingyi.cn.conf
`-- renewal-hooks
    |-- deploy
    |-- post
    `-- pre

15 directories, 22 files
# Add the ssl configuration to nginx
ssl_certificate /etc/letsencrypt/live/guojingyi.cn/fullchain.pem; # certificate (leaf + intermediates) path
ssl_certificate_key /etc/letsencrypt/live/guojingyi.cn/privkey.pem; # private key path
# Start nginx
systemctl start nginx
# Scheduled renewal of the certificate: add a crontab entry
0 0 15 */2 * /usr/bin/certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
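The crontab line above stops nginx for the whole renewal, which means a few seconds of downtime every time (and a site that stays down if the post-hook start fails). As an added example, not part of the original post and not Certbot's own code, the following deploy hook avoids that: `certbot renew` runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ (the directory shown in the tree above) only after a renewal actually succeeded, and exports RENEWED_LINEAGE and RENEWED_DOMAINS to it. The script runs `nginx -t` first and reloads only if the configuration is valid, so a bad config never takes the running server down. The NGINX_TEST_CMD and NGINX_RELOAD_CMD overrides are my own assumption so the script can be exercised on a machine without nginx.

```shell
#!/bin/sh
# Added example (not from the page or from Certbot): a Certbot deploy hook
# that reloads nginx only after `nginx -t` passes, instead of stopping nginx
# around the renewal with --pre-hook/--post-hook.
#
# Install as /etc/letsencrypt/renewal-hooks/deploy/nginx-reload.sh (mode 0755).
# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS when it runs deploy hooks after a successful renewal.
#
# NGINX_TEST_CMD / NGINX_RELOAD_CMD are hypothetical overrides added here so the
# logic can be tested without a real nginx; in production leave them unset.
NGINX_TEST_CMD="${NGINX_TEST_CMD:-nginx -t}"
NGINX_RELOAD_CMD="${NGINX_RELOAD_CMD:-systemctl reload nginx}"

# Returns 0 after a reload when the config test passes; returns 1 and leaves
# the running nginx untouched when it fails, so the old (still valid) cert
# keeps being served rather than the site going down.
reload_if_valid() {
    if $NGINX_TEST_CMD >/dev/null 2>&1; then
        echo "nginx config OK; reloading after renewal of ${RENEWED_LINEAGE:-unknown lineage}"
        $NGINX_RELOAD_CMD
        return $?
    fi
    echo "nginx config test failed; NOT reloading (renewed: ${RENEWED_LINEAGE:-unknown lineage}, domains: ${RENEWED_DOMAINS:-unknown})" >&2
    return 1
}

# Only act when invoked by certbot (RENEWED_LINEAGE is set); when the file is
# merely sourced, e.g. for testing, the functions are defined and nothing runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_if_valid
fi
```

With this hook in place the crontab entry can drop the pre/post hooks entirely and simply run `/usr/bin/certbot renew`; Certbot skips the hook (and the reload) on runs where no certificate is due.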
# Where are my certificates?
All generated keys and issued certificates can be found in /etc/letsencrypt/live/$domain. In the case of creating a SAN certificate with multiple alternative names, $domain is the first domain passed in via -d parameter. Rather than copying, please point your (web) server configuration directly to those files (or create symlinks). During the renewal, /etc/letsencrypt/live is updated with the latest necessary files.
Note
/etc/letsencrypt/archive and /etc/letsencrypt/keys contain all previous keys and certificates, while /etc/letsencrypt/live symlinks to the latest versions.
The following files are available:
privkey.pem
Private key for the certificate.
Warning
This must be kept secret at all times! Never share it with anyone, including Certbot developers. You cannot put it into a safe, however – your server still needs to access this file in order for SSL/TLS to work.
Note
As of Certbot version 0.29.0, private keys for new certificate default to 0600. Any changes to the group mode or group owner (gid) of this file will be preserved on renewals.
This is what Apache needs for SSLCertificateKeyFile, and Nginx for ssl_certificate_key.
fullchain.pem
All certificates, including server certificate (aka leaf certificate or end-entity certificate). The server certificate is the first one in this file, followed by any intermediates.
This is what Apache >= 2.4.8 needs for SSLCertificateFile, and what Nginx needs for ssl_certificate.
cert.pem and chain.pem (less common)
cert.pem contains the server certificate by itself, and chain.pem contains the additional intermediate certificate or certificates that web browsers will need in order to validate the server certificate. If you provide one of these files to your web server, you must provide both of them, or some browsers will show “This Connection is Untrusted” errors for your site, some of the time.
Apache < 2.4.8 needs these for SSLCertificateFile and SSLCertificateChainFile, respectively.
If you’re using OCSP stapling with Nginx >= 1.3.7, chain.pem should be provided as the ssl_trusted_certificate to validate OCSP responses.
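The rule above (hand the server cert.pem and chain.pem together, or fullchain.pem, which is exactly the two concatenated with the leaf first) is easy to check before pointing nginx at the files. As an added example, not part of the original post and not Certbot's own tooling, the following POSIX shell script reads the three files from a live/<domain> directory and reports any disagreement between them using only awk, head and tail. The PEM bodies used in its test are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the page or from Certbot): verify that cert.pem,
# chain.pem and fullchain.pem in a Certbot live/<domain> directory agree,
# i.e. fullchain.pem is exactly cert.pem followed by chain.pem, leaf first.
# Only awk/grep/head/tail are used so it runs on a minimal CentOS/RHEL box.

# Print the base64 body of every CERTIFICATE block in a PEM file, one body
# per line (line breaks inside a block are joined so bodies compare equal).
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblk = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { inblk = 0; print body; next }
        inblk                         { body = body $0 }
    ' "$1"
}

# Usage: check_live_files /etc/letsencrypt/live/example.com
# Returns 0 when the three files are consistent; otherwise prints each problem
# to stderr and returns 1.
check_live_files() {
    dir="$1"
    status=0
    for f in cert.pem chain.pem fullchain.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "$dir/$f is missing or unreadable" >&2
            status=1
        fi
    done
    [ "$status" -eq 0 ] || return 1

    cert_bodies=$(pem_bodies "$dir/cert.pem")
    chain_bodies=$(pem_bodies "$dir/chain.pem")
    full_bodies=$(pem_bodies "$dir/fullchain.pem")

    # cert.pem holds the server (leaf) certificate and nothing else.
    if [ "$(printf '%s\n' "$cert_bodies" | grep -c .)" -ne 1 ]; then
        echo "cert.pem should hold exactly one certificate" >&2
        status=1
    fi
    # An empty chain.pem is the classic cause of "This Connection is Untrusted"
    # in browsers that do not already cache the intermediate.
    if [ -z "$chain_bodies" ]; then
        echo "chain.pem is empty: browsers may fail to build a path to the root" >&2
        status=1
    fi
    # fullchain.pem must start with the leaf ...
    if [ "$(printf '%s\n' "$full_bodies" | head -n 1)" != "$cert_bodies" ]; then
        echo "cert.pem is not the first certificate in fullchain.pem" >&2
        status=1
    fi
    # ... and continue with exactly the intermediates from chain.pem.
    if [ "$(printf '%s\n' "$full_bodies" | tail -n +2)" != "$chain_bodies" ]; then
        echo "chain.pem does not match the intermediates in fullchain.pem" >&2
        status=1
    fi
    return "$status"
}
```

Run it as `check_live_files /etc/letsencrypt/live/guojingyi.cn` (or any other lineage directory); a non-zero exit tells you which of the three files to regenerate before you load the configuration into nginx.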