Let's Encrypt
Official website (free domain certificates)
https://letsencrypt.org/
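Note
Certificates issued this way are valid for only 90 days. For long-term use, the certificate must be renewed on a schedule.
Register a domain and point it at the target server (omitted)
Install
certbot
yum -y install snapd
systemctl enable --now snapd
ln -s /var/lib/snapd/snap /snap
snap install core
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
Generate the certificate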
certbot certonly --standalone -d www.mydomain.com
List the installed certificates and their locations
certbot certificates
Configure nginx to use the certificate
server {
    listen 80;
    server_name www.mydomain.com;
    return 301 https://www.mydomain.com$request_uri;
}

server {
    server_name www.mydomain.com;
    # "ssl on;" is deprecated; enable TLS on the listen directive instead
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated; offer TLSv1.2 and TLSv1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 90;
    }
}
Renew the certificate
certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
Add the renewal to a scheduled task so it runs automatically (omitted)
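One way to fill in the scheduled-renewal step, as an added example that is not part of the original page: a crontab line for the renew command above, plus a check that flags certificates a failed renewal has left close to expiry. The schedule, the 20-day threshold, the function names and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page.
# Crontab line (assumed schedule, daily at 03:17) running the page's renew command.
# certbot skips certificates that are not yet due, and the hooks only run when a
# renewal is actually attempted, so nginx is not stopped every night:
#   17 3 * * * certbot renew -q --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"

# expiring_certs DAYS
# Reads `certbot certificates` output on stdin and prints one line per
# certificate that has fewer than DAYS days left or is not reported as VALID.
expiring_certs() {
    awk -v min="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /\(VALID: [0-9]+ day/) {
                days = $0
                sub(/.*\(VALID: /, "", days)   # drop everything up to the day count
                sub(/ day.*/, "", days)        # drop the rest of the line
                if (days + 0 < min + 0) print name, days " days left"
            } else {
                # "(VALID: N hour(s))" or "(INVALID: ...)"
                print name, "not valid for a full day"
            }
        }'
}

# Constructed sample of `certbot certificates` output (names other than
# www.mydomain.com, and all dates, are made up for this example).
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: www.mydomain.com
    Domains: www.mydomain.com
    Expiry Date: 2024-07-19 09:57:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.mydomain.com/fullchain.pem
  Certificate Name: api.mydomain.com
    Domains: api.mydomain.com
    Expiry Date: 2024-05-02 09:57:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/api.mydomain.com/fullchain.pem
  Certificate Name: old.mydomain.com
    Domains: old.mydomain.com
    Expiry Date: 2024-04-01 09:57:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.mydomain.com/fullchain.pem
EOF
}

# Demo on the sample; on a real host use: certbot certificates | expiring_certs 20
sample_output | expiring_certs 20
```

Any output from the check means the scheduled renewal is not keeping up, for example because port 80 was unreachable while nginx was stopped, and is worth alerting on.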
Document last updated: 2024-04-20 10:57 Author: lee