
The simplest way to obtain and renew a wildcard certificate with Certbot

2 min read


Using CentOS 7 as the example system:

1. Make sure the Python version is >= 3.8

```bash
python -V
```

2. Install Certbot

```bash
pip install certbot certbot-nginx

# Install the certbot-dns-dnspod plugin
# https://github.com/tengattack/certbot-dns-dnspod, converted with xget into a URL that can be downloaded from inside China: https://xuc.xi-xu.me/
pip install git+https://xget.xi-xu.me/gh/tengattack/certbot-dns-dnspod.git
```

3. Configure the DNSPod credentials

```bash
# Write the credentials file to the same path that is passed to --dns-dnspod-credentials below
sudo bash -c 'cat > /data/certbot/credentials.ini << EOF
dns_dnspod_api_id = 5xxxx8
dns_dnspod_api_token = 1d661a0d05xxxx1431a5bb65f3d68e46
EOF'

# The file is written by root, so restrict it as root too
sudo chmod 600 /data/certbot/credentials.ini
```

4. Request the certificate

```bash
certbot certonly -a dns-dnspod \
  --dns-dnspod-credentials /data/certbot/credentials.ini \
  -d peirenlei.cn \
  -d "*.peirenlei.cn"
```

5. View the certificate that was issued

```bash
certbot certificates
```

Output:

```text
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: peirenlei.cn-0001
Serial Number: 50d0891f0bd3093848816ddcd7d8b2aeafb
Key Type: RSA
Domains: *.peirenlei.cn peirenlei.cn
Expiry Date: 2025-08-19 10:58:49+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/peirenlei.cn-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/peirenlei.cn-0001/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/peirenlei.cn.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

6. Alternatively, let Certbot read the domains from the nginx configuration

```bash
certbot --nginx --nginx-server-root /www/server/nginx/conf
```

7. Configure the nginx site:

```nginx
listen 80;
listen 443 ssl http2;

#SSL-START SSL-related configuration; do not delete or modify the commented-out 404 rule on the next line
#error_page 404/404.html;
ssl_certificate /etc/letsencrypt/live/peirenlei.cn-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/peirenlei.cn-0001/privkey.pem; # managed by Certbot
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=31536000";
error_page 497 https://$host$request_uri;

#SSL-END
```

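The nginx block in step 7 still offers TLSv1.1, RSA key exchange and 3DES, and its HSTS header does not cover subdomains even though the certificate is a wildcard. As an added example that is not part of the original post, here is a hardened version of the same `#SSL-START` block built on the Mozilla "intermediate" protocol and cipher settings; it assumes an nginx new enough to accept `always` on `add_header`, and keeps the certificate paths from the post.

```nginx
listen 80;
listen 443 ssl http2;

#SSL-START SSL-related configuration; do not delete or modify the commented-out 404 rule on the next line
#error_page 404/404.html;
ssl_certificate /etc/letsencrypt/live/peirenlei.cn-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/peirenlei.cn-0001/privkey.pem; # managed by Certbot

# TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
ssl_protocols TLSv1.2 TLSv1.3;
# Forward-secret AEAD suites only: no static RSA key exchange, no 3DES, no CBC.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
# Every offered suite is strong, so let the client choose (mobile clients prefer CHACHA20).
ssl_prefer_server_ciphers off;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
# Session tickets without key rotation weaken forward secrecy; leave them off unless the ticket key is rotated.
ssl_session_tickets off;

# The certificate covers *.peirenlei.cn, so HSTS should cover subdomains as well.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
# Plain HTTP sent to the TLS port (nginx-specific code 497): redirect to HTTPS.
error_page 497 https://$host$request_uri;
#SSL-END
```

After `certbot renew` replaces the files under `/etc/letsencrypt/live/`, nginx must be reloaded to pick them up; a `--deploy-hook "nginx -t && nginx -s reload"` on the renew command does that only when the configuration still parses.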
8. Test automatic renewal

```bash
sudo certbot renew --dry-run
```