安装ssl证书获取工具certbot,安装前先删除request及urllib包,不然可以会出现No module named 'requests.packages.urllib3' 的错误:
1 2 3 4 5 6 7 | pip uninstall requests -ypip uninstall urllib3 -yyum remove python-urllib3 -yyum remove python-requests -yyum install python-urllib3 -yyum install python-requests -yyum install certbot -y |
centos8直接下载certbot,运行时会自动安装依赖:
获取证书,成功后证书文件在 /etc/letsencrypt/live/haiyun.me/目录下
1 | certbot certonly --webroot --email sss@haiyun.me --agree-tos --no-eff-email -w /var/www/www.haiyun.me -d haiyun.me -d www.haiyun.me |
配置nginx:
1 2 3 4 5 6 7 8 9 | listen 443 default ssl ;server_name www.haiyun.me haiyun.me;index index.html index.htm index.php; root /var/www/www.haiyun.me;ssl_certificate /etc/letsencrypt/live/haiyun.me/fullchain.pem;ssl_certificate_key /etc/letsencrypt/live/haiyun.me/privkey.pem;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers HIGH:!aNULL:!MD5;ssl_prefer_server_ciphers on; |
由于Let's Encrypt的免费证书有效期为3个月,60天可以更新,使用cron定时任务自动更新证书:
1 | 00 01 * * * certbot renew --renew-hook "nginx -s reload" |
吊销证书:
1 | certbot revoke --cert-path /etc/letsencrypt/live/haiyun.me/cert.pem --key-path /etc/letsencrypt/live/haiyun.me/privkey.pem |
迁移服务器备份:
1 2 | cd /etc/letsencrypttar zcf letsencrypt.tar.gz archive live renewal |
