Let's Encrypt 申请免费证书

使用 Let’s Encrypt 申请证书

Centos 7.9

安装 Let’s Encrypt

1
2
3

yum install epel-release -y
yum install certbot python2-certbot-apache -y
certbot --version

配置 Nginx 处理 ACME Challenge 请求

# 允许 Nginx 在 /var/www/letsencrypt 目录下查找 ACME Challenge 字符串文件。
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt;
}


# 创建目录 /var/www/letsencrypt/.well-known/acme-challenge/：
mkdir -p /var/www/letsencrypt/.well-known/acme-challenge/

# 给予 Nginx 读取权限
chown -R www-data:www-data /var/www/letsencrypt

# 重载 Nginx 以应用更改
nginx -t     # 检查配置文件是否正确
systemctl reload nginx    # 重新加载配置文件

运行 Let’s Encrypt 命令以获取证书

1	certbot certonly --webroot -w /var/www/letsencrypt -d test.xxxxxx.com

证书位置

1 2	/etc/letsencrypt/live/test.sreproxy.com/fullchain.pem /etc/letsencrypt/live/test.sreproxy.com/privkey.pem

证书自动续签

crontab -e
# 每天两次（在凌晨和正午）检查续签
0 0,12 * * * certbot renew --quiet

# 每个月的一号强制更新所有已安装的Lets Encrypt SSL证书
0 0 1 * * /usr/bin/certbot renew --force-renewal --deploy-hook "systemctl reload nginx"

转换 pem 证书(视情况转换)

IMPORTANT NOTES:

Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/test.sreproxy.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/test.sreproxy.com/privkey.pem Your certificate will expire on 2023-08-14. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew all of your certificates, run “certbot renew”

If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le

# 创建一个目录来存储您的 .crt 和 .key 文件
mkdir /etc/letsencrypt/live/test.sreproxy.com/crt_and_key

# 将 fullchain.pem 转换为 .crt 格式
openssl x509 -in /etc/letsencrypt/live/test.sreproxy.com/fullchain.pem -out /etc/letsencrypt/live/test.sreproxy.com/crt_and_key/certificate.crt

# 将 privkey.pem 转换为 .key 格式（实际上，您不需要转换，因为 .pem 和 .key 具有相同的格式，但是为了一致性，我们可以将其复制并重命名）
cp /etc/letsencrypt/live/test.sreproxy.com/privkey.pem /etc/letsencrypt/live/test.sreproxy.com/crt_and_key/private.key

ls -lh /etc/letsencrypt/live/test.sreproxy.com/crt_and_key