Requesting a certificate with Let’s Encrypt

Environment: CentOS 7.9

Install Let’s Encrypt (Certbot)

yum install epel-release -y
yum install certbot python2-certbot-apache -y   # the Apache plugin is not used below; the webroot method needs only certbot
certbot --version

Configure Nginx to serve ACME challenge requests

# Let Nginx look up ACME challenge token files under /var/www/letsencrypt.
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt;
}


# Create the directory /var/www/letsencrypt/.well-known/acme-challenge/:
mkdir -p /var/www/letsencrypt/.well-known/acme-challenge/

# Give Nginx read access (the worker user is nginx on CentOS; www-data is the Debian/Ubuntu name)
chown -R nginx:nginx /var/www/letsencrypt

# Reload Nginx to apply the change
nginx -t # check that the configuration is valid
systemctl reload nginx # reload the configuration

Run Certbot to obtain the certificate

certbot certonly --webroot -w /var/www/letsencrypt -d test.xxxxxx.com

Certificate location

/etc/letsencrypt/live/test.sreproxy.com/fullchain.pem
/etc/letsencrypt/live/test.sreproxy.com/privkey.pem

Automatic certificate renewal

crontab -e
# Check for renewal twice a day (at midnight and at noon).
# certbot renew only reissues certificates within 30 days of expiry; it does not
# reload Nginx by itself, so add --deploy-hook "systemctl reload nginx" if the
# new certificate should be served without a manual reload.
0 0,12 * * * certbot renew --quiet

# Force-renew all installed Let’s Encrypt SSL certificates on the 1st of every month
# (not required, since the job above already renews in time, and every issuance
# counts toward Let’s Encrypt rate limits)
0 0 1 * * /usr/bin/certbot renew --force-renewal

On success certbot reports where the certificate and key were saved:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/test.sreproxy.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/test.sreproxy.com/privkey.pem Your certificate will expire on 2023-08-14. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew all of your certificates, run “certbot renew”

Convert the pem certificate (only if needed)
# Create a directory to hold the .crt and .key files
mkdir /etc/letsencrypt/live/test.sreproxy.com/crt_and_key

# "Convert" fullchain.pem to .crt: .crt is the same PEM encoding, so a copy is enough.
# Do not pass it through "openssl x509 -in ... -out": that keeps only the first
# certificate in the file and silently drops the intermediate chain.
cp /etc/letsencrypt/live/test.sreproxy.com/fullchain.pem /etc/letsencrypt/live/test.sreproxy.com/crt_and_key/certificate.crt

# "Convert" privkey.pem to .key (no real conversion is needed, since .pem and .key share the same format; it is copied and renamed only for consistency)
cp /etc/letsencrypt/live/test.sreproxy.com/privkey.pem /etc/letsencrypt/live/test.sreproxy.com/crt_and_key/private.key

ls -lh /etc/letsencrypt/live/test.sreproxy.com/crt_and_key
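As an added example (not code from the original post), a POSIX shell script with the checks worth running after the steps above: that a bundle still carries the intermediate certificate (a file produced with `openssl x509 -in fullchain.pem -out ...` keeps only the first certificate), whether the certificate is inside the 30-day window in which `certbot renew` acts, and that the private key matches the certificate. The CA, hostnames and paths are constructed test data, not values from the page.

```shell
#!/bin/sh
# Added example, not part of the original post: post-deployment checks for a
# Let's Encrypt certificate. All paths and names below are assumptions.
set -eu

# Count PEM certificates in a file. fullchain.pem holds the leaf plus the
# intermediate(s); fewer than 2 means the chain was lost on the way.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Exit 0 when the certificate expires within $2 days (default 30, the window
# in which "certbot renew" actually renews), 1 otherwise.
needs_renewal() {
    if openssl x509 -checkend $(( ${2:-30} * 86400 )) -noout -in "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Exit 0 when the private key belongs to the certificate (Nginx refuses a mismatch).
key_matches() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Constructed sample data: a throwaway CA plus a leaf valid for 10 days.
make_demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 1 -days 10 -out "$d/cert.pem" 2>/dev/null
    cat "$d/cert.pem" "$d/ca.pem" > "$d/fullchain.pem"
    echo "$d"
}

# Usage: report fullchain.pem privkey.pem
report() {
    leaf=$(mktemp)
    openssl x509 -in "$1" -out "$leaf"   # keeps only the FIRST certificate (the leaf)
    echo "certificates in $1: $(cert_count "$1")"
    if needs_renewal "$leaf"; then echo "renewal due within 30 days"; else echo "not due"; fi
    if key_matches "$leaf" "$2"; then echo "key matches certificate"; else echo "KEY MISMATCH"; fi
    rm -f "$leaf"
}

demo=$(make_demo)
report "$demo/fullchain.pem" "$demo/privkey.pem"
```

On a live host, replace the demo call with `report /etc/letsencrypt/live/<domain>/fullchain.pem /etc/letsencrypt/live/<domain>/privkey.pem`.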