Obtaining a free Let's Encrypt SSL certificate
Let's Encrypt
Let's Encrypt is a public, free SSL project run abroad. It is simple and convenient to install and deploy, and Let's Encrypt SSL certificates are trusted by Firefox, Chrome, IE and other browsers.
How to obtain an SSL certificate
Let's Encrypt issues certificates through an automated API based on the ACME protocol.
To interact with the Let's Encrypt API and obtain a certificate you need a piece of software called an "ACME client". The process of obtaining the certificate does not take place on this site; what follows is for reference only.
For most people the Certbot ACME client is recommended. The Certbot website provides excellent documentation and instructions for operating Certbot.
Obtaining an SSL certificate with Certbot
- Comfortable working on the command line
- A website that is already online and served on port 80
- The site is hosted on a server you can reach over ssh with sudo privileges
Steps to obtain SSL for Nginx on Linux (snap)
1. SSH into the server
SSH into the server running your HTTP website as a user with sudo privileges.
2. Install snapd
You need to install snapd and make sure you follow all of the instructions to enable classic snap support.
Follow the instructions on the snapcraft site to install snapd.
3. Remove certbot-auto and any Certbot OS packages
If any Certbot packages were installed with an OS package manager such as apt, dnf or yum, remove them before installing the Certbot snap, so that running the certbot command uses the snap rather than the package from the OS package manager. The exact command depends on the OS; common ones are sudo apt-get remove certbot, sudo dnf remove certbot and sudo yum remove certbot.
4. Install Certbot
Run this command on the machine's command line to install Certbot.
sudo snap install --classic certbot
5. Prepare the certbot command
Run the following on the machine's command line to make sure the certbot command can be run.
sudo ln -s /snap/bin/certbot /usr/bin/certbot
6. Choose how you want to run certbot
Obtain and install the certificate...
Run this command to obtain a certificate and have Certbot edit the nginx configuration automatically to serve it, enabling HTTPS access in a single step.
sudo certbot --nginx
Or, just obtain the certificate
If you are more conservative and want to edit the nginx configuration by hand, run the following command.
sudo certbot certonly --nginx
7. Test automatic renewal
The Certbot package on your system comes with a cron job or systemd timer that renews your certificates automatically before they expire. You will not need to run Certbot again unless you change your configuration. You can test automatic renewal of your certificates by running this command:
sudo certbot renew --dry-run
The command to renew certbot is installed in one of the following locations:
- /etc/crontab
- /etc/cron.*/*
- systemctl list-timers
8. Confirm that Certbot worked
To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar.
Worked example: obtaining an SSL certificate on Ubuntu 24.04 + nginx
Certbot prerequisites met
- Comfortable with the command line
- A website that is online with port 80 open, at http://blog.opsdailou.top/
- Hosted on a server reachable over ssh, with sudo privileges
For a Linux server whose website is fronted by nginx, certbot is set up here via the nginx + Linux (snap) route to obtain the SSL certificate.
Obtain an SSL certificate for http://blog.opsdailou.top/ so that it can be accessed at https://blog.opsdailou.top/
Following the "Steps to obtain SSL for Nginx on Linux (snap)" above, install Certbot and obtain the SSL certificate
1. SSH into the server
Nothing more to say.
2. Install snapd
snap already existed on the host, so it was not installed here
As noted in the snapd installation docs, Ubuntu 18.04 and later ship with the snap daemon preinstalled
3. Remove certbot-auto and any certbot OS packages
The system was checked and no such packages are installed; if there were, they would be uninstalled
4. Install Certbot
Install certbot via snap
root@xxxxxxx-host:~# sudo snap install --classic certbot
2025-02-26T10:35:13+08:00 INFO Waiting for automatic snapd restart...
certbot 3.2.0 from Certbot Project (certbot-eff✓) installed
5. Prepare the Certbot command
Test that the certbot command runs; no symlink was created
root@xxxxxxx-host:~# which certbot
/snap/bin/certbot
root@xxxxxxx-host:~# certbot --version
certbot 3.2.0
If the command cannot be found, create a symlink
sudo ln -s /snap/bin/certbot /usr/bin/certbot
6. Choose how to run Certbot
Only obtain the certificate and edit the nginx configuration manually
sudo certbot certonly --nginx
Normally an email address has to be supplied to obtain a certificate
root@xxxxxxx-host:~# sudo certbot certonly --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): c
An e-mail address or --register-unsafely-without-email must be provided.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Use --register-unsafely-without-email to register without an email address
# Use --register-unsafely-without-email to register without an email address
# Read the Terms of Service at the URL shown: you must agree in order to register with the ACME server; declining aborts the run
root@xxxxxxx-host:~# sudo certbot certonly --nginx --register-unsafely-without-email
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at:
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Unable to register an account with ACME server. Registration cannot proceed without accepting Terms of Service.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Agree to the Terms of Service and obtain a certificate for the domain
# Domains are detected automatically; enter a number or leave the input blank (selects all domains) to enable HTTPS for them
# Here the input was left blank to obtain a certificate for all domains; there is only one
# The certificate is stored under /etc/letsencrypt/live/ and is valid for three months
# A scheduled task for automatic renewal is set up
root@xxxxxxx-host:~# sudo certbot certonly --nginx --register-unsafely-without-email
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at:
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: blog.opsdailou.top
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for blog.opsdailou.top
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/blog.opsdailou.top/fullchain.pem
Key is saved at: /etc/letsencrypt/live/blog.opsdailou.top/privkey.pem
This certificate expires on 2025-05-27.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Inspecting the obtained certificate files shows that they are symlinks, presumably to make later certificate renewals easier
root@xxxxxxx-host:~# ls -alh /etc/letsencrypt/live/*
-rw-r--r-- 1 root root 740 Feb 26 10:47 /etc/letsencrypt/live/README
/etc/letsencrypt/live/blog.opsdailou.top:
total 12K
drwxr-xr-x 2 root root 4.0K Feb 26 10:47 .
drwx------ 3 root root 4.0K Feb 26 10:47 ..
lrwxrwxrwx 1 root root 42 Feb 26 10:47 cert.pem -> ../../archive/blog.opsdailou.top/cert1.pem
lrwxrwxrwx 1 root root 43 Feb 26 10:47 chain.pem -> ../../archive/blog.opsdailou.top/chain1.pem
lrwxrwxrwx 1 root root 47 Feb 26 10:47 fullchain.pem -> ../../archive/blog.opsdailou.top/fullchain1.pem
lrwxrwxrwx 1 root root 45 Feb 26 10:47 privkey.pem -> ../../archive/blog.opsdailou.top/privkey1.pem
-rw-r--r-- 1 root root 692 Feb 26 10:47 README
Look at the README in the directory; /etc/letsencrypt/live/README and /etc/letsencrypt/live/blog.opsdailou.top/README are identical
root@xxxxxxx-host:~# cat /etc/letsencrypt/live/README
This directory contains your keys and certificates.
`[cert name]/privkey.pem` : the private key for your certificate.
`[cert name]/fullchain.pem`: the certificate file used in most server software.
`[cert name]/chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`[cert name]/cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below).
WARNING: DO NOT MOVE OR RENAME THESE FILES!
Certbot expects these files to remain in this location in order
to function properly!
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
root@xxxxxxx-host:~# cat /etc/letsencrypt/live/blog.opsdailou.top/README
This directory contains your keys and certificates.
`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below).
WARNING: DO NOT MOVE OR RENAME THESE FILES!
Certbot expects these files to remain in this location in order
to function properly!
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
In other words: this directory contains your keys and certificates. [cert name]/privkey.pem is the private key for your certificate; [cert name]/fullchain.pem is the certificate file used by most server software; [cert name]/chain.pem is used for OCSP stapling in Nginx >= 1.3.7; [cert name]/cert.pem on its own will break many server configurations and should not be used without reading further documentation (see the link below).
Warning: do not move or rename these files! Certbot expects them to remain in this location in order to function properly.
Moving these files is not recommended. For more information, see the Certbot User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
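The README above relies on a few invariants of the live/ and archive/ layout shown in the ls output: every live/*.pem is a symlink that resolves inside archive/<name>/, fullchain.pem is cert.pem followed by chain.pem, and the private key behind privkey.pem is not world-readable. The audit below is an added example, not certbot's own code; it builds a constructed copy of that layout in a temporary directory (with placeholder PEM contents) and checks those invariants, which is what you would run against a real /etc/letsencrypt after a renewal or a restore from backup.

```python
import os
import stat
import tempfile
from pathlib import Path

# Placeholder PEM contents for the constructed fixture (not real key material).
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
FAKE_CHAIN = "-----BEGIN CERTIFICATE-----\nISSUER\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nSECRET\n-----END PRIVATE KEY-----\n"
PEMS = ("cert", "chain", "fullchain", "privkey")


def build_fixture(root: Path, name: str, key_mode: int = 0o600) -> None:
    """Recreate certbot's layout: archive/<name>/<base>1.pem files plus
    live/<name>/<base>.pem symlinks of the form ../../archive/<name>/<base>1.pem."""
    archive = root / "archive" / name
    live = root / "live" / name
    archive.mkdir(parents=True)
    live.mkdir(parents=True)
    (archive / "cert1.pem").write_text(FAKE_CERT)
    (archive / "chain1.pem").write_text(FAKE_CHAIN)
    (archive / "fullchain1.pem").write_text(FAKE_CERT + FAKE_CHAIN)
    (archive / "privkey1.pem").write_text(FAKE_KEY)
    os.chmod(archive / "privkey1.pem", key_mode)
    for base in PEMS:
        os.symlink(f"../../archive/{name}/{base}1.pem", live / f"{base}.pem")


def audit_live_dir(root: Path, name: str) -> dict:
    """Check the invariants the README depends on and return the findings."""
    live = root / "live" / name
    archive = (root / "archive" / name).resolve()
    findings = {"missing": [], "not_symlink": [], "outside_archive": [],
                "key_world_readable": False, "fullchain_consistent": False}
    for base in PEMS:
        link = live / f"{base}.pem"
        if not link.exists():            # also catches dangling symlinks
            findings["missing"].append(base)
            continue
        if not link.is_symlink():        # a regular file here will not follow renewals
            findings["not_symlink"].append(base)
        if archive not in link.resolve().parents:
            findings["outside_archive"].append(base)
    key = live / "privkey.pem"
    if key.exists():
        mode = stat.S_IMODE(key.stat().st_mode)   # stat() follows the symlink
        findings["key_world_readable"] = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    if not findings["missing"]:
        fullchain = (live / "fullchain.pem").read_text()
        leaf_plus_chain = (live / "cert.pem").read_text() + (live / "chain.pem").read_text()
        findings["fullchain_consistent"] = fullchain == leaf_plus_chain
    return findings


def demo(key_mode: int = 0o600, name: str = "blog.opsdailou.top") -> dict:
    """Build the constructed fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root, name, key_mode)
        return audit_live_dir(root, name)


if __name__ == "__main__":
    print(demo())                 # clean layout
    print(demo(key_mode=0o644))   # private key readable by everyone
```

To audit a real installation, call audit_live_dir(Path("/etc/letsencrypt"), "blog.opsdailou.top") as root instead of demo().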
Check the automatic renewal task
There is nothing in /etc/crontab, and no related job under /etc/cron.*/* either
root@xxxxxxx-host:~# ls /etc/crontab
/etc/crontab
root@xxxxxxx-host:~# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
# You can also override PATH, but by default, newer versions inherit it from the environment
#PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }
47 6 * * 7 root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }
52 6 1 * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; }
#
root@xxxxxxx-host:~# grep cert /etc/crontab
root@xxxxxxx-host:~# cat /etc/cron
cron.d/ cron.daily/ cron.hourly/ cron.monthly/ crontab cron.weekly/ cron.yearly/
root@xxxxxxx-host:~# ls /etc/cron.*/*
/etc/cron.daily/apport /etc/cron.daily/dpkg /etc/cron.daily/man-db /etc/cron.d/e2scrub_all /etc/cron.d/sysstat
/etc/cron.daily/apt-compat /etc/cron.daily/logrotate /etc/cron.daily/sysstat /etc/cron.d/php /etc/cron.weekly/man-db
root@xxxxxxx-host:~# grep cert /etc/cron.*/*
root@xxxxxxx-host:~#
systemctl list-timers shows a timer snap.certbot.renew.timer that drives snap.certbot.renew.service
root@xxxxxxx-host:~# systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES >
Wed 2025-02-26 10:58:00 CST 1min 5s Wed 2025-02-26 10:28:03 CST 28min ago pmie_check.timer pmie_check.service
Wed 2025-02-26 10:58:10 CST 1min 15s Wed 2025-02-26 10:28:15 CST 28min ago pmie_farm_check.timer pmie_farm_check.service
Wed 2025-02-26 11:00:00 CST 3min 5s Wed 2025-02-26 10:50:05 CST 6min ago sysstat-collect.timer sysstat-collect.service
Wed 2025-02-26 11:09:00 CST 12min Wed 2025-02-26 10:39:03 CST 17min ago phpsessionclean.timer phpsessionclean.service
Wed 2025-02-26 11:25:00 CST 28min Wed 2025-02-26 10:55:03 CST 1min 50s ago pmlogger_check.timer pmlogger_check.service
Wed 2025-02-26 11:25:10 CST 28min Wed 2025-02-26 10:55:15 CST 1min 38s ago pmlogger_farm_check.timer pmlogger_farm_check.service
Wed 2025-02-26 11:31:46 CST 34min Wed 2025-02-26 10:35:12 CST 21min ago fwupd-refresh.timer fwupd-refresh.service
Wed 2025-02-26 12:31:35 CST 1h 34min Wed 2025-02-26 10:35:12 CST 21min ago motd-news.timer motd-news.service
Wed 2025-02-26 14:05:00 CST 3h 8min - - snap.certbot.renew.timer snap.certbot.renew.service
Wed 2025-02-26 17:25:28 CST 6h Tue 2025-02-25 20:16:59 CST 14h ago apt-daily.timer apt-daily.service
Wed 2025-02-26 21:11:26 CST 10h Tue 2025-02-25 21:11:26 CST 13h ago update-notifier-download.timer update-notifier-download.serv>
Wed 2025-02-26 21:22:03 CST 10h Tue 2025-02-25 21:22:03 CST 13h ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Thu 2025-02-27 00:00:00 CST 13h Wed 2025-02-26 00:00:00 CST 10h ago dpkg-db-backup.timer dpkg-db-backup.service
Thu 2025-02-27 00:00:00 CST 13h Wed 2025-02-26 00:00:00 CST 10h ago logrotate.timer logrotate.service
Thu 2025-02-27 00:07:00 CST 13h Wed 2025-02-26 00:07:00 CST 10h ago sysstat-summary.timer sysstat-summary.service
Thu 2025-02-27 00:08:00 CST 13h Wed 2025-02-26 00:08:00 CST 10h ago pmie_daily.timer pmie_daily.service
Thu 2025-02-27 00:10:00 CST 13h Wed 2025-02-26 00:10:00 CST 10h ago pmlogger_daily.timer pmlogger_daily.service
Thu 2025-02-27 06:19:31 CST 19h Wed 2025-02-26 06:08:23 CST 4h 48min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Thu 2025-02-27 09:39:45 CST 22h Wed 2025-02-26 03:43:42 CST 7h ago man-db.timer man-db.service
Sun 2025-03-02 03:10:36 CST 3 days Sun 2025-02-23 03:10:08 CST 3 days ago e2scrub_all.timer e2scrub_all.service
Mon 2025-03-03 00:17:56 CST 4 days Mon 2025-02-24 00:31:03 CST 2 days ago fstrim.timer fstrim.service
Tue 2025-03-04 22:36:04 CST 6 days Mon 2025-02-24 21:01:11 CST 1 day 13h ago update-notifier-motd.timer update-notifier-motd.service
22 timers listed.
Pass --all to see loaded but inactive timers, too.
root@xxxxxxx-host:~# systemctl list-timers --all|grep cer
Wed 2025-02-26 14:05:00 CST 3h 7min - - snap.certbot.renew.timer snap.certbot.renew.service
Look at the corresponding timer and service
root@xxxxxxx-host:~# systemctl status snap.certbot.renew.timer
● snap.certbot.renew.timer - Timer renew for snap application certbot.renew
Loaded: loaded (/etc/systemd/system/snap.certbot.renew.timer; enabled; preset: enabled)
Active: active (waiting) since Wed 2025-02-26 10:36:29 CST; 24min ago
Trigger: Wed 2025-02-26 14:05:00 CST; 3h 3min left
Triggers: ● snap.certbot.renew.service
Feb 26 10:36:29 xxxxxxx-host systemd[1]: Started snap.certbot.renew.timer - Timer renew for snap application certbot.renew.
root@xxxxxxx-host:~# systemctl status snap.certbot.renew.service
○ snap.certbot.renew.service - Service for snap application certbot.renew
Loaded: loaded (/etc/systemd/system/snap.certbot.renew.service; static)
Active: inactive (dead)
TriggeredBy: ● snap.certbot.renew.timer
root@xxxxxxx-host:~# cat /etc/systemd/system/snap.certbot.renew.timer
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=snap-certbot-4412.mount
After=snap-certbot-4412.mount
X-Snappy=yes
[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 04:12
OnCalendar=*-*-* 14:05
[Install]
WantedBy=timers.target
root@xxxxxxx-host:~# cat /etc/systemd/system/snap.certbot.renew.service
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application certbot.renew
Requires=snap-certbot-4412.mount
Wants=network.target
After=snap-certbot-4412.mount network.target snapd.apparmor.service
X-Snappy=yes
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
SyslogIdentifier=certbot.renew
Restart=no
WorkingDirectory=/var/snap/certbot/4412
TimeoutStopSec=30
Type=oneshot
snap.certbot.renew.timer is the timer that triggers the certbot.renew task; OnCalendar specifies the times of day at which snap.certbot.renew.service runs
Every day at 04:12 and 14:05 it triggers snap.certbot.renew.service to renew the SSL certificate.
It also makes sure the snap resources are mounted: renewal can only happen while snap-certbot-4412.mount exists
Look at snap-certbot-4412.mount
root@xxxxxxx-host:~# systemctl status snap-certbot-4412.mount
● snap-certbot-4412.mount - Mount unit for certbot, revision 4412
Loaded: loaded (/etc/systemd/system/snap-certbot-4412.mount; enabled; preset: enabled)
Active: active (mounted) since Wed 2025-02-26 10:36:28 CST; 32min ago
Where: /snap/certbot/4412
What: /dev/loop2
Tasks: 0 (limit: 1942)
Memory: 16.0K (peak: 572.0K)
CPU: 3ms
CGroup: /system.slice/snap-certbot-4412.mount
Feb 26 10:36:28 xxxxxxx-host systemd[1]: Mounting snap-certbot-4412.mount - Mount unit for certbot, revision 4412...
Feb 26 10:36:28 xxxxxxx-host systemd[1]: Mounted snap-certbot-4412.mount - Mount unit for certbot, revision 4412.
root@xxxxxxx-host:~# cat /etc/systemd/system/snap-certbot-4412.mount
[Unit]
Description=Mount unit for certbot, revision 4412
After=snapd.mounts-pre.target
Before=snapd.mounts.target
[Mount]
What=/var/lib/snapd/snaps/certbot_4412.snap
Where=/snap/certbot/4412
Type=squashfs
Options=nodev,ro,x-gdu.hide,x-gvfs-hide
LazyUnmount=yes
[Install]
WantedBy=snapd.mounts.target
WantedBy=multi-user.target
Why does ExecStart run /usr/bin/snap run --timer="00:00~24:00/2" certbot.renew rather than certbot renew?
Because Certbot was installed via Snap, and Snap-managed applications normally cannot be run directly as binaries; they have to be run through snap run.
- What snap run does
/usr/bin/snap run certbot.renew
This is the standard way Snap runs the certbot.renew command.
certbot.renew is a command inside the Snap package, not a system-level executable.
If you run directly:
certbot renew
the system may not find Certbot, because it was not installed via APT/YUM but runs as a sandboxed Snap application.
- What --timer="00:00~24:00/2" does
The full ExecStart:
/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
🔹 The purpose of the --timer option
00:00~24:00/2 means: starting at 00:00, run once every 2 hours, until 24:00.
Certbot may ignore systemd's timer mechanism and use Snap's own internal scheduling, which makes sure it does not run too often or disturb the system.
This --timer mechanism is provided by Snap specifically to keep Snap tasks from being overloaded or invoked by mistake.
- Why not certbot renew?
With an APT-installed Certbot you can run directly:
certbot renew
but the Snap version of Certbot is installed in the Snap sandbox by default and has to be executed through snap run:
snap run certbot.renew
and --timer="00:00~24:00/2" is mainly Snap's timing mechanism, ensuring the task does not run too frequently while also avoiding ACME rate-limit problems when Certbot renews.
Let's Encrypt certificate directories
root@xxxxxxx-host:/etc/nginx/conf.d# ls -alh /etc/letsencrypt/
total 52K
drwxr-xr-x 7 root root 4.0K Feb 26 11:20 .
drwxr-xr-x 125 root root 12K Feb 26 10:39 ..
drwx------ 4 root root 4.0K Feb 26 11:14 accounts
drwx------ 3 root root 4.0K Feb 26 10:47 archive
drwx------ 3 root root 4.0K Feb 26 10:47 live
-rw-r--r-- 1 root root 774 Feb 26 10:39 options-ssl-nginx.conf
drwxr-xr-x 2 root root 4.0K Feb 26 10:47 renewal
drwxr-xr-x 5 root root 4.0K Feb 26 10:39 renewal-hooks
-rw-r--r-- 1 root root 424 Feb 26 10:39 ssl-dhparams.pem
-rw-r--r-- 1 root root 64 Feb 26 10:39 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r-- 1 root root 64 Feb 26 10:39 .updated-ssl-dhparams-pem-digest.txt
At this point the overall certbot workflow and the related files are understood
7. Test automatic renewal
root@xxxxxxx-host:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/blog.opsdailou.top.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for blog.opsdailou.top
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/blog.opsdailou.top/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@xxxxxxx-host:~#
Renewing directly does not work: the certificate is not yet due
root@xxxxxxx-host:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/blog.opsdailou.top.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/blog.opsdailou.top/fullchain.pem expires on 2025-05-27 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
8. Confirm that Certbot is working properly
Verify that https works; the SSL certificate has been obtained, but the nginx configuration file still has to be edited by hand
If you do not want to configure it manually, let certbot do it automatically
Install the certificate
The certificate was already obtained with sudo certbot certonly --nginx; now run sudo certbot --nginx so that certbot adjusts the nginx configuration itself and sets up the https address
root@xxxxxxx-host:/etc/nginx/conf.d# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: blog.opsdailou.top
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
# Which domains to activate HTTPS for
Certificate not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/blog.opsdailou.top.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
# It reports that an existing certificate matches the requested domains and is not close to expiry, and asks what to do
# 1. Attempt to reinstall this existing certificate
# 2. Renew & replace the certificate (may be subject to CA rate limits)
# Option 1, reinstall, was chosen here
Deploying certificate
Successfully deployed certificate for blog.opsdailou.top to /etc/nginx/conf.d/typecho.conf
Congratulations! You have successfully enabled HTTPS on https://blog.opsdailou.top
# The certificate for blog.opsdailou.top was successfully deployed to /etc/nginx/conf.d/typecho.conf
# HTTPS is now enabled on https://blog.opsdailou.top
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Before the update
server {
    listen 80;
    # listen 8080;
    ## Your website name goes here.
    server_name blog.opsdailou.top;
    ## Your only path reference.
    ## This should be in your http block and if it is, it's not needed here.
    root /opt/typecho/;
    index index.html index.htm index.php;
    if (!-e $request_filename) {
        rewrite ^(.*)$ /index.php$1 last;
    }
    location ~ .*\.php(\/.*)*$ {
        include fastcgi.conf;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
    }
    access_log /var/log/nginx/typecho_access.log combined;
}
After the update
server {
    # listen 8080;
    ## Your website name goes here.
    server_name blog.opsdailou.top;
    ## Your only path reference.
    ## This should be in your http block and if it is, it's not needed here.
    root /opt/typecho/;
    index index.html index.htm index.php;
    if (!-e $request_filename) {
        rewrite ^(.*)$ /index.php$1 last;
    }
    location ~ .*\.php(\/.*)*$ {
        include fastcgi.conf;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
    }
    access_log /var/log/nginx/typecho_access.log combined;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/blog.opsdailou.top/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blog.opsdailou.top/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = blog.opsdailou.top) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name blog.opsdailou.top;
    return 404; # managed by Certbot
}
Configuration changes
1. The original port-80 listen was removed and moved into a new server block
- A request to http://blog.opsdailou.top/ returns 301 and is redirected to the https address https://blog.opsdailou.top/
- If another domain such as http://www.opsdailou.top/ reaches this server block, it returns 404
$ curl http://www.opsdailou.top/ -i
HTTP/1.1 404 Not Found
Server: nginx/1.24.0 (Ubuntu)
Date: Wed, 26 Feb 2025 03:29:09 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.24.0 (Ubuntu)</center>
</body>
</html>
2. Besides dropping the port-80 listen, the original server block gained a listen on 443 ssl together with the related HTTPS configuration
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/blog.opsdailou.top/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/blog.opsdailou.top/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
/etc/letsencrypt/options-ssl-nginx.conf contains important security parameters
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
/etc/letsencrypt/ssl-dhparams.pem is the DH parameter file used for the DHE ciphers (a PEM block "BEGIN DH PARAMETERS" ... "END DH PARAMETERS").
3. Every line certbot added is annotated with managed by Certbot
Verification
Visiting https://blog.opsdailou.top/ confirms the service works
Visiting http://blog.opsdailou.top/ redirects automatically to the https address, implemented by the 301 redirect in the nginx configuration
Chrome reports that the connection is secure and the certificate is valid; basic certificate details:
Issued to
Common name (CN) blog.opsdailou.top
Organization (O) <not part of certificate>
Organizational unit (OU) <not part of certificate>
Issued by
Common name (CN) E6
Organization (O) Let's Encrypt
Organizational unit (OU) <not part of certificate>
Issued on Wednesday, February 26, 2025 09:49:07
Expires on Tuesday, May 27, 2025 09:49:06
Certificate 5799d12eab801f48989d848944ccb7df7086a8b011db0a8a28fb5903d08865b3
Public key e5c72d4bb8f372208fc75a3563a408127cb360c15cd934e6540770b5162a37f7
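The browser view above answers the questions a monitoring check should ask every day: does the certificate still cover the host name, who issued it, how many days remain, and would certbot already consider it due (certbot's default is to renew once fewer than 30 days remain, which is why certbot renew printed "Certificate not yet due for renewal" here). The following is an added example, not part of the original post; it works on a dict in the shape returned by ssl.SSLSocket.getpeercert(), filled with a constructed copy of the page's certificate details (the notBefore/notAfter strings are the page's CST times converted to GMT), so it runs offline. Against a live server you would pass the real getpeercert() result instead.

```python
import ssl
from datetime import datetime, timezone

# Constructed copy of the certificate the page shows, in getpeercert() format.
# 2025-02-26 09:49:07 CST == 01:49:07 GMT; 2025-05-27 09:49:06 CST == 01:49:06 GMT.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "blog.opsdailou.top"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "E6"),)),
    "notBefore": "Feb 26 01:49:07 2025 GMT",
    "notAfter": "May 27 01:49:06 2025 GMT",
    "subjectAltName": (("DNS", "blog.opsdailou.top"),),
}

RENEW_WINDOW_DAYS = 30  # certbot's default renew_before_expiry


def san_matches(cert: dict, hostname: str) -> bool:
    """Match the host against subjectAltName DNS entries only (browsers ignore
    the subject CN for host name checks); accepts one-label wildcards."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False


def issuer_field(cert: dict, key: str) -> str:
    """Pull one attribute (e.g. commonName) out of the nested issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == key:
                return value
    return ""


def days_remaining(cert: dict, now: datetime) -> float:
    """Days until notAfter; cert_time_to_seconds parses the GMT string format."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def evaluate(cert: dict, hostname: str, now: datetime) -> dict:
    """Summarise the checks a daily certificate monitor would report on."""
    left = days_remaining(cert, now)
    return {
        "hostname_ok": san_matches(cert, hostname),
        "issuer_cn": issuer_field(cert, "commonName"),
        "issuer_org": issuer_field(cert, "organizationName"),
        "days_left": left,
        "expired": left <= 0,
        # Mirrors certbot's decision: not due while > RENEW_WINDOW_DAYS remain.
        "renewal_due": left < RENEW_WINDOW_DAYS,
    }


def evaluate_on(cert: dict, hostname: str, year: int, month: int, day: int, hour: int = 0) -> dict:
    """Convenience wrapper: evaluate at a given UTC date/hour."""
    return evaluate(cert, hostname, datetime(year, month, day, hour, tzinfo=timezone.utc))


if __name__ == "__main__":
    # Time of the page's session: 2025-02-26 10:55 CST, i.e. 02:55 UTC.
    print(evaluate_on(SAMPLE_PEERCERT, "blog.opsdailou.top", 2025, 2, 26, 2))
```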