HTTPS setup and automatic certificate renewal
Install certbot
Change to the installation directory, e.g. /data1/server (adjust to your environment), and clone the repository:
git clone https://github.com/certbot/certbot
Configure nginx
See the complete example below. Note that for the initial configuration only port 80 should be open; configure port 443 after the certificate has been issued.
Request the certificate
Several domains can be requested in one run (they then share a single certificate).
Example
/data1/server/certbot/letsencrypt-auto --no-self-upgrade certonly \
--webroot -w /data1/webroot/gitlab/certbot/hostname.com \
-d qy.xzdjjd.com \
-d wx.xzdjjd.com \
-d sp.xzdjjd.com \
-d svc.xzdjjd.com
On success the certificate files are normally placed under /etc/letsencrypt/live/
Update nginx to force HTTPS
See the complete example below
After updating the configuration, restart nginx, open the site and check that HTTPS works
Automatic renewal
Add a scheduled renewal job via crontab
crontab -e
0 3 * * * /data1/tools/certbot/letsencrypt-auto renew --no-self-upgrade --post-hook "/data1/cron/certbot_renew.sh" > /dev/null 2>&1 &
Here certbot_renew.sh is the script that reloads nginx after the certificate has been updated so that the new certificate takes effect, e.g.:
#!/bin/bash
set -xe
#source /etc/profile
# Reload nginx on a daily schedule so that an expired SSL certificate is never served
# Only reload nginx if the configuration test passes
# (note: with set -e a failing "nginx -t" would abort the script before a separate "$? -eq 0"
#  check ever ran, so the test is placed directly in the if condition)
if /data1/server/nginx/1.15.7/bin/sbin/nginx -t; then
    # reload nginx
    /data1/server/nginx/1.15.7/bin/sbin/nginx -s reload
fi
exit $?
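As an added example that is not part of the original notes, the same hook written for certbot's --deploy-hook, which (unlike --post-hook) runs only when a certificate was actually renewed and receives the RENEWED_LINEAGE and RENEWED_DOMAINS variables from certbot: it checks that the renewed certificate on disk is valid for a while, reloads nginx only when the configuration test passes, and records which domains were renewed. The nginx binary path is the one from these notes; the log file location and the function names are assumptions.

```bash
#!/bin/bash
# Added example: a certbot --deploy-hook for the nginx setup in these notes (not the
# original certbot_renew.sh). Unlike --post-hook, a deploy hook runs only when a
# certificate was actually renewed; certbot exports RENEWED_LINEAGE (the live/<name>
# directory) and RENEWED_DOMAINS to it. The log file location is an assumption.
set -eu

NGINX_BIN="${NGINX_BIN:-/data1/server/nginx/1.15.7/bin/sbin/nginx}"  # binary path from the notes
LOG_FILE="${LOG_FILE:-/var/log/certbot-deploy.log}"                 # assumed log location

# Return 0 if the certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null
}

# Test the nginx configuration with the binary in $1 and reload only if the test passes,
# so a broken configuration never takes the running server down.
reload_nginx_if_valid() {
    if "$1" -t; then
        "$1" -s reload
        return 0
    fi
    echo "nginx -t failed; keeping the currently loaded configuration" >&2
    return 1
}

# Entry point certbot calls: sanity-check the new certificate, reload, record what happened.
deploy_hook() {
    lineage="${RENEWED_LINEAGE:?set by certbot when run as --deploy-hook}"
    if ! cert_valid_for_days "$lineage/fullchain.pem" 30; then
        echo "certificate in $lineage expires in under 30 days; not reloading" >&2
        return 1
    fi
    reload_nginx_if_valid "$NGINX_BIN" || return 1
    printf '%s renewed %s in %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${RENEWED_DOMAINS:-?}" "$lineage" >> "$LOG_FILE"
}

# Act only when certbot's environment is present; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Wire it in with `letsencrypt-auto renew --deploy-hook /path/to/this/script.sh` in place of the --post-hook above.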
Complete example
Configure the cipher suites (ssl_ciphers) according to your needs; the suites in this example are comparatively CPU-intensive.
server {
    listen 443 ssl;   # "ssl on;" is deprecated since nginx 1.15.0; the listen parameter replaces it
    server_name svcs.private.3ruler.com;

    ssl_certificate_key /etc/letsencrypt/live/svcs.private.3ruler.com/privkey.pem;
    ssl_certificate     /etc/letsencrypt/live/svcs.private.3ruler.com/fullchain.pem;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    # TLSv1 and TLSv1.1 are deprecated; drop them unless legacy clients still require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:30m;
    ssl_session_timeout 30m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    resolver 119.29.29.29 114.114.114.114 valid=300s;
    resolver_timeout 10s;

    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    # access_log /data1/logs/nginx/3ruler/svcs.private.3ruler.com-access_log main;
    # error_log /data1/logs/nginx/3ruler/svcs.private.3ruler.com-error_log;

    gzip on;
    gzip_types text/plain application/javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg;
    client_max_body_size 1024m;

    location / {
        proxy_set_header REMOTE_ADDR $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://127.0.0.1:8921;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_connect_timeout 60;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
    }

    # used only for the initial certificate request
    # location /.well-known/acme-challenge/ {
    #     root /data1/webroot/certbot/order/svcs.private.3ruler.com;
    # }
}

server {
    listen 80;
    server_name svcs.private.3ruler.com;

    # certificate renewals are validated through this location
    location /.well-known/acme-challenge/ {
        root /data1/webroot/certbot/order/svcs.private.3ruler.com;
    }

    location / {
        return 301 https://$http_host$request_uri;
    }
}