Command to request a wildcard certificate

With certbot you can request a wildcard certificate for free. Try the command below, replacing the domain and e-mail address with your own.

sudo certbot certonly -d "*.example.com" -d example.com -m YOUR_EMAIL --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
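The command above requests two names, "*.example.com" and "example.com", because a wildcard in a certificate covers exactly one label. The following Python script is an added example, not code from the original post or from certbot: it applies the wildcard-matching rule TLS clients use (RFC 6125) to a certificate's SubjectAltName list and reports which hostnames a certificate would fail to cover. The san_names_from_pem helper assumes the openssl command-line tool (1.1.1 or newer) is installed; everything else uses only the standard library.

```python
import subprocess


def dns_name_matches(pattern, hostname):
    """Does a SAN dNSName entry cover hostname, by TLS client rules (RFC 6125)?

    A '*' is honoured only as the whole left-most label and stands for exactly
    one label: '*.example.com' covers 'www.example.com' but neither the apex
    'example.com' nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire first label with at least two labels
    # after it; clients reject names such as '*.com' or 'w*.example.com'.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # Same label count, so the '*' consumes exactly one label.
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def uncovered_hostnames(san_names, hostnames):
    """Return the hostnames that no SAN entry in san_names covers."""
    return [h for h in hostnames
            if not any(dns_name_matches(s, h) for s in san_names)]


def san_names_from_pem(pem_path):
    """Read the dNSName SAN entries of the first certificate in a PEM file.

    Shells out to the openssl CLI (assumed installed). On a certbot host
    pem_path would be fullchain.pem under /etc/letsencrypt/live/<domain>/.
    """
    out = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", "-ext", "subjectAltName"],
        capture_output=True, text=True, check=True,
    ).stdout
    # Output looks like: "X509v3 Subject Alternative Name:\n    DNS:a, DNS:b"
    parts = [p.strip() for p in out.replace("\n", ",").split(",")]
    return [p[len("DNS:"):] for p in parts if p.startswith("DNS:")]


if __name__ == "__main__":
    # Constructed SAN lists standing in for a wildcard-only and a full certificate.
    wanted = ["example.com", "www.example.com", "api.example.com"]
    print(uncovered_hostnames(["*.example.com"], wanted))                 # ['example.com']
    print(uncovered_hostnames(["*.example.com", "example.com"], wanted))  # []
```

The same one-label rule is why the nginx vhost below with server_name *.example.com does not serve the apex; nginx accepts the form .example.com to match both.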

Command to request a single-domain certificate

You can also request a certificate for a single domain with the following command:

sudo certbot certonly --manual -m YOUR_EMAIL -d example.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Nginx configuration

Certificates obtained with certbot are stored under /etc/letsencrypt/live/example.com/. Note that the files there are symlinks pointing at the real certificate files.

Below is a configuration that listens on port 443, terminates SSL with the certificate, and proxies requests to a backend service on port 8080:

# HTTPS front end: terminates TLS with the certbot certificate and proxies
# to the backend service on 127.0.0.1:8080.
server {
    listen 443 ssl;
    server_name *.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Request size and timeout limits.
    client_max_body_size 50m;
    client_body_buffer_size 256k;
    client_header_timeout 3m;
    client_body_timeout 3m;
    send_timeout 3m;

    # Upstream timeouts and buffering.
    proxy_connect_timeout 300s;
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;
    proxy_buffer_size 64k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    proxy_ignore_client_abort on;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        proxy_set_header Host $host:80;
        proxy_ssl_server_name on;
        # Pass the client address and original scheme to the backend.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Plain HTTP front end on port 80, proxying to the same backend.
server {
    listen 80;
    server_name *.example.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        proxy_set_header Host $host:80;
        proxy_ssl_server_name on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Notes

Every time the certificate is renewed, nginx has to be restarted. Use the command

sudo systemctl stop nginx

to stop the service first, then use

sudo systemctl start nginx

to start it again.