# Quick tip: getting a free certificate

Reference: https://diamondfsd.com/article/e221b455-b0e7-40b7-a6c7-9bb7e3e35657

Use the great Let's Encrypt, of course.

## Install the tool

```
# optional
apt install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot
```

## Request the certificate

### Standard method

```
service nginx stop
certbot certonly --standalone -d www.superpig.win
# service nginx start
```

On the first run, certbot prompts for an email address and asks whether to share it with the EFF; answer as prompted.

When the request succeeds, certbot prints a message like this:

```
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.superpig.win/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.superpig.win/privkey.pem
   Your cert will expire on 2018-01-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```

### DNS method

Sometimes port 80 is not available. In that case, use the DNS method.

- Run the command `certbot --manual --preferred-challenges dns certonly -d jellyfin.superpig.win`
- A prompt like the following appears:

  ```
  NOTE: The IP of this machine will be publicly logged as having requested this
  certificate. If you're running certbot in manual mode on a machine that is not
  your server, please ensure you're okay with that.

  Are you OK with your IP being logged?
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  (Y)es/(N)o: y

  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Please deploy a DNS TXT record under the name
  _acme-challenge.jellyfin.superpig.win with the following value:

  j6h2cPbqD0CdeNEu055WfWW2KkGPsb0Gqq20fjAr4Vc

  Before continuing, verify the record is deployed.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Press Enter to Continue
  Waiting for verification...
  ```

- Now add a TXT record at your DNS provider. Using the output above as the example, the name is `_acme-challenge.jellyfin.superpig.win` (watch the suffix: the provider already fills in the domain part by default) and the value is `j6h2cPbqD0CdeNEu055WfWW2KkGPsb0Gqq20fjAr4Vc`.
- Press Enter, wait a moment, and it is done.

## Update the nginx configuration

Add the following directives to the nginx configuration:

```
ssl_certificate /etc/letsencrypt/live/www.superpig.win/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.superpig.win/privkey.pem;
```

Done.

## Renew the certificate automatically

### Standard method

A cron entry can renew the certificate automatically at a regular interval:

```
# Runs at 02:15 every day in every second month; certbot renew only acts on
# certificates that are close to expiry.
15 2 * */2 * certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
```

### DNS renewal

This is more involved. For Aliyun, use the plugin: https://github.com/tengattack/certbot-dns-aliyun

```
pip install certbot-dns-aliyun
touch credentials.ini
vi credentials.ini
```

Fill in the access key in `credentials.ini`:

```
# This file holds the API secret: keep it readable by its owner only.
certbot_dns_aliyun:dns_aliyun_access_key = 12345678
certbot_dns_aliyun:dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef
```

Then request the certificate through the plugin:

```
certbot certonly -a certbot-dns-aliyun:dns-aliyun \
    --certbot-dns-aliyun:dns-aliyun-credentials /credentials.ini \
    -d file.yinzihao.com
```

By 大脸猫, written 2017-10-09 21:56, updated 2021-06-23 00:49
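
The DNS prompt above asks you to verify that the TXT record is deployed before pressing Enter. One way to run that check, as an added example that is not part of the original post: it asks every authoritative nameserver of the zone with `dig` and compares the answer to the value certbot printed. The script name `check.sh`, the function names and the separate zone argument are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: confirm the _acme-challenge TXT record before pressing Enter.

# Read `dig +short TXT` output on stdin (one quoted string per line) and
# succeed only if some record equals the expected value exactly.
txt_matches() {
    local expected="$1" line
    while IFS= read -r line; do
        line="${line%\"}"; line="${line#\"}"    # strip the surrounding quotes
        if [ "$line" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# Query each authoritative nameserver of the zone directly: a caching resolver
# can lag behind or still hold the value from an earlier attempt.
check_challenge() {
    local zone="$1" host="$2" expected="$3" ns seen=0 missing=0
    for ns in $(dig +short NS "$zone"); do
        seen=1
        if dig +short TXT "_acme-challenge.$host" "@$ns" | txt_matches "$expected"; then
            echo "ok      $ns"
        else
            echo "missing $ns"
            missing=1
        fi
    done
    # No nameserver found counts as a failure, not as a silent success.
    if [ "$seen" -eq 0 ] || [ "$missing" -ne 0 ]; then
        return 1
    fi
    return 0
}

# Usage: ./check.sh superpig.win jellyfin.superpig.win <value printed by certbot>
if [ "$#" -eq 3 ]; then
    check_challenge "$@"
fi
```

Press Enter in certbot only once every nameserver reports `ok`.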