轶哥博客

A full-stack programmer who dreams of changing the world.

Configuring a free, auto-renewing wildcard SSL certificate

The non-profit certificate authority Let's Encrypt has issued wildcard certificates since 2018-03-13. A wildcard certificate can only be validated through DNS: you prove control of the domain by adding a TXT record to it.

  1. Install certbot following the instructions on the certbot website.

  2. Install a DNS plugin

    certbot supports many DNS plugins, for example:

     certbot-dns-cloudflare
     certbot-dns-cloudxns
     certbot-dns-digitalocean
     certbot-dns-dnsimple
     certbot-dns-dnsmadeeasy
     certbot-dns-google
     certbot-dns-linode
     certbot-dns-luadns
     certbot-dns-nsone
     certbot-dns-ovh
     certbot-dns-rfc2136
     certbot-dns-route53
     ...

    This post uses DNSPod (the default DNS for domains registered with Tencent Cloud) as the example:

     git clone https://github.com/tengattack/certbot-dns-dnspod
     cd certbot-dns-dnspod
     sudo python setup.py install

    If you are using certbot-auto, you should run virtualenv first:

     # CentOS 7
     virtualenv --no-site-packages --python "python2.7" "/opt/eff.org/certbot/venv"
     /opt/eff.org/certbot/venv/bin/python2.7 setup.py install

    After installation, generate an API Token in the DNSPod console and save it in a credentials file, /path/credentials.ini (the commands below use /root/credentials.ini):

     certbot_dns_dnspod:dns_dnspod_api_id = 12345
     certbot_dns_dnspod:dns_dnspod_api_token = 1234567890abcdef1234567890abcdef

    Restrict the file's permissions so only root can read the token:

     chmod 600 /root/credentials.ini
  3. Run the issuance command

     certbot certonly -a certbot-dns-dnspod:dns-dnspod --certbot-dns-dnspod:dns-dnspod-credentials /root/credentials.ini -d xxx.com -d "*.xxx.com" --server https://acme-v02.api.letsencrypt.org/directory

    By default the issued certificate is placed in /etc/letsencrypt/live/xxx.com/.

  4. Configure Nginx

     server {
             listen 80;
             server_name  *.abc.com;
             charset utf-8;
             autoindex off;
    
             location / {
                     return 301 https://$host$request_uri;
             }
     }
    
     server {
             # "ssl on;" is deprecated and was removed in nginx 1.25; enable TLS on the listen directive instead
             listen 443 ssl;
             server_name *.abc.com;
             ssl_certificate /etc/letsencrypt/live/abc.com/fullchain.pem;
             ssl_certificate_key /etc/letsencrypt/live/abc.com/privkey.pem;
             ssl_session_timeout 5m;
             # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients still require them
             ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
             ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
             ssl_prefer_server_ciphers on;
             charset utf-8;
             autoindex off;
             index index.html index.htm;
    
             location / {
                 proxy_http_version 1.1;
                 proxy_set_header X-Real-IP $remote_addr;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_set_header Host $http_host;
                 proxy_set_header X-NginX-Proxy true;
                 proxy_set_header Upgrade $http_upgrade;
                 proxy_set_header Connection "upgrade";
                 proxy_pass http://127.0.0.1:8888$request_uri;
                 proxy_redirect off;
             }
     }
  5. Set up scheduled renewal (each issued certificate is valid for three months)

     crontab -e
     0 0 1 * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew && nginx -s reload

    This runs the renewal automatically every month and then hot-reloads nginx.

    Test automatic renewal:

     sudo certbot renew --dry-run
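A monthly cron job works because `certbot renew` only replaces a certificate when fewer than 30 days of its 90-day lifetime remain, and because the certificate covers both `xxx.com` and `*.xxx.com` (a wildcard alone does not match the apex name). The following added check script (not part of the original post, and not a certbot tool) verifies both properties from the output of `openssl x509 -in /etc/letsencrypt/live/xxx.com/fullchain.pem -noout -enddate -ext subjectAltName`. The sample output embedded below is constructed, with a made-up expiry date; the 30-day window is certbot's default renewal threshold.

```python
import re
from datetime import datetime, timezone

# Constructed sample of what
#   openssl x509 -in fullchain.pem -noout -enddate -ext subjectAltName
# prints for a wildcard certificate. The date is made up.
SAMPLE_OPENSSL_OUTPUT = """\
notAfter=Jun 11 08:15:42 2018 GMT
X509v3 Subject Alternative Name: 
    DNS:*.xxx.com, DNS:xxx.com
"""

RENEW_WINDOW_DAYS = 30  # certbot renew acts only when fewer than 30 days remain


def parse_not_after(text):
    """Extract the notAfter line and return it as an aware UTC datetime."""
    m = re.search(r"^notAfter=(.+?)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("notAfter line missing from openssl output")
    raw = " ".join(m.group(1).split())  # openssl pads single-digit days with a space
    if raw.endswith(" GMT"):
        raw = raw[:-4]
    return datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_sans(text):
    """Collect the DNS names listed in the Subject Alternative Name extension."""
    return set(re.findall(r"DNS:([^,\s]+)", text))


def uncovered_names(sans, required_names):
    """Names from required_names that the certificate does not cover.

    A wildcard entry matches exactly one extra label: '*.xxx.com' covers
    'www.xxx.com' but neither 'xxx.com' nor 'a.b.xxx.com'.
    """
    missing = set()
    for name in required_names:
        if name in sans:
            continue
        parent = name.split(".", 1)[1] if "." in name else ""
        if name.startswith("*.") or f"*.{parent}" not in sans:
            missing.add(name)
    return missing


def renewal_status(openssl_text, required_names, now):
    """Summarise coverage and remaining lifetime relative to the renewal window."""
    days_left = (parse_not_after(openssl_text) - now).days
    return {
        "days_left": days_left,
        "renewal_due": days_left < RENEW_WINDOW_DAYS,
        "missing": uncovered_names(parse_sans(openssl_text), required_names),
    }


if __name__ == "__main__":
    # In production, feed in the real openssl output and datetime.now(timezone.utc).
    status = renewal_status(SAMPLE_OPENSSL_OUTPUT,
                            ["xxx.com", "www.xxx.com", "a.b.xxx.com"],
                            datetime(2018, 5, 20, tzinfo=timezone.utc))
    print(status)
```

Running this from the same monthly cron job as a post-check (or from a monitoring host) catches the two silent failure modes of the setup above: a renewal that keeps failing until the certificate lapses, and a virtual host whose name the certificate never covered.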

References:
https://latlonworld.com/article/free-wildcard-ssl-with-lets-encrypt.html
https://latlonworld.com/article/free-ssl-with-lets-encrypt.html
