An SSL certificate that "never expires"

Use Certbot, the free, open-source ACME client, to obtain certificates from Let's Encrypt. Each Let's Encrypt certificate is only valid for 90 days; "never expires" here means that renewal is automated, so the site never ends up serving an expired certificate.

Install

On CentOS/RHEL the certbot package comes from the EPEL repository:

yum install -y certbot

Obtain a certificate with Certbot

A certificate obtained this way is issued by Let's Encrypt rather than bought through a cloud platform's console, so it is free and not tied to any vendor; Certbot itself is open source.

[root@iZj6c4oh2p3wuhcrvycoumZ docker]# certbot certonly --standalone -d hk.fcat.top
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for hk.fcat.top
Performing the following challenges:
http-01 challenge for hk.fcat.top
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
[root@iZj6c4oh2p3wuhcrvycoumZ docker]# docker stop ruoyi-nginx
ruoyi-nginx
[root@iZj6c4oh2p3wuhcrvycoumZ docker]# certbot certonly --standalone -d hk.fcat.top
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for hk.fcat.top
Performing the following challenges:
http-01 challenge for hk.fcat.top
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hk.fcat.top/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hk.fcat.top/privkey.pem
   Your certificate will expire on 2025-02-04. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
The standalone authenticator opens port 80 itself to answer the http-01 challenge, which is why the first attempt above failed with "Problem binding to port 80": the application listening on port 80 (here the ruoyi-nginx container) has to be stopped first and started again afterwards. If stopping the web server is not acceptable, Certbot's --webroot authenticator serves the challenge file from a directory the running nginx already exposes, and --pre-hook/--post-hook can automate the stop/start.

Once the command succeeds, the certificate plus intermediate chain and the private key are written under /etc/letsencrypt/live/hk.fcat.top/ (these are symlinks to the versioned files in /etc/letsencrypt/archive/, so the paths in your configuration stay stable across renewals). Point nginx at them and keep privkey.pem readable by root only:

 /etc/letsencrypt/live/hk.fcat.top/fullchain.pem
 /etc/letsencrypt/live/hk.fcat.top/privkey.pem

nginx configuration

# wordpress blog (the certificate paths must belong to the domain in server_name)
server {
    listen 443 ssl;
    server_name wp.fcat.top;
    charset utf-8;   # nginx's charset directive takes a single charset, not a list
    ssl_certificate /etc/letsencrypt/live/wp.fcat.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wp.fcat.top/privkey.pem;

    location / {
        proxy_redirect off;
        # pass the original host, client address and scheme through to WordPress
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        #set $Real $proxy_add_x_forwarded_for;
        proxy_connect_timeout 36000;
        proxy_send_timeout 36000;
        proxy_read_timeout 36000;
        proxy_pass http://wordpress:80/;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

nginx reads the certificate files when it starts or reloads, so a renewed certificate is only served after an nginx reload or, as in the renewal script below, a restart of the container.

A custom renewal script

Script for the automatic renewal. Every night the cron job runs certbot renew, which checks every certificate under /etc/letsencrypt and renews only those within 30 days of expiry (Certbot's default), so a certificate never reaches its expiry date; it does not wait until the certificate has already expired. Make the script executable (chmod 700 /docker/certbot_renew_ssl.sh; it runs as root).

vim /docker/certbot_renew_ssl.sh
#!/bin/bash
# The standalone authenticator needs port 80, so stop the nginx container first.
docker stop ruoyi-nginx
# Renew whatever is due. Do NOT pass --dry-run here: --dry-run only rehearses the
# renewal against the Let's Encrypt staging environment and writes no certificate,
# so a script using it would never actually renew anything.
/usr/bin/certbot renew
# Start nginx again; it picks up the renewed certificate files at startup.
docker start ruoyi-nginx

Set up the scheduled job

Cron components (on CentOS 6 and later the cron daemon package is cronie; vixie-cron is its predecessor)

yum install vixie-cron
yum install crontabs
/sbin/service crond start    # start the service
/sbin/service crond stop     # stop the service
/sbin/service crond restart  # restart the service
/sbin/service crond reload   # reload the configuration

Use a cron job to run the renewal script certbot_renew_ssl.sh every day at 03:00 (the crontab line below uses hour 3). Because this is the system crontab /etc/crontab, each job line must carry the user field between the schedule and the command; without it cron takes the script path as the user name and the job never runs. The job has to run as root, since both certbot and docker need it.

vim /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
0 3 * * * root /docker/certbot_renew_ssl.sh >> /docker/certbot_renew_ssl.log 2>&1
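As an added example (not the script from this post), the renewal script below replaces the unconditional daily docker stop/start with Certbot's --pre-hook/--post-hook, which run only when a renewal is actually attempted, and adds a check of the certificate on disk so the cron log shows how many days of validity remain; the same check answers, for the "Obtain a certificate" section above, what was actually written to /etc/letsencrypt/live. The container name ruoyi-nginx and the domain hk.fcat.top are taken from this page; the expiry check assumes openssl and GNU date are installed. The renewal configuration that the first certonly run stored under /etc/letsencrypt/renewal/ already records the standalone authenticator, so certbot renew needs no extra flags for it.

```shell
#!/bin/bash
# certbot_renew_ssl.sh (added example, not the original post's script).
# Assumptions: nginx runs in a container named ruoyi-nginx, certbot is at
# /usr/bin/certbot and the certificate lives under /etc/letsencrypt/live/hk.fcat.top/.
# Cron usage (system crontab, user field included):
#   0 3 * * * root /docker/certbot_renew_ssl.sh --run >> /docker/certbot_renew_ssl.log 2>&1

DOMAIN="${DOMAIN:-hk.fcat.top}"
CONTAINER="${CONTAINER:-ruoyi-nginx}"
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"
RENEW_THRESHOLD_DAYS=30   # Certbot's own default: renew when fewer than 30 days remain

# Whole days between a certificate's notAfter and "now", both as epoch seconds
# (pure POSIX shell arithmetic, so it can be checked without a real certificate).
days_left() {
    not_after_epoch=$1
    now_epoch=$2
    echo $(( (not_after_epoch - now_epoch) / 86400 ))
}

# Exit status 0 when a certificate with $1 days left is inside the renewal window.
needs_renewal() {
    days=$1
    threshold=${2:-$RENEW_THRESHOLD_DAYS}
    [ "$days" -le "$threshold" ]
}

# notAfter of a PEM certificate as epoch seconds (needs openssl and GNU date).
cert_not_after_epoch() {
    pem=$1
    not_after=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
    date -d "$not_after" +%s
}

# Log how long the certificate nginx serves is still valid. Fails when it is
# already inside the renewal window, i.e. certbot renew did not renew it.
report_cert() {
    epoch=$(cert_not_after_epoch "$LIVE_DIR/fullchain.pem")
    left=$(days_left "$epoch" "$(date +%s)")
    echo "$(date '+%F %T') $DOMAIN: certificate valid for $left more day(s)"
    if needs_renewal "$left"; then
        echo "WARNING: $left day(s) left after renewal run; see /var/log/letsencrypt/letsencrypt.log" >&2
        return 1
    fi
}

# certbot renew only attempts certificates that are due; the hooks run only around
# such an attempt, so the container is stopped (freeing port 80 for http-01) and
# started again (loading the new files) only on the days a renewal happens.
renew() {
    /usr/bin/certbot renew \
        --pre-hook  "docker stop $CONTAINER" \
        --post-hook "docker start $CONTAINER"
}

main() {
    if ! renew; then
        echo "certbot renew failed" >&2
        docker start "$CONTAINER" >/dev/null 2>&1   # never leave the site down
        exit 1
    fi
    report_cert
}

# Only act when invoked with --run; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Because the cron job's exit status is now non-zero whenever certbot failed or the certificate is still inside the renewal window, a monitoring check on /docker/certbot_renew_ssl.log (or cron's MAILTO) catches a broken renewal weeks before the certificate actually expires.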

Logs

Check that the job fired: tail -f /var/log/cron (or cron.log on systems that use that name). The script's own output goes to /docker/certbot_renew_ssl.log, and Certbot's detailed log, including why a certificate was or was not renewed, is /var/log/letsencrypt/letsencrypt.log.
