Plan:
Use Let's Encrypt certificates, with the Certbot tool automating certificate issuance and renewal.
Prerequisites:
- DNS for the domain already resolves to the server
- Port 80 on the server is reachable from the Internet (needed for the HTTP-01 challenge)
Steps:
1. Install Certbot and the Nginx plugin
Certbot is the tool used to obtain and automatically renew Let's Encrypt certificates.
yum install certbot python3-certbot-nginx
2. 获取 SSL 证书
Use Certbot to obtain a Let's Encrypt SSL certificate. This process generates the HTTPS configuration automatically and updates the Nginx configuration file. When prompted, enter the number of the domain you want, for example 3; when the run finishes, Certbot has updated the nginx configuration file and reloaded the nginx service.
[root@xxx ~]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: examle1.com
2: dev.examle1.com
3: api.examle1.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 3
Requesting a certificate for api.examle1.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/api.examle1.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/api.examle1.com/privkey.pem
This certificate expires on 2025-03-22.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for api.examle1.com to /etc/nginx/conf.d/api.examle1.com.conf
Congratulations! You have successfully enabled HTTPS on https://api.examle1.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3. Configure automatic renewal
Check for renewal once a day at 03:13 and reload nginx:
13 3 * * * certbot renew >> /root/certbot_renew.log 2>&1 && systemctl reload nginx >> /root/certbot_error.log 2>&1
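An added example, not part of the original note: a small POSIX sh helper around the workflow above. It parses the "This certificate expires on ..." line Certbot prints in step 2, computes days to expiry with plain shell arithmetic (no dependency on GNU date), checks a live certificate file with openssl, and wraps `certbot renew` with `--deploy-hook` so nginx is reloaded only when a certificate was actually renewed, rather than every day as the cron line in step 3 does. Note that the Certbot output in step 2 already reports a scheduled renewal task, so a separate cron entry duplicates it; the hook approach works with either. The certificate path and the domain are assumptions taken from the session output.

```sh
#!/bin/sh
# Added example, not the original note's code. Assumes Certbot and openssl
# are installed and that certificates live under /etc/letsencrypt/live/<domain>/.
set -eu

# Line captured from the Certbot session above (constructed input for the demo).
CERTBOT_LINE='This certificate expires on 2025-03-22.'

# Extract the YYYY-MM-DD date from Certbot's "expires on" line.
parse_expiry_line() {
    printf '%s\n' "$1" | sed -n 's/.*expires on \([0-9][0-9]*-[0-9][0-9]-[0-9][0-9]\)\..*/\1/p'
}

# Julian Day Number of a YYYY-MM-DD date, pure POSIX arithmetic.
jdn() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}          # strip leading zero so 08/09 are not parsed as octal
    a=$(( (14 - m) / 12 ))
    y=$(( y + 4800 - a ))
    m=$(( m + 12 * a - 3 ))
    echo $(( d + (153 * m + 2) / 5 + 365 * y + y / 4 - y / 100 + y / 400 - 32045 ))
}

# Days from date $1 until date $2 (negative when $2 is already past).
days_between() {
    echo $(( $(jdn "$2") - $(jdn "$1") ))
}

# Exit 0 when a certificate expiring on $1 is within $3 days of $2 (today).
# Certbot's own default is to renew when fewer than 30 days remain.
needs_renewal() {
    expiry=$1; today=$2; threshold=${3:-30}
    [ "$(days_between "$today" "$expiry")" -le "$threshold" ]
}

# Exit 0 when the certificate in PEM file $1 expires within $2 days.
# openssl -checkend returns 0 while the cert is still valid past the window,
# so the result is inverted here.
cert_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Renew whatever is due; the deploy hook runs once per renewed certificate,
# so nginx is reloaded only when something changed. Pass --dry-run to
# exercise the flow against the staging environment without touching live certs.
renew_and_reload() {
    certbot renew --quiet --deploy-hook 'systemctl reload nginx' "$@"
}

# Stand-alone usage (path assumed from the session above):
#   sh cert_check.sh /etc/letsencrypt/live/api.examle1.com/cert.pem
if [ "$#" -gt 0 ]; then
    if cert_within_days "$1" 30; then
        echo "$1 expires within 30 days; running renewal"
        renew_and_reload
    else
        echo "$1 is not due for renewal"
    fi
fi
```

Run with the certificate path to check and renew in one step, or call `renew_and_reload --dry-run` first to confirm the HTTP-01 challenge on port 80 still succeeds before relying on unattended renewal.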