Linux CentOS 7 使用certbot管理nginx证书

1、安装Certbot

yum install certbot python2-certbot-nginx

---

2、配置nginx

vim /etc/nginx/nginx.conf

内容如下：

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
   worker_connections  1024;
}


http {
   include       /etc/nginx/mime.types;
   default_type  application/octet-stream;

   log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';

   access_log  /var/log/nginx/access.log  main;

   sendfile        on;
   #tcp_nopush     on;

   keepalive_timeout  65;

   #gzip  on;

   include /etc/nginx/conf.d/*.conf;
}

其中有一行

 include /etc/nginx/conf.d/*.conf;

可见我们只要在这个目录下新建一个xxx.conf即可被引用。

在上述目录下添加我们需要配置的文件homePage.conf
内容如下：

server {
    listen 80;
    server_name www.xxxxxx.com;
}

---

3、自动配置下载证书

先检查一下nginx的配置文件是否有错误

nginx -t

运行如下：

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

自动配置：

certbot --nginx 

运行如下：

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): #此处需要输入你的邮箱地址
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y #此处选Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y 此处选Y
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.xxxxx.com  #此处会列出你配置文件中包含的域名
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 #选择域名对应的序号
Requesting a certificate for www.xxxxx.com
Performing the following challenges:
http-01 challenge for www.xxxxx.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/homePage.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/homePage.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.xxxxx.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: 你的邮箱地址).
Starting new HTTPS connection (1): supporters.eff.org
An unexpected error occurred:
TypeError: __str__ returned non-string (type Error)
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.xxxxx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.xxxxx.com/privkey.pem
   Your certificate will expire on 2022-03-17. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

相关证书会生成在如下文件中：

/etc/letsencrypt/renewal/www.xxxxx.com.conf
/etc/letsencrypt/archive/www.xxxxx.com
/etc/letsencrypt/live/www.xxxxx.com

此时打开/etc/nginx/conf.d/homePage.conf;
内容如下：

server {
    server_name www.xxxxx.com;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.xxxxx.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.xxxxx.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.xxxxx.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name www.xxxxx.com;
    return 404; # managed by Certbot
}

可以看到帮我们自动生成了相关的配置文件

添加我们的跳转后，内容如下：

server {
    server_name www.xxxxx.com;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.xxxxx.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.xxxxx.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        root   /homePage;
        index index.html;
    }
}
server {
    if ($host = www.xxxxx.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name www.xxxxx.com;
    return 404; # managed by Certbot
}

---

4、重启/启动nginx，访问域名查看是否配置成功

#启动
nginx -c /etc/nginx/nginx.conf
#重启
nginx -s reload

---

5、证书的有效期只有三个月，所以需要定时续期

以下部分摘抄整理来自：https://www.liaosam.com/use-cron-service-and-certbot-for-renewal-of-letsencrypt-ssl-certificates.html

5.1、检查 Cron 服务状态

service crond status

运行如下：

● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since 五 2021-12-17 14:45:07 CST; 5h 5min ago
 Main PID: 14167 (crond)
   CGroup: /system.slice/crond.service
           └─14167 /usr/sbin/crond -n

12月 17 14:45:07 xxxxxxxxxxx systemd[1]: Stopped Command Scheduler.
12月 17 14:45:07 xxxxxxxxxxx systemd[1]: Started Command Scheduler.
12月 17 14:45:07 xxxxxxxxxxx crond[14167]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 59% if used.)
12月 17 14:45:07 xxxxxxxxxxx crond[14167]: (CRON) INFO (running with inotify support)
12月 17 14:45:07 xxxxxxxxxxx crond[14167]: (CRON) INFO (@reboot jobs will be run at computer's startup.)

如果执行后提示：crond (pid xxxxx) is running… 代表正常运行中，则可以跳过下面5.2、5.3两步 。

如果提示错误，不识别的服务，则先按照5.2和5.3执行安装和启动。

---

5.2、安装 cron 服务

依次输入以下 2 条命令并回车执行

yum -y install vixie-cron
yum -y install crontabs

成功安装 Cron 之后，启动 cron 服务。

---

5.3、启动 Cron 服务

service crond start

执行后会出现：Starting crond: [ OK ] 的提示，表明启动成功。

继续执行开机启动服务命令，把 Cron 加入开机启动的服务列表中：

chkconfig --level 345 crond on

安装完检查一下 Cron 服务状态

service crond status

如果提示：crond (pid xxxxx) is running… 代表正常运行中。

---

5.4、搜索 cron 文件所在位置

输入命令：

find / -name "cron"

找到如下结果：

/var/spool/cron
/var/log/cron
/etc/selinux/targeted/active/modules/100/cron

/var/log/cron 这个是日志文件位置，不管它
/var/spool/cron 这里是所有的自动执行任务的 cron 文件存放位置

打开 /var/spool/cron，看看 cron 目录下有没有文件。

• 如果没有，创建 cron 文件，按照步骤5.5。
• 如果有，跳过步骤5.5。

---

5.5、创建 Cron 文件

输入以下命令：

crontab -e

此时会创建一个新文件同时打开了vim

输入以下内容：

0 3 */7 * * /usr/bin/certbot renew --renew-hook "/usr/sbin/nginx -s reload"

上面这个/usr/bin/certbot和/usr/sbin/nginx 各自需要写成各自的路径可以用which certbot和which nginx查询
按住 shift+分号(打出冒号来)，然后输入 wq，回车。退出编辑文件状态。

以上含义是：每隔 7 天，夜里 3 点整自动执行检查续期命令一次。续期完成后，重启 nginx 服务。

---

5.6、重启 Cron 服务，使之生效

service crond restart

---

5.7、手动尝试 Certbot 证书更新

/bin/certbot renew

---

6.可能遇到的问题

https://blog.csdn.net/sinat_39595180/article/details/88120604