Requirement: issue a certificate for the domain
At the registrar where the domain is registered, change its DNS servers to DNSPod's; then add the domain in DNSPod.
Obtain a DNSPod API key and copy the SecretId / SecretKey for later use.
URL: https://console.dnspod.cn/account/token/apikey
Install the Certbot tool:
apt install certbot
Install the TCCLI tool:
apt install python3-pip && pip install tccli
Configure TCCLI:
tccli configure --profile certbot
# The command prompts, in order, for:
#   SecretId  - paste the cloud API SecretId
#   SecretKey - paste the cloud API SecretKey
#   region    - no need to change, default ap-guangzhou
#   output    - no need to change, default json
Install the certbot-dns-dnspod plugin (a hook script that drives the DNSPod API through the tccli profile above):
curl -L https://cdn.jsdelivr.net/gh/openbunny/certbot-dns-dnspod/dnspod.sh -o /usr/local/bin/dnspod
# Review the downloaded script before installing it: it runs with your DNSPod API credentials.
chmod +x /usr/local/bin/dnspod
# If your shell still cannot find the script, create a symbolic link
ln -s /usr/local/bin/dnspod /usr/bin/dnspod
Issue the certificate:
certbot certonly --manual --preferred-challenges=dns --manual-auth-hook "dnspod" --manual-cleanup-hook "dnspod clean" -d *.domain.name -d domain.name
Manual renewal:
certbot renew --manual --preferred-challenges=dns --manual-auth-hook "dnspod" --manual-cleanup-hook "dnspod clean"
Scheduled renewal with a crontab job:
sudo crontab -e
# Add the line below. This is root's per-user crontab, so unlike /etc/crontab it has no
# user column: do not put "root" in front of the command. Cron's default PATH is usually
# /usr/bin:/bin, which is why the /usr/bin symlink above (or an absolute path to the hook) is needed.
30 0 * * * certbot renew --manual --preferred-challenges=dns --manual-auth-hook "dnspod" --manual-cleanup-hook "dnspod clean" --deploy-hook "nginx -t && systemctl restart nginx"
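The steps above rely on the downloaded dnspod script to do the DNS-01 work. The script below is an added example, not the openbunny script and not part of the original notes: it shows what a --manual-auth-hook / --manual-cleanup-hook pair has to do with the CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_AUTH_OUTPUT variables that certbot documents, using the "certbot" tccli profile configured above. The DNSPod API 3.0 action and parameter names (CreateRecord, DeleteRecord, --Domain, --SubDomain, --RecordLine 默认, --TTL), the position of --profile, the Response.RecordId field, and the "last two labels" zone guess are assumptions to verify against "tccli dnspod CreateRecord help" before use. Set DNSPOD_DRY_RUN=1 to see the tccli commands without touching DNS.

```shell
#!/bin/sh
# Added example: a minimal DNS-01 hook pair for certbot --manual, built on the
# tccli "certbot" profile. Not the openbunny dnspod.sh script; API action and
# parameter names are assumed from the DNSPod API 3.0 docs.
#
# certbot usage (hypothetical install path):
#   --manual-auth-hook "/usr/local/bin/dnspod-hook.sh" \
#   --manual-cleanup-hook "/usr/local/bin/dnspod-hook.sh clean"
set -eu

# Split the name certbot hands us into the DNSPod zone and the relative
# subdomain of the TXT record. Certbot passes "example.com" for
# "*.example.com"; a leading "*." is stripped anyway. The zone defaults to
# the last two labels (an assumption that is wrong for e.g. example.co.uk);
# pass it explicitly as $2 (or DNSPOD_ZONE) in that case.
split_challenge() {
  fqdn=${1#\*.}
  zone=${2:-$(printf '%s' "$fqdn" | awk -F. '{print $(NF-1)"."$NF}')}
  if [ "$fqdn" = "$zone" ]; then
    sub=_acme-challenge
  else
    sub=_acme-challenge.${fqdn%".$zone"}
  fi
  printf '%s %s\n' "$zone" "$sub"
}

# Run a DNSPod API action through tccli, or print it in dry-run mode.
tccli_call() {
  if [ "${DNSPOD_DRY_RUN:-0}" = 1 ]; then
    printf 'tccli dnspod %s --profile certbot\n' "$*"
  else
    tccli dnspod "$@" --profile certbot
  fi
}

# Poll DNS until the TXT record is visible: certbot --manual does not wait
# for propagation, so the auth hook has to, or validation fails.
wait_for_txt() {
  name=$1; want=$2; tries=0
  until dig +short TXT "$name" | grep -q "$want"; do
    tries=$((tries + 1))
    if [ "$tries" -ge 30 ]; then
      echo "TXT record for $name not visible after 5 minutes" >&2
      return 1
    fi
    sleep 10
  done
}

# Auth hook: certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION. Whatever this
# hook prints is handed to the cleanup hook as CERTBOT_AUTH_OUTPUT, so the
# RecordId is printed for deletion later.
auth_hook() {
  zone=$(split_challenge "$CERTBOT_DOMAIN" ${DNSPOD_ZONE:-} | cut -d' ' -f1)
  sub=$(split_challenge "$CERTBOT_DOMAIN" ${DNSPOD_ZONE:-} | cut -d' ' -f2)
  out=$(tccli_call CreateRecord --Domain "$zone" --SubDomain "$sub" \
        --RecordType TXT --RecordLine 默认 --Value "$CERTBOT_VALIDATION" --TTL 600)
  if [ "${DNSPOD_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$out"
    return 0
  fi
  # Response.RecordId is the field name assumed for the CreateRecord reply.
  record_id=$(printf '%s' "$out" | python3 -c 'import json,sys; print(json.load(sys.stdin)["Response"]["RecordId"])')
  wait_for_txt "$sub.$zone" "$CERTBOT_VALIDATION"
  printf '%s\n' "$record_id"
}

# Cleanup hook: delete the record whose id the auth hook printed.
cleanup_hook() {
  zone=$(split_challenge "$CERTBOT_DOMAIN" ${DNSPOD_ZONE:-} | cut -d' ' -f1)
  tccli_call DeleteRecord --Domain "$zone" --RecordId "$CERTBOT_AUTH_OUTPUT"
}

# Dispatch only when certbot invoked us (CERTBOT_DOMAIN is set); sourcing the
# file otherwise just defines the functions.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  case "${1:-}" in
    clean) cleanup_hook ;;
    *) auth_hook ;;
  esac
fi
```

Two design points worth noting: the record id travels from the auth hook to the cleanup hook through stdout, which is the only channel certbot guarantees between the two invocations, and the propagation wait lives in the hook because certbot's manual mode asks the ACME server to validate immediately after the hook returns.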
Requirement: serve the whole site over https://domain.name
Configuration file path: /etc/nginx/sites-enabled/default
# HTTP: redirect every request to HTTPS
server {
    listen 80;
    server_name domain.name;
    rewrite ^(.*) https://$server_name$1 permanent;
}
# HTTPS
server {
    listen 443 ssl http2;
    server_name domain.name www.domain.name;
    root /home/judge/src/web;
    index index.php index.htm index.nginx-debian.html;
    ssl_certificate /etc/letsencrypt/live/domain.name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.name/privkey.pem;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }
}
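The TLS directives in the server block above are worth a second look before going live: TLSv1.1 is deprecated by RFC 8996, the AES and HIGH aliases in ssl_ciphers admit RSA-key-exchange suites (no forward secrecy) and CBC suites, and "global HTTPS" is only complete once browsers are told to stop trying plain HTTP (HSTS). The script below is an added example, not part of the original notes: it audits those directives in a config fragment and shows the weak settings from the page beside a hardened set based on a subset of the Mozilla intermediate profile. The sample fragments are constructed inline; the finding rules and the hardened directives are the author's choices, not nginx defaults.

```shell
#!/bin/sh
# Added example: audit the ssl_protocols / ssl_ciphers / HSTS settings of an
# nginx config fragment and compare the page's directives with hardened ones.
set -eu

# Protocols deprecated by RFC 8996 (TLS 1.0 and 1.1), plus SSLv3.
WEAK_PROTOCOLS='SSLv3 TLSv1 TLSv1.1'

# Print one finding per line for the file in $1; return 0 only when clean.
audit_nginx_tls() {
  conf=$1; findings=0
  protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p' "$conf")
  for have in $protos; do
    case " $WEAK_PROTOCOLS " in
      *" $have "*)
        echo "ssl_protocols: $have is deprecated (RFC 8996)"
        findings=$((findings + 1)) ;;
    esac
  done
  ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\([^;]*\);.*/\1/p' "$conf")
  old_ifs=$IFS; IFS=:
  for tok in $ciphers; do
    case "$tok" in
      AES|HIGH)
        echo "ssl_ciphers: '$tok' is a broad OpenSSL alias that admits RSA key exchange (no forward secrecy) and CBC suites"
        findings=$((findings + 1)) ;;
    esac
  done
  IFS=$old_ifs
  if ! grep -q 'Strict-Transport-Security' "$conf"; then
    echo "no Strict-Transport-Security header: browsers may still try plain HTTP first"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample 1: the directives as written in the server block above.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;
EOF

# Constructed sample 2: hardened replacement (subset of the Mozilla intermediate
# cipher list: ECDHE only, AEAD only; TLS 1.2+; HSTS for two years).
HARD_CONF=$(mktemp)
cat >"$HARD_CONF" <<'EOF'
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=63072000" always;
EOF

echo "== page directives =="
audit_nginx_tls "$WEAK_CONF" || echo "(findings above)"
echo "== hardened directives =="
audit_nginx_tls "$HARD_CONF" && echo "clean"
```

Drop the hardened directives into the 443 server block in place of the ssl_ciphers / ssl_protocols lines, run nginx -t, and only then add the HSTS header: once a browser has seen it, the site cannot fall back to plain HTTP for the max-age period, so the certificate renewal path above must already be working.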