This is a cartoon ☁️ I photographed at the foot of the mountain while hiking Fuquan Mountain at Dongqian Lake, Ningbo, in mid-August.
Installing Let's Encrypt
My blog previously used a free Alibaba Cloud certificate. It is valid for only 3 months, and replacing it every time was a hassle, so this time I decided to switch to a Let's Encrypt certificate, which is free and can be renewed automatically.
The installation consists mainly of the following steps:
Install the Certbot tool
Obtain the SSL certificate
🛠️ Installing the Certbot tool
Update the system package list
yum update
Install Certbot and its Nginx plugin
yum install epel-release
yum install certbot python3-certbot-nginx
📝 Obtaining the SSL certificate
certbot --nginx -d fangyuzong.com -d www.fangyuzong.com
[root@iZbp18654sp3w5s8wrn9pmZ ~]# certbot --nginx -d fangyuzong.com -d www.fangyuzong.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): 2587241007@qq.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for fangyuzong.com and www.fangyuzong.com
Performing the following challenges:
http-01 challenge for fangyuzong.com
http-01 challenge for www.fangyuzong.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/fangyuzong.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/fangyuzong.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/fangyuzong.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/fangyuzong.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://fangyuzong.com and
https://www.fangyuzong.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: 2587241007@qq.com).
Starting new HTTPS connection (1): supporters.eff.org
An unexpected error occurred:
ConnectionError: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/fangyuzong.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/fangyuzong.com/privkey.pem
Your certificate will expire on 2025-11-24. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
[root@iZbp18654sp3w5s8wrn9pmZ ~]#
🔧 Verifying the certificate and configuration
🔄 Setting up automatic renewal
Test the renewal command
[root@iZbp18654sp3w5s8wrn9pmZ ~]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fangyuzong.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cannot extract OCSP URI from /etc/letsencrypt/archive/fangyuzong.com/cert1.pem
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Account registered.
Simulating renewal of an existing certificate for fangyuzong.com and www.fangyuzong.com
Performing the following challenges:
http-01 challenge for fangyuzong.com
http-01 challenge for www.fangyuzong.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/fangyuzong.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/fangyuzong.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Configure a scheduled task for automatic renewal
Before the certificate expires, Certbot will try to renew it automatically. To be safe, you can also add a scheduled task (cron job). Edit the crontab:
crontab -e
Add the following line, which checks every day at 2:30 a.m. and renews any certificate that is about to expire (--quiet means run silently and only print output when something needs attention):
30 2 * * * /usr/bin/certbot renew --quiet
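As an added example (not part of the original post), here is a small POSIX shell script that reports how many days remain on the issued certificate and fails when it is close to expiry, so a second cron entry or a monitoring check can catch a `certbot renew` that silently failed. It assumes GNU date and openssl are installed and uses the certificate path /etc/letsencrypt/live/fangyuzong.com/fullchain.pem from the certbot output above; the script name check_cert.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: report how many days remain on a
# certificate and exit non-zero when it is below a threshold, so a cron job or
# monitoring check can catch a renewal that silently failed.
# Assumes GNU date (for `date -d`) and openssl are installed.

# Print the notAfter field of a PEM certificate, e.g. "Nov 24 00:00:00 2025 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Whole days from "now" ($2, epoch seconds; defaults to the current time)
# until the date string in $1. Returns 1 if the date is empty or unparsable.
days_until() {
    [ -n "$1" ] || return 1
    end_epoch=$(date -u -d "$1" +%s 2>/dev/null) || return 1
    now_epoch=${2:-$(date -u +%s)}
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeed (exit 0) only if the certificate at $1 has more than $2 days left
# (default 30, which is roughly when certbot itself starts renewing).
cert_ok() {
    days=$(days_until "$(cert_not_after "$1")") || return 1
    echo "$1: $days days until expiry"
    [ "$days" -gt "${2:-30}" ]
}

# Usage (the path comes from the certbot output above):
#   sh check_cert.sh /etc/letsencrypt/live/fangyuzong.com/fullchain.pem 30
if [ $# -gt 0 ]; then
    cert_ok "$1" "${2:-30}" || echo "renewal needed: run 'certbot renew' and check /var/log/letsencrypt"
fi
```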
Wrapping up
Setup is complete; from now on there is no need to renew anything by hand, which is much more convenient.