Certbot certificate setup
Last updated: 2020/01/31 Published at: 2020/01/31
Renewing the certificate is a somewhat tedious process, so I am recording it here. I use the wildcard-certificate feature that certbot
offers and only ever request certificates manually; dnspod also does not seem to be supported by certbot's DNS plugins, so renewal has to be done by hand.
- Request the wildcard certificate. A wildcard needs the ACME v2 endpoint and the DNS-01 challenge; list the apex and the wildcard name together so one lineage covers both:

certbot certonly --preferred-challenges dns --manual \
    -d "example.com" -d "*.example.com" \
    --server https://acme-v02.api.letsencrypt.org/directory

- Add the DNS TXT record(s) as prompted. With two names certbot prompts twice, both for `_acme-challenge.example.com`; both TXT values must be present at the same time. Confirm the records have propagated (for example with `dig TXT _acme-challenge.example.com`) before pressing Enter, otherwise validation fails and the request must be repeated.
- Generate the certificate. Note that a lineage obtained with `--manual` is skipped by `certbot renew` unless a `--manual-auth-hook` is configured, which is why the steps here are repeated by hand at each renewal.
- Update the nginx certificate settings. The certificate is configured once at the top level so every server block inherits it; edit
# /etc/nginx/nginx.conf
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Both paths are symlinks into /etc/letsencrypt/live/<lineage>/; setting
    # them once here lets every server {} block inherit them.
    ssl_certificate /etc/ssl/certs/fullchain.pem;
    ssl_certificate_key /etc/ssl/certs/privkey.pem;

    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;
    # Forward-secret ECDHE suites first; RSA key exchange only as a fallback; MD5 excluded.
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:RSA+AES128:RSA+AES256:!MD5;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx >= 1.13 built against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}
- Create or update the symlinks. The `-0001` suffix means certbot created a second lineage for this domain because a lineage named `zwlinc.com` already existed, so run `certbot certificates` first to confirm which lineage holds the new certificate before pointing the links at it. The symlinks carry no permissions of their own; the target's permissions under /etc/letsencrypt apply, so privkey.pem stays readable by root only even though the link lives in /etc/ssl/certs. Finish with `nginx -t && nginx -s reload`, since nginx reads the certificate files only at startup or reload.

ln -snf /etc/letsencrypt/live/zwlinc.com-0001/fullchain.pem /etc/ssl/certs/fullchain.pem
ln -snf /etc/letsencrypt/live/zwlinc.com-0001/privkey.pem /etc/ssl/certs/privkey.pem
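The steps above end at the symlinks, but nothing on the page checks that the lineage being linked is actually the renewed one. The script below is an added example, not code from the original post: `check_lineage` verifies that a lineage directory holds a certificate that is still valid for a minimum number of days, whose SAN covers both the apex and `*.domain`, and whose privkey.pem matches fullchain.pem; `make_test_lineage` builds a constructed self-signed lineage with certbot's file names so the checks can be exercised offline. It assumes openssl(1) is installed; the lineage path, domain and 14-day threshold are illustrative.

```shell
#!/bin/sh
# Added post-renewal checks (example code, not part of the original post).
# Assumes openssl(1) is installed. Paths, domain and the 14-day threshold
# are illustrative; substitute your own.

# check_lineage DIR DOMAIN [MIN_DAYS]
# Returns 0 if DIR/fullchain.pem and DIR/privkey.pem form a usable
# apex+wildcard lineage for DOMAIN; each failed check has its own code.
check_lineage() {
    dir=$1
    domain=$2
    min_days=${3:-14}
    cert="$dir/fullchain.pem"
    key="$dir/privkey.pem"

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "check_lineage: missing fullchain.pem or privkey.pem in $dir" >&2
        return 1
    fi

    # 1. Expiry: -checkend succeeds only if the cert is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "check_lineage: certificate expires within $min_days days" >&2
        return 2
    fi

    # 2. Names: the SAN list is printed on the line after its header in -text output.
    san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
    case "$san" in
        *"DNS:*.$domain"*) ;;
        *) echo "check_lineage: no wildcard SAN for *.$domain" >&2; return 3 ;;
    esac
    case "$san" in
        *"DNS:$domain"*) ;;
        *) echo "check_lineage: no SAN for apex $domain" >&2; return 4 ;;
    esac

    # 3. Key/cert match: compare the public key extracted from each side.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "check_lineage: privkey.pem does not match fullchain.pem" >&2
        return 5
    fi
    return 0
}

# make_test_lineage DIR DOMAIN
# Constructed test data: a self-signed apex+wildcard cert valid for 90 days,
# written under certbot's file names so check_lineage can run offline.
make_test_lineage() {
    dir=$1
    domain=$2
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = $domain
[v3_san]
subjectAltName = DNS:$domain, DNS:*.$domain
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -config "$dir/san.cnf" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
}

# Stand-alone demo against the constructed lineage.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_test_lineage "$tmp" example.com
    check_lineage "$tmp" example.com 14 && echo "constructed lineage OK"
    rm -rf "$tmp"
fi
# After a real renewal (lineage path from the post), gate the reload on the checks:
#   check_lineage /etc/letsencrypt/live/zwlinc.com-0001 zwlinc.com 14 && nginx -t && nginx -s reload
```

Run with `--demo` to exercise the checks on the constructed lineage; for a real renewal call `check_lineage` on the `/etc/letsencrypt/live/<lineage>` directory before updating the symlinks, so a lineage that is expiring, lacks the wildcard name, or has a mismatched key never reaches nginx.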