Zwlin's Blog

Certbot certificate settings

2020/01/31

Renewing the certificate takes several manual steps, so I am recording them here. I use Certbot's wildcard-certificate feature, which I only know how to request by hand, and DNSPod does not appear to be supported by any of the DNS plugins Certbot ships, so renewal has to be done manually as well. Two consequences worth knowing up front: Let's Encrypt only issues wildcards through the DNS-01 challenge, and a certificate obtained with the manual plugin is skipped by an unattended certbot renew run unless a --manual-auth-hook script is supplied, so the 90-day expiry has to be tracked by hand.

  1. Request the wildcard certificate. Wildcards are only issued from the ACME v2 endpoint, and a wildcard name does not cover the bare apex, so both names are listed:
     certbot certonly --manual --preferred-challenges dns \
       -d "example.com" -d "*.example.com" \
       --server https://acme-v02.api.letsencrypt.org/directory
  2. Add the DNS TXT records Certbot prompts for. It asks for one record per requested name, and for example.com and *.example.com both live at the same label, _acme-challenge.example.com, so leave the first record in place while adding the second. Check that they have propagated (for example with dig +short TXT _acme-challenge.example.com) before letting Certbot continue.
  3. Certbot validates the records and writes the certificate under /etc/letsencrypt/live/<cert name>/.
  4. Update nginx's certificate settings. The certificate is declared once in the top-level http block, so every server block inherits it; edit:
 # /etc/nginx/nginx.conf
 http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;

     # Fixed paths; the symlinks in the next step point them at the current
     # Let's Encrypt lineage, so this file never changes on renewal.
     ssl_certificate       /etc/ssl/certs/fullchain.pem;
     ssl_certificate_key   /etc/ssl/certs/privkey.pem;

     ssl_session_timeout 5m;
     ssl_prefer_server_ciphers on;
     # OpenSSL drops cipher-list entries it does not recognise, so the
     # non-standard CHACHA20-draft alias is harmless on stock builds.
     ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
     # TLS 1.0 and 1.1 are deprecated (RFC 8996); "TLSv1.2 TLSv1.3" is the
     # modern choice (TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+).
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';

     access_log  /var/log/nginx/access.log  main;

     sendfile        on;
     #tcp_nopush     on;

     keepalive_timeout  65;

     #gzip  on;

     include /etc/nginx/conf.d/*.conf;
 }
  5. Create or update the symlinks so the fixed paths follow the new lineage. The -0001 suffix is what Certbot appends when a lineage of that name already exists; passing --cert-name to certonly keeps the path stable. Linking does not change the target's permissions: privkey.pem under /etc/letsencrypt/archive stays readable by root only, which is fine because the nginx master process loads the key as root before handing connections to its workers. nginx reads certificates at startup and on reload, not per request, so finish with nginx -t && nginx -s reload.
     ln -snf /etc/letsencrypt/live/zwlinc.com-0001/fullchain.pem /etc/ssl/certs/fullchain.pem
     ln -snf /etc/letsencrypt/live/zwlinc.com-0001/privkey.pem /etc/ssl/certs/privkey.pem
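Steps 1 to 5 boil down to "get a new lineage, repoint the links, reload". The script below is an added example and not part of the original post: it repoints the two links atomically, refuses to proceed if a source file is missing, and offers checks a practitioner wants before reloading, namely that the certificate and key are a pair, that the wildcard SAN actually made it into the certificate, and how many days remain before the manual renewal is due. The lineage path under /etc/letsencrypt/live, the /etc/ssl/certs destination, and all function names are this example's assumptions; the openssl, GNU date and nginx calls are only needed on the real server.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the layout used above:
# a Certbot lineage under /etc/letsencrypt/live/<name>/ and nginx reading the
# fixed paths /etc/ssl/certs/fullchain.pem and /etc/ssl/certs/privkey.pem.
set -eu

# Succeed only if the certificate and key are a pair, by comparing the
# SubjectPublicKeyInfo each one carries. Needs openssl.
cert_matches_key() {
  cert="$1"; key="$2"
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Print the leaf certificate's DNS SANs, one per line, so the caller can
# confirm the wildcard is really present. Needs openssl.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^ *DNS://'
}

# Whole days until the leaf certificate expires. Needs openssl and GNU date.
days_until_expiry() {
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# Repoint $dest_dir/fullchain.pem and privkey.pem at $live_dir.
# Every source is checked before anything is touched, and each link is
# created under a temporary name and renamed over the old one, so a reload
# racing with this script sees either the old link or the new one, never none.
install_symlinks() {
  live_dir="$1"; dest_dir="$2"
  for name in fullchain.pem privkey.pem; do
    if [ ! -e "$live_dir/$name" ]; then
      echo "install_symlinks: $live_dir/$name not found, leaving links untouched" >&2
      return 1
    fi
    if [ -d "$dest_dir/$name" ]; then
      echo "install_symlinks: $dest_dir/$name is a directory, refusing to rename over it" >&2
      return 1
    fi
  done
  for name in fullchain.pem privkey.pem; do
    ln -sfn "$live_dir/$name" "$dest_dir/.$name.tmp"
    mv -f "$dest_dir/.$name.tmp" "$dest_dir/$name"
  done
}

# Reload nginx only if the linked pair matches and the config still parses.
# Needs nginx and openssl; intended to run as root.
reload_nginx_if_valid() {
  dest_dir="$1"
  cert_matches_key "$dest_dir/fullchain.pem" "$dest_dir/privkey.pem" || {
    echo "certificate and key do not match; not reloading" >&2
    return 1
  }
  nginx -t && nginx -s reload
}
```

Typical use on the server, after certbot certonly has produced the new lineage: install_symlinks /etc/letsencrypt/live/zwlinc.com-0001 /etc/ssl/certs && reload_nginx_if_valid /etc/ssl/certs, then cert_sans /etc/ssl/certs/fullchain.pem to confirm *.zwlinc.com is listed and days_until_expiry /etc/ssl/certs/fullchain.pem to know when the next manual round is due. The temporary-link-then-rename dance is what makes the swap safe against a concurrent reload; a bare ln -snf briefly unlinks the old name first.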