Environment: CentOS 7 + nginx

1. Install:

```sh
yum install certbot python2-certbot-nginx
```

2. Create a wildcard certificate

```sh
certbot certonly -d '*.example.com' -d example.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
```

3. Automatic renewal (untested)
Wildcard certificates only support DNS validation, and the official plugins ship no sample for domestic (Chinese) DNS providers; luckily I found one on GitHub:
https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au

Request the certificate (`/脚本目录/` is a placeholder for the directory that holds the script):

```sh
certbot certonly -d '*.example.com' --manual --preferred-challenges dns --manual-auth-hook "/脚本目录/au.sh php aly add" --manual-cleanup-hook "/脚本目录/au.sh php aly clean"
```

Automatic renewal (add to crontab). gocron is recommended for managing scheduled jobs: https://github.com/ouqiang/gocron

```
1 1 1 * 1 root certbot-auto renew --manual --preferred-challenges dns --manual-auth-hook "/脚本目录/au.sh php aly add" --manual-cleanup-hook "/脚本目录/au.sh php aly clean"
1 1 2 * 1 root systemctl restart nginx
```
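The au.sh script referenced above is not reproduced here, so the following is an added example (not the page's au.sh, and not certbot's own code) of what such a hook has to do, covering both the DNS-01 issuance/renewal hooks in this section and the nginx reload that the second cron entry performs. `publish_txt` and `remove_txt` are hypothetical stand-ins for the DNS provider's API; the certificate paths follow section 4 of the page; everything else relies on documented certbot behaviour (the `CERTBOT_DOMAIN`, `CERTBOT_VALIDATION` and `RENEWED_LINEAGE` variables certbot exports to hooks). Two things the page's setup does not do are shown: waiting for the TXT record to actually propagate before returning to certbot, and checking the renewed certificate before reloading nginx instead of blindly restarting it.

```shell
#!/bin/sh
# Added example: one script that acts as certbot's manual-auth-hook ("add"),
# manual-cleanup-hook ("clean") and deploy-hook ("deploy").
# publish_txt/remove_txt are hypothetical; replace them with the DNS API in use.
#
# Variables certbot exports to the hooks:
#   CERTBOT_DOMAIN      domain being validated (certbot strips "*." for wildcards)
#   CERTBOT_VALIDATION  TXT value that must be served at _acme-challenge.<domain>
#   RENEWED_LINEAGE     (deploy hook) directory such as /etc/letsencrypt/live/example.com

# Name of the TXT record for a domain; strips a leading "*." defensively.
challenge_record_name() {
    printf '_acme-challenge.%s' "$(printf '%s' "$1" | sed 's/^\*\.//')"
}

# Resolver query used by the propagation check (kept separate so it can be stubbed).
lookup_txt() {
    dig +short TXT "$1" 2>/dev/null | tr -d '"'
}

# wait_for_txt NAME VALUE [TRIES] [DELAY]: return 0 once VALUE is visible in DNS.
# Returning to certbot before the record has propagated is the usual DNS-01 failure.
wait_for_txt() {
    tries=${3:-30}; delay=${4:-10}; i=0
    while [ "$i" -lt "$tries" ]; do
        lookup_txt "$1" | grep -qxF "$2" && return 0
        i=$((i + 1)); sleep "$delay"
    done
    return 1
}

# Hypothetical provider calls.
publish_txt() { echo "publish TXT $1 = $2" >&2; }
remove_txt()  { echo "remove TXT $1" >&2; }

# DNS names in a certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# cert_covers CERT NAME...: succeed only if every NAME is a SAN of CERT.
cert_covers() {
    c=$1; shift
    sans=$(cert_sans "$c")
    for n in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "$n" || return 1
    done
}

# valid_for_days CERT DAYS: succeed if CERT does not expire within DAYS.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Deploy step: reload nginx only if the new fullchain.pem covers the names nginx
# serves and the configuration still parses; an unconditional restart can take
# the site down after a bad renewal.
deploy() {
    cert="$RENEWED_LINEAGE/fullchain.pem"
    cert_covers "$cert" '*.example.com' 'example.com' \
        || { echo "$cert does not cover *.example.com and example.com" >&2; return 1; }
    valid_for_days "$cert" 30 \
        || { echo "$cert expires within 30 days" >&2; return 1; }
    nginx -t && systemctl reload nginx
}

case "${1:-}" in
    add)
        name=$(challenge_record_name "$CERTBOT_DOMAIN")
        publish_txt "$name" "$CERTBOT_VALIDATION"
        wait_for_txt "$name" "$CERTBOT_VALIDATION" \
            || { echo "TXT record for $name did not propagate" >&2; exit 1; }
        ;;
    clean)  remove_txt "$(challenge_record_name "$CERTBOT_DOMAIN")" ;;
    deploy) deploy ;;
esac
```

Wire it in with `--manual-auth-hook "/path/to/hook.sh add" --manual-cleanup-hook "/path/to/hook.sh clean" --deploy-hook "/path/to/hook.sh deploy"` on the `certbot certonly` command (path hypothetical). certbot records all three hooks in the lineage's renewal configuration, so the cron entry can be reduced to `certbot renew`, and the deploy step then runs only when a certificate was actually renewed, which removes the need for the separate nginx restart entry.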
    
4. nginx configuration

```nginx
server {
  listen 80;
  listen 443 ssl http2;
  ## change example.com to your own domain
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  ## TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 unless legacy clients require them
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_buffer_size 1400;
  add_header Strict-Transport-Security max-age=15768000;
  ssl_stapling on;
  ssl_stapling_verify on;
  ## change example.com to your own domain
  server_name *.example.com;
  access_log off;
  index index.html index.htm index.php;
  ## change example.com to your own domain
  root /data/wwwroot/example.com;
  ## redirect plain HTTP requests to HTTPS
  if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
  .......
}
```

Using acme.sh
| 1 | Install |