Check the CentOS version
$ cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)
Check the python and nginx versions
$ python -V
Python 2.7.5
$ nginx -v
nginx version: nginx/1.26.1
This server already ships with python 2.7.5; if yours does not, install it:
sudo yum install python27
Upgrade pip and install certbot
pip install --upgrade pip
pip install certbot
# Check that certbot is usable; normal output means pip installed the latest certbot
certbot certificates
Generate the certificate
sudo certbot certonly --standalone -d blog.xxx.com --email your-email-address
Error: "Problem binding to port 80: Could not bind to IPv4 or IPv6." This happens because port 80 is already in use:
netstat -tlnp | grep 80
service nginx stop
Then generate the certificate again.
In the server configuration file, point to your certificate.
For example, in the nginx configuration for your domain:
server {
    listen 80;
    server_name blog.xxx.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name blog.xxx.com;
    root /usr/share/nginx/html/hugo-stack-blog/public;
    index index.html;
    ssl_certificate /etc/letsencrypt/live/blog.xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.xxx.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
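The server block above carries the settings that actually decide the security of the site: only TLS 1.2/1.3 enabled, HSTS sent with `always`, and the private key referenced from /etc/letsencrypt/live. The script below is an added example, not part of the original post or of certbot/nginx; it lints a server block for those settings and checks that the private key file is not readable by other users. The config files, the placeholder key files and the domain blog.example.com are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): lint an nginx TLS server block
# for the hardening settings shown above, and check the private key's mode.
# All file contents, paths and the domain used here are constructed.

# check_tls_config FILE
# Returns 0 if FILE lists only modern protocols, sets HSTS with "always",
# and names a certificate and key; prints the first problem and returns 1 otherwise.
check_tls_config() {
    conf="$1"
    # ssl_protocols must be set explicitly; the nginx default still allows TLS 1.0/1.1
    if ! grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]' "$conf"; then
        echo "$conf: ssl_protocols not set"
        return 1
    fi
    # Reject any legacy version listed on the ssl_protocols line
    if ! awk 'BEGIN{bad=0}
        $1=="ssl_protocols"{for(i=2;i<=NF;i++){v=$i; sub(/;$/,"",v);
            if(v=="SSLv3"||v=="TLSv1"||v=="TLSv1.1") bad=1}}
        END{exit bad}' "$conf"; then
        echo "$conf: legacy protocol enabled in ssl_protocols"
        return 1
    fi
    # HSTS must be present and marked "always" so it is also sent on error responses
    if ! grep -Eq 'add_header[[:space:]]+Strict-Transport-Security[[:space:]]+"max-age=[0-9]+[^"]*"[[:space:]]+always' "$conf"; then
        echo "$conf: Strict-Transport-Security header missing or not marked always"
        return 1
    fi
    # Both certificate directives must point at an absolute path
    for d in ssl_certificate ssl_certificate_key; do
        if ! grep -Eq "^[[:space:]]*$d[[:space:]]+/" "$conf"; then
            echo "$conf: $d directive missing"
            return 1
        fi
    done
    return 0
}

# check_key_perms FILE
# Returns 0 if FILE exists and has no group/other permission bits (mode 0600 or stricter).
check_key_perms() {
    key="$1"
    [ -f "$key" ] || { echo "$key: missing"; return 1; }
    # Columns 5-10 of ls -l are the group and other permission characters
    mode="$(ls -ld "$key" | cut -c5-10)"
    if [ "$mode" != "------" ]; then
        echo "$key: readable by group or others (expected mode 0600)"
        return 1
    fi
    return 0
}

# Constructed sample files in a temporary directory
WORK="$(mktemp -d)"
GOOD_CONF="$WORK/good.conf"
WEAK_CONF="$WORK/weak.conf"
KEY_OK="$WORK/privkey-ok.pem"
KEY_BAD="$WORK/privkey-bad.pem"

# Constructed block mirroring the hardened settings from the post
cat >"$GOOD_CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name blog.example.com;
    ssl_certificate /etc/letsencrypt/live/blog.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF

# Constructed weak block: TLS 1.0/1.1 still enabled, HSTS not sent with "always"
cat >"$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name blog.example.com;
    ssl_certificate /etc/letsencrypt/live/blog.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000";
}
EOF

# Placeholder key files (not real keys); only their modes matter here
echo "placeholder" >"$KEY_OK";  chmod 600 "$KEY_OK"
echo "placeholder" >"$KEY_BAD"; chmod 644 "$KEY_BAD"

check_tls_config "$GOOD_CONF" && echo "$GOOD_CONF: ok"
check_tls_config "$WEAK_CONF" || true
check_key_perms "$KEY_OK" && echo "$KEY_OK: ok"
check_key_perms "$KEY_BAD" || true
```

Run it against a real site by calling `check_tls_config /etc/nginx/conf.d/blog.conf` and `check_key_perms /etc/letsencrypt/live/blog.xxx.com/privkey.pem` (in a standard certbot layout privkey.pem is a symlink into /etc/letsencrypt/archive, whose directory is itself root-only). The lint only reads the file, so it is safe to add to a deploy check before `nginx -t` and a reload.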
Manual renewal
sudo certbot certificates //check the certificate validity period
sudo systemctl stop nginx //stop nginx to free the port
sudo certbot renew //renew the certificate
sudo systemctl restart nginx //restart nginx
sudo certbot certificates
Renew the certificate on a schedule with crontab
# List the current user's scheduled tasks
$ crontab -l
# Run as root to list the scheduled tasks of every user
$ cat /etc/passwd | cut -f 1 -d : | xargs -I {} crontab -l -u {}
# Edit the crontab
$ crontab -e
# Add the following line (midnight on the 1st day of every third month; the standalone
# authenticator needs port 80, so nginx is stopped first and restarted afterwards)
0 0 1 */3 * sudo systemctl stop nginx && certbot -q renew --renew-hook "systemctl restart nginx" && systemctl restart nginx