如果SSL证书成功获取,certbot将打印以下消息:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/linuxidc.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/linuxidc.com/privkey.pem
Your cert will expire on 2018-07-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
现在您已拥有证书文件,您可以按如下方式编辑域服务器块:
server {
listen 80;
server_name linuxize.com;
include snippets/letsencrypt.conf;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name ;
ssl_certificate /etc/letsencrypt/live/linuxidc.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/linuxidc.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/linuxidc.com/chain.pem;
include snippets/ssl.conf;
return 301 https://linuxidc.com$request_uri;
}
server {
listen 443 ssl http2;
server_name linuxidc.com;
# . . . other code
ssl_certificate /etc/letsencrypt/live/linuxidc.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/linuxidc.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/linuxidc.com/chain.pem;
include snippets/ssl.conf;
# . . . other code
}
通过上面的配置,我们强制HTTPS并从www重定向到非www版本。
最后,重新加载Nginx服务以使更改生效:
sudo systemctl reload nginx
SSL证书自动续订
让我们加密的证书有效期为90天。 要在证书过期前自动续订证书,我们将创建一个每天运行两次的cronjob,并在证书到期前30天自动更新证书。
运行crontab命令来创建一个新的cronjob:
sudo crontab -e
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"
要测试续订过程,您可以使用certbot --dry-run开关:
sudo certbot renew --dry-run
如果没有错误,则意味着更新过程成功。