辛治国 posted on 2020-4-30 11:17:00

Using Certbot to automatically obtain and renew a free wildcard certificate with Alibaba Cloud DNS

<h2 id="背景">Background</h2>
<p>Certbot can obtain Let's Encrypt wildcard certificates automatically, but the official DNS plugins do not support Alibaba Cloud. A search on GitHub turned up an existing Alibaba Cloud DNS plugin, so a free wildcard certificate with automatic renewal only needs the simple configuration below.</p>
<h2 id="安装-certbot-和-certbot-dns-aliyun">Install Certbot and certbot-dns-aliyun</h2>
<p><strong>This guide is based on CentOS 7</strong></p>
<ol>
<li>
<p>Install Python 3 first</p>
<pre><code class="language-bash">yum install -y python36
</code></pre>
</li>
<li>
<p>Create and activate a virtual environment</p>
<pre><code class="language-bash">mkdir -p /mnt/certbot
cd /mnt/certbot
python3 -m venv venv
source venv/bin/activate
</code></pre>
</li>
<li>
<p>Install Certbot and certbot-dns-aliyun</p>
<pre><code class="language-bash">pip install certbot certbot-nginx certbot-dns-aliyun
</code></pre>
</li>
</ol>
<h2 id="申请并配置阿里云-dns-访问密钥">Request and configure an Alibaba Cloud DNS access key</h2>
<p>Go to https://ram.console.aliyun.com, create an Alibaba Cloud RAM sub-account and grant it the <code>AliyunDNSFullAccess</code> permission. Then create an AccessKey for the sub-account and record it.</p>
<p>Create the certbot-dns-aliyun configuration file:</p>
<pre><code class="language-bash">cat &gt; /mnt/certbot/credentials.ini &lt;&lt;EOF
certbot_dns_aliyun:dns_aliyun_access_key = 12345678
certbot_dns_aliyun:dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef
EOF
</code></pre>
<p>Restrict the file permissions, since the file holds the AccessKey:</p>
<pre><code class="language-bash">chmod 600 /mnt/certbot/credentials.ini
</code></pre>
<h2 id="申请证书">Request the certificate</h2>
<pre><code class="language-bash">/mnt/certbot/venv/bin/certbot certonly \
-a certbot-dns-aliyun:dns-aliyun \
--certbot-dns-aliyun:dns-aliyun-credentials /mnt/certbot/credentials.ini \
-d yourdomain.com \
-d "*.yourdomain.com"
</code></pre>
<p>Configure automatic renewal:</p>
<pre><code class="language-bash">echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' &amp;&amp; /mnt/certbot/venv/bin/certbot renew -q" | sudo tee -a /etc/crontab &gt; /dev/null
</code></pre>
<h2 id="配置-nginx">Configure nginx</h2>
<p>Write a shared header snippet. The heredoc delimiter is quoted so that the shell does not expand nginx's <code>$scheme</code> and <code>$server_name</code> variables to empty strings when writing the file:</p>
<pre><code class="language-bash">cat &gt; /etc/nginx/conf.d/nginx.header &lt;&lt;'EOF'
listen 80;
listen 443 ssl;
if ($scheme != https) {
    rewrite ^/(.*) https://$server_name/$1 permanent;
}
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
EOF
</code></pre>
<pre><code class="language-bash">cat &gt; /etc/nginx/conf.d/yourdomain.com.conf &lt;&lt;EOF
server {
    server_nameyourdomain.com;
    include      /etc/nginx/conf.d/nginx.header;

    location / {
      proxy_set_headerHost $host;
      proxy_set_headerX-Real-IP $remote_addr;
      proxy_set_headerX-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_headerX-Forwarded-Proto $scheme;

      proxy_pass http://127.0.0.1:8080;
    }
}
EOF
</code></pre><br><br>
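<p>As an added pre-flight check for the setup above (this is not part of the original post; the default paths are the ones used in the post and can be overridden through environment variables), the script below verifies that the file holding the DNS AccessKey is locked down and complete, that the cron job for renewal exists, and how many days the issued certificate has left, and then exercises the DNS plugin end to end with a dry run against the staging CA:</p>

```bash
#!/usr/bin/env bash
# Pre-flight checks for the Certbot + certbot-dns-aliyun setup described above.
# Added example, not part of the original post; defaults follow the post's paths.
set -u
CREDS="${CREDS:-/mnt/certbot/credentials.ini}"
CERTBOT="${CERTBOT:-/mnt/certbot/venv/bin/certbot}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/yourdomain.com}"

# The AccessKey carries AliyunDNSFullAccess, so the file must be mode 600 and
# must contain both keys the plugin reads. Returns 0 if acceptable, else 1.
check_credentials() {
    local f="$1" mode
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "$f has mode $mode, want 600" >&2; return 1; }
    grep -q '^certbot_dns_aliyun:dns_aliyun_access_key *=' "$f" \
        || { echo "$f lacks dns_aliyun_access_key" >&2; return 1; }
    grep -q '^certbot_dns_aliyun:dns_aliyun_access_key_secret *=' "$f" \
        || { echo "$f lacks dns_aliyun_access_key_secret" >&2; return 1; }
}

# Returns 0 if the given crontab file contains a "certbot renew" job.
cron_has_renew() {
    grep -q 'certbot renew' "$1"
}

# Prints whole days until the certificate in $1 expires (openssl + GNU date).
cert_days_left() {
    local end_date end_ts
    end_date=$(openssl x509 -enddate -noout -in "$1")
    end_ts=$(date -d "${end_date#notAfter=}" +%s)
    echo $(( (end_ts - $(date +%s)) / 86400 ))
}

main() {
    local rc=0
    check_credentials "$CREDS" || rc=1
    [ -x "$CERTBOT" ] || { echo "certbot not found at $CERTBOT" >&2; rc=1; }
    cron_has_renew /etc/crontab || { echo "no 'certbot renew' job in /etc/crontab" >&2; rc=1; }
    if [ -f "$LIVE_DIR/fullchain.pem" ]; then
        echo "days until expiry: $(cert_days_left "$LIVE_DIR/fullchain.pem")"
    else
        echo "no certificate yet in $LIVE_DIR" >&2; rc=1
    fi
    # Dry run: exercises the DNS plugin end to end against the staging CA.
    if [ "$rc" -eq 0 ]; then "$CERTBOT" renew --dry-run || rc=1; fi
    return "$rc"
}

case "${1:-}" in run) main ;; esac
```

Run the checks with <code>bash preflight.sh run</code>; sourcing the file instead only defines the functions, so individual checks can be called on their own.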
Source: https://www.cnblogs.com/bbling/p/12807642.html