本文介绍使用certbot为网站添加HTTPS支持,并自动更新

前提

  • docker
  • docker-compose

部署

克隆仓库

这一步必不可少,一定要按照作者的仓库目录结构来执行,完成后,可以自行更改nginx/conf.d下的配置文件。

具体原因我也不知,但是不照做,会出现一些奇怪的问题。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ mkdir -p /data
$ cd /data
$ git clone https://ghproxy.com/https://github.com/gcdd1993/nginx-certbot
$ cd nginx-certbot
$ ls -l
drwxr-xr-x 4 root root 4096 Jun  8 22:01 ./
drwxr-xr-x 5 root root 4096 Jun  8 21:49 ../
drwxr-xr-x 4 root root 4096 Jun  8 21:53 data/
-rw-r--r-- 1 root root  660 Jun  8 21:49 docker-compose.yml
drwxr-xr-x 8 root root 4096 Jun  8 21:49 .git/
-rw-r--r-- 1 root root   14 Jun  8 21:49 .gitignore
-rwxr-xr-x 1 root root 2286 Jun  8 22:01 init-letsencrypt.sh*
-rw-r--r-- 1 root root 1074 Jun  8 21:49 LICENSE
-rw-r--r-- 1 root root 1376 Jun  8 21:49 README.md

为域名添加证书

💡在这一步执行前,请确认已经将需要添加证书的域名指向本机公网IP,因为在执行过程中,会进行服务器所属权校验,需要访问你所操作的域名

1、修改init-letsencrypt.shemail为你的邮箱

1
2
3
4
$ vim init-letsencrypt.sh
...
email="gcwm99@gmail.com"
...

2、修改操作域名

1
2
$ sed -i 's/example.org/your_domain/g' data/nginx/app.conf \
	&& sed -i 's/example.org/your_domain/g' init-letsencrypt.sh

3、执行init-letsencrypt.sh

直到出现以下内容,说明已经完成

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$ ./init-letsencrypt.sh
...
Requesting a certificate for your_domain

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/your_domain/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/your_domain/privkey.pem
This certificate expires on 2021-09-06.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
* Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4、多域名操作

步骤同上,先修改域名为待操作域名,然后执行init-letsencrypt.sh

1
2
3
4
$ sed -i 's/your_domain/your_domain2/g' data/nginx/app.conf \
	&& sed -i 's/your_domain/your_domain2/g' init-letsencrypt.sh
$ ./init-letsencrypt.sh
...

5、启动你的网站

1
2
3
4
# 注释app.conf
$ cd data/nginx
$ mv app.conf app.conf.bak
# 添加你的网站配置

示例配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
upstream my.site {
    server localhost:8080;
}
server {
    server_name your_domain;

    proxy_read_timeout 600s;
    proxy_send_timeout 600s;

    location / {
        add_header X-Frame-Options deny;
        proxy_pass http://my.site;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    server_tokens off;
}
server {
    if ($host = your_domain) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name your_domain;
    listen 80;
    return 404; # managed by Certbot
}

更新证书

作者给出的docker-compose.yml已经默认12小时检查并更新一次,所以非常省心

1
2
3
4
5
$ docker exec -it nginx-certbot_certbot_1 certbot renew
...
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/your_domain/fullchain.pem expires on 2021-09-06 (skipped)
No renewals were attempted.

相关资料