Ubuntu/Nginx | Automating HTTPS certificate renewal with Certbot

1. Point your domain's DNS record at server A

2. Install Certbot

Log in to server A

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot 
$ certbot --version   # verify the installation succeeded

3. Issue the certificate

If something is already listening on port 443, stop it first (the standalone authenticator needs to bind that port for the challenge).

$ certbot certonly   # starts the interactive issuance shown below

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)

Select the appropriate number [1-2] then [enter] 
(press 'c' to cancel): 1  
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected] 

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
(A)gree/(C)ancel: A

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
(Y)es/(N)o: Y
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): you.domain.com   # the domain you pointed at this server in step 1

Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for you.domain.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/you.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/you.domain.com/privkey.pem
   Your cert will expire on 2019-01-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


my-server$ ls /etc/letsencrypt/live/you.domain.com/   # certificate directory
cert.pem  chain.pem  fullchain.pem  privkey.pem  README   

Seeing "Congratulations" means the certificate was issued; the files can be inspected under /etc/letsencrypt/live/you.domain.com/.

4. Configure the nginx server block

server {
    listen 80;
    listen 443 ssl;
    # must be the domain the certificate was issued for (you.domain.com in the steps above)
    server_name jenkins.dev.school.thoughtworks.cn;
    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $http_host;
    }

    # the live/ paths are symlinks that Certbot repoints on every renewal; reference them, not archive/
    ssl_certificate /etc/letsencrypt/live/you.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/you.domain.com/privkey.pem; # managed by Certbot
    ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
    ssl_session_timeout 1440m; # managed by Certbot

    # TLSv1 and TLSv1.1 are deprecated; on a current nginx/OpenSSL prefer "TLSv1.2 TLSv1.3"
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # managed by Certbot
    ssl_prefer_server_ciphers on; # managed by Certbot

    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; # managed by Certbot

    # redirect plain-HTTP requests arriving on port 80 to HTTPS
    if ($scheme != "https") {
        return 301 https://$server_name$request_uri;
    } # managed by Certbot
}

5. Schedule automatic renewal

crontab -e

Add this line:
0 3 */7 * * /bin/certbot renew --renew-hook "/etc/init.d/nginx reload"
This runs the renewal check every 7 days at 03:00; once a renewal completes, the hook reloads nginx so it picks up the new certificate (newer Certbot releases name this option --deploy-hook, and the old name still works).

sudo service cron restart
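Added example (not part of the original post): a small evaluator for the cron line from step 5, showing which calendar days `0 3 */7 * *` actually fires on and the shortest and longest gap between renewal checks. The point for a practitioner is that the longest gap must stay well below the 30-day window in which `certbot renew` is willing to act; the code assumes Vixie cron semantics and constructs its own date range.

```python
from datetime import date, timedelta
CRON_LINE = "0 3 */7 * *"   # the crontab entry from step 5
RENEWAL_WINDOW_DAYS = 30    # certbot renew only acts when fewer than 30 days remain (its default)

def field_matches(field: str, value: int, lo: int, hi: int) -> bool:
    """Evaluate one cron field (*, */step, a, a-b, a-b/step, comma lists) against a value."""
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False

def fire_dates(cron_line: str, start_iso: str, days: int) -> list:
    """Calendar days in [start, start + days) on which the cron line fires (Vixie cron rules)."""
    _minute, _hour, dom, month, dow = cron_line.split()
    start = date.fromisoformat(start_iso)
    fired = []
    for i in range(days):
        d = start + timedelta(days=i)
        cron_dow = (d.weekday() + 1) % 7   # cron counts Sunday as 0, Python counts Monday as 0
        dom_ok = field_matches(dom, d.day, 1, 31)
        dow_ok = field_matches(dow, cron_dow, 0, 6)
        # Vixie cron: when neither day field starts with '*', a day matches if EITHER field matches
        if not dom.startswith("*") and not dow.startswith("*"):
            day_ok = dom_ok or dow_ok
        else:
            day_ok = dom_ok and dow_ok
        if day_ok and field_matches(month, d.month, 1, 12):
            fired.append(d)
    return fired

def gap_days(dates: list) -> tuple:
    """(shortest, longest) number of days between consecutive firings."""
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    return min(gaps), max(gaps)

if __name__ == "__main__":
    runs = fire_dates(CRON_LINE, "2019-01-01", 90)   # constructed window: first quarter of 2019
    shortest, longest = gap_days(runs)
    print(f"gaps of {shortest}..{longest} days; longest must stay well below {RENEWAL_WINDOW_DAYS}")
```

Because `*/7` is evaluated against the day of the month, the checks land on the 1st, 8th, 15th, 22nd and 29th, so the gap is sometimes only 3 days and never more than 7, which is comfortably inside the renewal window.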


Reposted from blog.csdn.net/weixin_34293246/article/details/90924245