1. 检查 Certbot 是否已安装
# exit status 0 when a certbot binary is on PATH (`command -v certbot` is the portable equivalent)
which certbot
2. 安装 Certbot
2.1 启用 EPEL 仓库(如果尚未启用):
# EPEL is the repository the certbot packages installed in the next step come from
sudo yum install epel-release
2.2 安装 Certbot 和 Nginx 插件:
# certbot itself plus the nginx plugin used by `certbot --nginx` in step 3
sudo yum install certbot python3-certbot-nginx
2.3 验证安装是否成功:
# prints the installed version; confirms the package is usable before requesting a certificate
certbot --version
2.4 使用 Certbot 自动化脚本(如果不使用包管理器)
# NOTE(review): get.acme.sh is the installer for acme.sh, a separate ACME client, not for Certbot.
# `sudo` here elevates only curl; the piped `sh` runs the downloaded script as the invoking user
# without it ever being inspected. Prefer: download to a file, read it, then run it.
sudo curl https://get.acme.sh | sh
3. 使用 Certbot Nginx 插件
# interactive: the nginx plugin both obtains the certificate and edits the nginx config to use it
sudo certbot --nginx
4.1 使用 certbot 生成证书(执行下面命令时 80 端口不能被占用):
# standalone authenticator: certbot binds port 80 itself for the http-01 challenge,
# so nginx (or anything else on :80) must be stopped while this runs.
# Only colourful.run is requested here; the nginx examples below use server_name
# www.colourful.run — add `-d www.colourful.run` if that name must be covered too.
sudo certbot certonly --standalone -d colourful.run
证书路径
证书文件:/etc/letsencrypt/live/colourful.run/fullchain.pem
私钥文件:/etc/letsencrypt/live/colourful.run/privkey.pem
[root@VM-16-2-centos dream]# sudo certbot certonly --standalone -d colourful.run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for colourful.run
Performing the following challenges:
http-01 challenge for colourful.run
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: myfuturecloud@163.com).
Starting new HTTPS connection (1): supporters.eff.org
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/colourful.run/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/colourful.run/privkey.pem
Your certificate will expire on 2025-03-10. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
[root@VM-16-2-centos dream]#
4.2 修改 Nginx 配置,手动配置 SSL 证书。通常在 /etc/nginx/nginx.conf 配置文件中添加以下内容:
# Minimal HTTPS server block: terminate TLS on 443 with the Let's Encrypt
# certificate written by step 4.1. Requires nginx built with --with-http_ssl_module.
server {
listen 443 ssl;
# NOTE(review): the certificate was requested for colourful.run only — confirm
# its SAN list matches this server_name before relying on it.
server_name colourful.run;
# fullchain.pem = leaf certificate plus intermediates
ssl_certificate /etc/letsencrypt/live/colourful.run/fullchain.pem;
# private key; keep it readable by root only
ssl_certificate_key /etc/letsencrypt/live/colourful.run/privkey.pem;
}
4.3 重新加载 Nginx 配置:
# re-reads the config without dropping connections; run `nginx -t` first to validate it
sudo systemctl reload nginx
或(nginx 尚未运行时):
# use start instead of reload when nginx is not running yet (reload only signals a running instance)
sudo systemctl start nginx
4.4 验证 HTTPS 是否生效:
你可以通过浏览器访问 https://colourful.run 来检查 SSL 是否正确配置
4.5 自动续期证书:
Certbot 会自动为你设置续期任务,通常通过 Cron 或 systemd 定时任务(timer)来自动更新证书;可用下面的命令先做一次续期演练:
# rehearses renewal against the staging environment; no certificate files are replaced
sudo certbot renew --dry-run
证书相关重要操作
如果你想查看证书的详细信息,可以运行:
# lists the certificates certbot manages: names, file paths and expiry dates
sudo certbot certificates
如果你需要撤销证书,可以使用:
# revokes the certificate at the CA; nginx must be pointed at a replacement afterwards,
# as the files on disk are not removed by this command
sudo certbot revoke --cert-path /etc/letsencrypt/live/colourful.run/fullchain.pem
-------nginx配置https证书
-- 配置前要确保 nginx 已启用 ssl 模块
---- Linux 版本编译安装 nginx 时,--with-http_ssl_module 要启用
# run from the nginx source tree; --with-http_ssl_module compiles in the `ssl` directives used below
./configure --prefix=/dream/rte/nginx --with-http_ssl_module
linux下nginx.conf文档示例:
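# Linux nginx.conf example: an HTTP server that redirects to HTTPS, and an
# HTTPS server that serves static files and proxies /yunmeng/ to a local
# upstream. Requires nginx built with --with-http_ssl_module.
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    upstream mtis-server {
        server localhost:9999;
    }
    # HTTP -> HTTPS redirect
    server {
        listen 80;
        # NOTE(review): this host differs from the HTTPS server_name below
        # (www.colourful.run) and from the certificate's name (colourful.run);
        # confirm which hostname is intended.
        server_name www.colourful.com;
        # Permanent redirect that keeps path and query string. The previous
        # `rewrite ^(.*)$ https://$host\$1;` carried a stray backslash before
        # $1 and, lacking `permanent`, answered with a temporary 302.
        return 301 https://$host$request_uri;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    # HTTPS server
    server {
        listen 443 ssl;
        # NOTE(review): step 4.1 requested the certificate with `-d colourful.run`
        # only; confirm it also covers www.colourful.run, or request both names.
        server_name www.colourful.run;
        ssl_certificate /etc/letsencrypt/live/colourful.run/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/colourful.run/privkey.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        # TLS 1.0/1.1 are deprecated (RFC 8996); only 1.2 and 1.3 are offered.
        ssl_protocols TLSv1.2 TLSv1.3;
        # NOTE(review): the ECDH:AES:HIGH aliases also admit CBC and
        # non-forward-secret suites for TLS 1.2 clients; tighten once client
        # compatibility is confirmed. With OpenSSL, TLS 1.3 suites are not
        # selected by ssl_ciphers.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_prefer_server_ciphers on;
        location / {
            root html;
            index index.html index.htm;
        }
        # Reverse proxy for the application. The forwarded headers let the
        # backend see the original host, client address and scheme.
        location ^~ /yunmeng/ {
            proxy_pass http://mtis-server;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 60s;
        }
        # Error pages belong inside the HTTPS server block
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}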
Windows下nginx.conf文件示例:
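#user nobody;
# Windows nginx.conf example: HTTP -> HTTPS redirect, an HTTPS server with a
# WebSocket-capable reverse proxy, and static-file locations.
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    # WebSocket support: map the client's Upgrade header to the Connection
    # header that is forwarded upstream
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    upstream xxx-server{
        server localhost:15686;
    }
    # HTTP -> HTTPS redirect
    server {
        listen 80;
        server_name www.wmkjyf.com;
        # Permanent redirect that keeps path and query string; the previous
        # `rewrite ^(.*)$ https://$host$1;` lacked `permanent` and answered
        # with a temporary 302.
        return 301 https://$host$request_uri;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    # HTTPS server
    server {
        listen 443 ssl;
        # domain name the certificate is bound to
        server_name www.wmkjyf.com;
        # absolute path of the certificate file
        ssl_certificate C:/xxxxxx/ssl/fullchain.crt;
        # absolute path of the certificate's private key
        ssl_certificate_key C:/xxxxxx/ssl/private.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        # TLS versions and cipher suites (example values; evaluate whether your
        # clients need anything different). Newer TLS versions are more secure
        # but older browsers may not support them. TLS 1.0/1.1 are deprecated
        # (RFC 8996) and are no longer offered here.
        ssl_protocols TLSv1.2 TLSv1.3;
        # NOTE(review): the ECDH:AES:HIGH aliases also admit CBC and
        # non-forward-secret suites for TLS 1.2 clients; tighten once client
        # compatibility is confirmed.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # prefer the server's cipher order over the client's
        ssl_prefer_server_ciphers on;
        # WebSocket-capable proxy: Upgrade/Connection are passed through
        location ^~ /wm-iot/ {
            proxy_pass http://xxx-server;
            proxy_set_header Host $http_host;
            #proxy_read_timeout 3600s; # upstream is closed after 60s without data by default; extend if needed
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
        location ^~ /wm-mtis/ {
            proxy_pass http://xxx-server;
            proxy_set_header Host $http_host;
        }
        # Static assets matched by extension. The `$` anchors the extension at
        # the end of the URI, as the js/css location below already does;
        # without it any URI merely containing ".png" etc. was served from
        # the static root.
        location ~* .*\.(gif|ico|png|jpg|eot|svg|ttf|woff|txt|pdf)$ {
            root C:/xxxxxx/projects/static;
            expires 30d;
        }
        location ~* .*\.(js|css)$ {
            root C:/xxxxxx/projects/static;
            expires 1h;
        }
        location / {
            root C:/xxxxxx/projects/static/page;
            index index.html index.htm;
        }
        # /page/<x> is redirected permanently to /<x> on the same host
        location /page/ {
            rewrite "^/page/(.*)$" $scheme://$http_host/$1 permanent;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}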