2024-01-01
Requesting a Wildcard Certificate with Certbot on CentOS 7 (DNSPod)
1. Install Certbot (the package comes from the EPEL repository)
> yum install certbot
2. Install pip
CentOS 7 ships with Python 2.7, so only pip needs to be installed:
> curl "https://bootstrap.pypa.io/pip/2.7/get-pip.py" -o "get-pip.py"
> python2.7 get-pip.py
3. Install the certbot-dns-dnspod plugin
> pip install certbot-dns-dnspod
4. Create the DNSPod API key file
To obtain an API token, see https://console.dnspod.cn/account/token/token
> vi /root/.secrets/certbot/dnspod.ini
# write the following (the file holds a live API credential: keep it owned by root with mode 600, since certbot warns when other users can read it)
dns_dnspod_email = "xxxx@foxmail.com"
# tokenid,token
dns_dnspod_api_token = "00000,6ef9f0c62d1f8677328b2a6e05ea6cdf"
5. Request the certificate
Request one certificate covering both the apex domain and the wildcard for its subdomains. The plugin creates the DNSPod TXT record automatically and waits 60 seconds for it to take effect; some prompts ask Yes(Y) No(N), answer Y. The wildcard is quoted so the shell does not expand it as a file glob.
> certbot certonly -a dns-dnspod --dns-dnspod-credentials /root/.secrets/certbot/dnspod.ini -d kuai.blog -d '*.kuai.blog'
6. Renew the certificate automatically
Run the renewal at 01:30 on the 1st of every month; the command after --renew-hook is executed once a renewal has completed, here reloading Nginx. Note that certbot renew only replaces certificates that are within 30 days of expiry, so most runs do nothing.
> crontab -e
# write the following (fields: minute hour day-of-month month day-of-week)
30 1 1 * * certbot renew --renew-hook "/usr/sbin/nginx -s reload"
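Before running steps 5 and 6 it is worth checking the credentials file from step 4, since certbot warns on a world-readable file and the plugin needs the token in the tokenid,token form. This Python check is an added example, not part of the original post or of the certbot-dns-dnspod plugin; its parser is a hypothetical simplification of the plugin's own, and the sample file contents are constructed.

```python
import re
import stat
import tempfile
from pathlib import Path
# Constructed sample in the dnspod.ini layout shown above; the token value is a placeholder.
SAMPLE_INI = '''dns_dnspod_email = "xxxx@foxmail.com"
#tokenid,token
dns_dnspod_api_token = "00000,6ef9f0c62d1f8677328b2a6e05ea6cdf"
'''
TOKEN_RE = re.compile(r"^\d+,\S+$")  # plugin expects "tokenid,token": numeric id, comma, token

def parse_ini(text):  # certbot-style sectionless key = value lines; quotes and # comments dropped
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values

def check_credentials(path):  # returns the problems found; an empty list means the file is OK
    p = Path(path)
    if not p.is_file():
        return ["missing file: %s" % path]
    problems = []
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # certbot warns when group/other can read it
        problems.append("permissions %o are too open, expected 600" % mode)
    values = parse_ini(p.read_text())
    for key in ("dns_dnspod_email", "dns_dnspod_api_token"):
        if not values.get(key):
            problems.append("missing key: %s" % key)
    token = values.get("dns_dnspod_api_token", "")
    if token and not TOKEN_RE.match(token):
        problems.append("dns_dnspod_api_token must be in tokenid,token form")
    return problems

def demo():  # writes constructed good/bad files to a temp dir and returns each file's problems
    d = tempfile.mkdtemp()
    cases = {"good": (SAMPLE_INI, 0o600), "world_readable": (SAMPLE_INI, 0o644),
             "bad_token": (SAMPLE_INI.replace("00000,", ""), 0o600)}
    results = {}
    for name, (text, mode) in cases.items():
        path = Path(d, name + ".ini")
        path.write_text(text)
        path.chmod(mode)
        results[name] = check_credentials(path)
    return results
```

Run check_credentials("/root/.secrets/certbot/dnspod.ini") on the server to check the real file; demo() only exercises the constructed cases.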
7. Nginx SSL certificate and gzip configuration
> vi /etc/nginx/nginx.conf
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name kuai.blog;
    ssl_certificate "/etc/letsencrypt/live/kuai.blog/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/kuai.blog/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    gzip on;
    gzip_buffers 32 4K;
    gzip_comp_level 6;
    gzip_min_length 100;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
    gzip_disable "MSIE [1-6]\."; # condition under which gzip is disabled (regex supported); here IE6 and below, which do not support it
    gzip_vary on;
    client_max_body_size 100m;
    root /home/kuai.blog;
    index index.html index.htm index.php;
}