
依楼听风雨

Batch script for automatic renewal of SSL certificates for newly added domains

For installing certbot, see "Let's Encrypt certificate application and renewal limits (SSL certificates)": link

0 - First set up a port-80 test nginx configuration:

Prepare the well-known directory:

mkdir -p /www/uat-dashu.baimei.com 

cat test.conf

server {
    listen 80;
    server_name uat-dashu.baimei.com;

    # settings for the directory used to validate the SSL certificate request
    location ~ \.well-known {
        allow all;
        root /www/uat-dashu.baimei.com;
    }
}

Then run nginx -s reload to load test.conf.

The first time, the certificate files have to be generated manually:

certbot certonly --webroot -w /www/uat-tugele.dashu.com  -d uat-tugele.dashu.com

The correct output looks like this:

Check that the certificate was generated:

1. List the domains being renewed:

certbot certificates

You can also ls the certificate directory:

Once that checks out, we can prepare the automatic renewal command.

Remember to remove test.conf:

mv test.conf test.conf.bak
nginx -t
nginx -s reload

1 - Prepare the cron script:

Cron entry (system crontab format, hence the root user field):

0 2 * * * root sh /app/scripts/ssl/renewssl.sh  >> /www/renew.log 2>&1

cat renewssl.sh

#!/bin/bash
certbot renew  --quiet --deploy-hook "sh /app/scripts/ssl/ssldeploy-uat-ai.baimei.com.sh"
#certbot renew --quiet --deploy-hook "sh /app/scripts/ssl/ssldeploy-ollama.baimei.com.sh"

echo "Script executed at $(date)" >> /www/renew.log

2 - Prepare the deploy script

Change the domain and the SSL path in the script.

cat /app/scripts/ssl/ssldeploy-uat-ai.baimei.com.sh

#!/bin/bash

renewed_domains=$RENEWED_DOMAINS
MYDOMAIN="uat-ai.baimei.com"
#SSLPATH=/opt/ssl_key/$MYDOMAIN
SSLPATH=/etc/nginx/ssl_key/oms/$MYDOMAIN

# Check whether this particular domain was renewed.
# RENEWED_DOMAINS is a space-separated list, so match it as a whole word
# rather than with a plain equality test.
if [[ " $renewed_domains " == *" $MYDOMAIN "* ]]; then
    # domain-specific actions go here
    echo " 续约$MYDOMAIN" >> /www/renew.log

    # Copy the renewed certificate to the desired location
    mkdir -p "$SSLPATH"
    cp -f /etc/letsencrypt/live/$MYDOMAIN/fullchain.pem "$SSLPATH/"
    cp -f /etc/letsencrypt/live/$MYDOMAIN/privkey.pem "$SSLPATH/"

    # Reload the nginx inside the docker container
    /usr/sbin/nginx -s reload
fi
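The post keeps one deploy-hook script per domain and comments out the second one in renewssl.sh, so only one domain is actually deployed. The following is an added example (not the post's script) of a single hook that serves several domains: it matches RENEWED_DOMAINS as a word list, copies the key with a root-only mode, refuses to deploy a half-missing pair, and reloads nginx once, only after nginx -t passes. RENEWED_DOMAINS and RENEWED_LINEAGE are the variables certbot exports to deploy hooks; the DOMAIN_MAP list and the /www/renew.log path are constructed assumptions following the post's layout.

```shell
#!/bin/sh
# Added example, not the post's own script: one deploy hook for several domains.
# Assumptions (hypothetical, adjust to your layout): certbot exports
# RENEWED_DOMAINS (space-separated) and RENEWED_LINEAGE (the live/<name> dir);
# DOMAIN_MAP below is a constructed domain:destination list.
DOMAIN_MAP='uat-dashu.baimei.com:/etc/nginx/ssl_key/uat/uat-dashu.baimei.com
uat-ai.baimei.com:/etc/nginx/ssl_key/oms/uat-ai.baimei.com'
LOG=/www/renew.log

# Return 0 if $2 appears as a whole word in the space-separated list $1
# (a plain == comparison fails as soon as a certificate covers two names).
domain_renewed() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the destination directory mapped to domain $1; prints nothing if unmapped.
target_dir_for() {
    printf '%s\n' "$DOMAIN_MAP" | while IFS=: read -r d dir; do
        if [ "$d" = "$1" ]; then
            printf '%s\n' "$dir"
            break
        fi
    done
    return 0
}

# Copy fullchain/privkey from lineage dir $1 into $2 with restrictive modes.
# Returns 1 if either source file is missing, so a half-deployed pair never happens.
deploy_cert() {
    [ -f "$1/fullchain.pem" ] && [ -f "$1/privkey.pem" ] || return 1
    mkdir -p "$2"
    install -m 0644 "$1/fullchain.pem" "$2/fullchain.pem"
    install -m 0600 "$1/privkey.pem"   "$2/privkey.pem"   # key stays root-only
}

# Hook body: deploy every renewed domain we know about, then reload nginx once,
# and only if the configuration still validates.
run_hook() {
    deployed=0
    for d in ${RENEWED_DOMAINS:-}; do
        dst=$(target_dir_for "$d")
        [ -n "$dst" ] || continue
        if deploy_cert "${RENEWED_LINEAGE:-}" "$dst"; then
            echo "$(date) renewed $d -> $dst" >> "$LOG"
            deployed=$((deployed + 1))
        else
            echo "$(date) ERROR: no files in lineage for $d" >> "$LOG"
        fi
    done
    if [ "$deployed" -gt 0 ] && nginx -t >/dev/null 2>&1; then
        nginx -s reload || echo "$(date) ERROR: nginx reload failed" >> "$LOG"
    fi
}

# Only act when certbot invoked us (it sets RENEWED_DOMAINS).
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    run_hook
fi
```

With this hook, renewssl.sh needs a single --deploy-hook line for all domains. Note that the hook is not responsible for the port-80 validation setup; if a renewal fails, nothing is copied and the old certificate stays in place, which is what the expiry check in step 4 should catch.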

3 - Prepare the nginx configuration file

Prepare the well-known directory:

mkdir -p /www/uat-dashu.baimei.com 

server {
    listen 443 ssl;
    #listen 80;
    server_name uat-dashu.baimei.com;

    ssl_certificate     /etc/nginx/ssl_key/uat/uat-dashu.baimei.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl_key/uat/uat-dashu.baimei.com/privkey.pem;

    gzip on;
    gzip_http_version 1.1;
    gzip_min_length 0;
    gzip_buffers 256 64k;
    gzip_comp_level 9;
    gzip_types text/plain application/x-javascript application/javascript text/javascript text/css application/xml application/json text/xml;

    client_header_buffer_size 16k;
    client_max_body_size      100m; # required, otherwise uploading large files fails.
    proxy_ignore_client_abort on;
    proxy_buffers 64 4k;

    location ^~ /.well-known {
        allow all;
        root /www/uat-dashu.baimei.com;
    }

    location / {
        proxy_pass http://192.168.1.209:31057;
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /stage-api/ {
        proxy_pass http://192.168.1.209:31058/;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        # websocket proxy settings; $http_upgrade is the value of the HTTP Upgrade header.
        proxy_http_version 1.1;
        proxy_set_header   Upgrade          $http_upgrade;
        proxy_set_header   Connection       "upgrade";
    }

    access_log  /var/log/nginx/uat-dashu.baimei.com.log custom_format;
    error_log   /var/log/nginx/uat-dashu.baimei.com.error.log;

    error_page 502 503 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

server {
    listen 80;
    server_name uat-dashu.baimei.com;
    if ($host != 'uat-dashu.baimei.com') {
        return 403;
    }
    #return 302 https://$server_name$request_uri;

    rewrite ^/(.*)$ https://$server_name:443/$1 permanent;
}

4 - Test:

Step 1: force a renewal and check whether the script takes effect

certbot renew --force-renewal --quiet --deploy-hook "sh /app/scripts/ssl/ssldeploy-uat-tugele.baimei.com.sh"

Check:

cat /www/renew.log

Confirm that it contains a "续约..." line.

Verify the certificate directory:

ll /etc/nginx/ssl_key/uat/uat-tugele.baimei.com/

Verify the certificate validity dates again:

openssl x509 -in /etc/nginx/ssl_key/uat/uat-tugele.baimei.com/fullchain.pem -noout -startdate -enddate

If the dates are right, automatic renewal is working.
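The manual openssl check above only covers one forced run. The failure mode worth catching afterwards is a hook that did not fire (wrong domain in MYDOMAIN, hook line commented out), which leaves nginx serving a stale copy while certbot's live copy is fresh. The following is an added example (not from the post) of a check that can run from cron after the renew job: it compares the deployed fullchain against certbot's live copy byte for byte and uses openssl x509 -checkend to flag certificates with less than WARN_DAYS of validity left. WARN_DAYS and the DOMAINS list are assumptions; the directories follow the post's /etc/nginx/ssl_key layout.

```shell
#!/bin/sh
# Added example, not from the original post: a health check to run after
# "certbot renew" (or from cron) that catches a deploy hook that silently did
# not run. WARN_DAYS and the DOMAINS list are assumptions; the directories
# follow the post's /etc/nginx/ssl_key layout.
WARN_DAYS=14
LIVE_ROOT=/etc/letsencrypt/live
DOMAINS='uat-dashu.baimei.com:/etc/nginx/ssl_key/uat/uat-dashu.baimei.com
uat-ai.baimei.com:/etc/nginx/ssl_key/oms/uat-ai.baimei.com'

# Return 0 when the deployed fullchain in $2 is byte-identical to certbot's live copy in $1.
deployed_matches_live() {
    cmp -s "$1/fullchain.pem" "$2/fullchain.pem"
}

# Return 0 when certificate $1 is still valid for at least $2 days
# (openssl -checkend avoids parsing locale-dependent date strings).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Classify one live/deployed pair: prints OK, MISSING, STALE or EXPIRING and
# returns non-zero for anything but OK.
check_cert_dirs() {
    [ -f "$2/fullchain.pem" ] || { echo MISSING; return 1; }
    if ! deployed_matches_live "$1" "$2"; then
        echo STALE
        return 1
    fi
    if ! cert_valid_for_days "$2/fullchain.pem" "$WARN_DAYS"; then
        echo EXPIRING
        return 1
    fi
    echo OK
}

# Check every configured domain; the exit status is non-zero if any failed,
# so cron mail or a monitoring wrapper notices.
run_checks() {
    failed=0
    for entry in $DOMAINS; do
        domain=${entry%%:*}
        dir=${entry#*:}
        status=$(check_cert_dirs "$LIVE_ROOT/$domain" "$dir") || failed=1
        echo "$domain: $status"
    done
    return $failed
}

# Invoke as "sh checkssl.sh --run"; without the flag the file only defines functions.
case "${1:-}" in
    --run) run_checks ;;
esac
```

A STALE result means certbot renewed but the copy under /etc/nginx/ssl_key was not refreshed, so the deploy hook or its MYDOMAIN value is the thing to inspect; EXPIRING with a matching live copy means the renewal itself is not happening and the port-80 validation path should be checked.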

Tidy up the scripts and they are ready for production.
