Free SSL certificates with certbot

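Today I will walk through generating a free SSL certificate with certbot. I think the approach is usable even for beginners.
certbot is a free certificate-generation tool from abroad. The test environment is Ubuntu with nginx as the proxy. Follow the steps below to generate a certificate.
1. Install certbot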
Reference documentation: https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal

    # Install snapd
    sudo apt install snapd
    # Install and refresh the snap core
    sudo snap install core; sudo snap refresh core
    # Install certbot
    sudo snap install --classic certbot
    # Install nginx
    sudo apt install nginx

2. Create the certificate

    # 1. Run the certificate generation command
    #    ("$@" passes through any extra arguments when this line is run from a script)
    sudo certbot certonly --manual --preferred-challenges=dns --server \
        https://acme-v02.api.letsencrypt.org/directory --register-unsafely-without-email \
        --agree-tos "$@"

    # 2. Enter the domain name at the following prompt
    Please enter the domain name(s) you would like on your certificate (comma and/or
    space separated) (Enter 'c' to cancel): .example.com

    # 3. After you press Enter, certbot asks you to create a TXT record on your domain.
    #    Create the record, wait about half a minute, then press Enter again.

    # 4. Where the certificate is saved on success
    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
    Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem

3. Follow the steps shown in the figure

4. Finally, configure the certificate in your own nginx

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name .example.com;

        # SSL
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

        # security headers
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
        add_header Permissions-Policy "interest-cohort=()" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # . files
        location ~ /\.(?!well-known) {
            deny all;
        }

        # reverse proxy
        location / {
            proxy_pass http://127.0.0.1:3000;
            proxy_http_version 1.1;
            proxy_cache_bypass $http_upgrade;

            # Proxy headers
            # $connection_upgrade and $proxy_add_forwarded are not built-in variables;
            # they must be defined by map blocks in the http context.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Forwarded $proxy_add_forwarded;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;

            # Proxy timeouts
            proxy_connect_timeout 60s;
            proxy_send_timeout 60s;
            proxy_read_timeout 60s;
        }

        # additional config
        include nginxconfig.io/general.conf;
    }

    # HTTP redirect
    server {
        listen 80;
        listen [::]:80;
        server_name .example.com;

        location / {
            return 301 https://example.com$request_uri;
        }
    }

5. The certificate has to be renewed every three months. certbot provides a renewal command:

    sudo certbot renew

Of course, free certificates can also be requested from third-party cloud platforms, which is fairly convenient as well.
This article simply offers another way to generate a usable SSL certificate.
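For step 2, instead of waiting a fixed half minute, the TXT record can be checked before pressing Enter. The script below is an added example, not part of the original article or of certbot; the function names are hypothetical, and it assumes `dig` is installed and uses the public resolver 1.1.1.1 as a default.

```shell
#!/bin/sh
# Added example: confirm the DNS-01 TXT record is visible before pressing
# Enter at the certbot prompt. Function names are hypothetical.

# Map a certificate name to the record name used by the DNS challenge:
# "*.example.com" and "example.com" both use _acme-challenge.example.com.
challenge_name() {
    case $1 in
        '*.'*) printf '_acme-challenge.%s\n' "${1#??}" ;;
        *)     printf '_acme-challenge.%s\n' "$1" ;;
    esac
}

# Succeed when one line of `dig +short TXT` output ($1) equals the expected
# value ($2). dig prints each TXT value in double quotes, one per line, and a
# name can hold several values (base domain plus wildcard), so every line is
# compared. "--" matters because a challenge value may begin with "-".
txt_matches() {
    [ -n "$2" ] || return 1
    printf '%s\n' "$1" | tr -d '"' | grep -Fxq -- "$2"
}

# Poll a resolver until the expected value appears or the attempts run out.
# Arguments: domain, expected TXT value, resolver (assumed default 1.1.1.1),
# number of attempts (default 12, ten seconds apart).
wait_for_txt() {
    domain=$1 expected=$2 resolver=${3:-1.1.1.1} tries=${4:-12}
    name=$(challenge_name "$domain")
    i=0
    while [ "$i" -lt "$tries" ]; do
        answer=$(dig +short TXT "$name" "@$resolver" 2>/dev/null)
        if txt_matches "$answer" "$expected"; then
            echo "$name is published on $resolver"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "$name not visible on $resolver after $tries attempts" >&2
    return 1
}

# Usage: wait_for_txt '*.example.com' '<TXT value printed by certbot>'
```

Run it in a second terminal while certbot is waiting, and press Enter in the certbot session only after it reports the record as published.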