Basic environment
Based on the CentOS 7 operating system with Docker and Nginx; Nginx and certbot run in separate Docker containers.
Domain ownership verification
Nginx setup
When starting Nginx, add two data volumes: one from which the domain ownership verification content is read, and one holding the certificate and private key.
docker stop nginx
docker rm nginx
docker run -p 80:80 --name nginx \
    --restart always \
    -v /opt/volume/nginx/conf:/etc/nginx \
    -v /opt/volume/nginx/html:/usr/share/nginx/html \
    -v /opt/volume/nginx/log:/var/log/nginx \
    -v /etc/timezone:/etc/timezone:ro \
    -v /etc/localtime:/etc/localtime:ro \
    -v /opt/volume/certbot/domain:/usr/share/certbot/domain:ro \
    -v /opt/volume/certbot/cert:/usr/share/certbot/cert:ro \
    --network language-trainer \
    -d nginx
Edit the configuration file /opt/volume/nginx/conf/conf.d/default.conf and add the location for the domain ownership verification path
server {
    listen 80;
    server_name languagetrainer.oliverclio.com;
    location /api/ {
        proxy_pass http://language-trainer:8080/;
    }
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    location /.well-known/acme-challenge/ {
        root /usr/share/certbot/domain;
    }
    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
Testing certbot
Mount two data volumes: one for the domain ownership verification content and one for storing the certificate and key
docker run -it --rm \
    -v /etc/timezone:/etc/timezone:ro \
    -v /etc/localtime:/etc/localtime:ro \
    -v /opt/volume/certbot/domain:/usr/share/certbot/domain \
    -v /opt/volume/certbot/cert:/etc/letsencrypt \
    certbot/certbot \
    certonly --webroot --webroot-path /usr/share/certbot/domain/ --dry-run -d languagetrainer.oliverclio.com
If the output contains "The dry run was successful", the test passed and domain ownership has been verified, but no certificate has actually been issued.
Issuing the certificate
Running certbot
Remove the --dry-run parameter; add -m with the email address that should receive important notices, -n to run non-interactively, and --agree-tos to accept the terms of service
docker run -it --rm \
    -v /etc/timezone:/etc/timezone:ro \
    -v /etc/localtime:/etc/localtime:ro \
    -v /opt/volume/certbot/domain:/usr/share/certbot/domain \
    -v /opt/volume/certbot/cert:/etc/letsencrypt \
    certbot/certbot \
    certonly --webroot --webroot-path /usr/share/certbot/domain/ \
    -d languagetrainer.oliverclio.com -m wintyhao123@163.com -n --agree-tos
The certificate is issued successfully and the following is printed
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for languagetrainer.oliverclio.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/languagetrainer.oliverclio.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/languagetrainer.oliverclio.com/privkey.pem
This certificate expires on 2023-06-01.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
Using the certificate in Nginx
When starting Nginx, also map port 443
docker stop nginx
docker rm nginx
docker run -p 80:80 -p 443:443 --name nginx \
    --restart always \
    -v /opt/volume/nginx/conf:/etc/nginx \
    -v /opt/volume/nginx/html:/usr/share/nginx/html \
    -v /opt/volume/nginx/log:/var/log/nginx \
    -v /etc/timezone:/etc/timezone:ro \
    -v /etc/localtime:/etc/localtime:ro \
    -v /opt/volume/certbot/domain:/usr/share/certbot/domain:ro \
    -v /opt/volume/certbot/cert:/usr/share/certbot/cert:ro \
    --network language-trainer \
    -d nginx
Edit the configuration file /opt/volume/nginx/conf/conf.d/default.conf: port 80 keeps serving the verification path and redirects everything else to HTTPS, and port 443 serves the site with the certificate
server {
    listen 80;
    server_name languagetrainer.oliverclio.com;
    location /.well-known/acme-challenge/ {
        root /usr/share/certbot/domain;
    }
    location / {
        return 301 https://languagetrainer.oliverclio.com$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name languagetrainer.oliverclio.com;
    ssl_certificate /usr/share/certbot/cert/live/languagetrainer.oliverclio.com/fullchain.pem;
    ssl_certificate_key /usr/share/certbot/cert/live/languagetrainer.oliverclio.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location /api/ {
        proxy_pass http://language-trainer:8080/;
    }
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    #error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
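The 443 server block above still enables TLSv1 and TLSv1.1, which RFC 8996 deprecated, and sends no Strict-Transport-Security header. As an added example (not code from the original post), the script below holds the hardened directives to drop into that block and a small lint function that reports those weak settings in a default.conf; the config path is the one used on this page, and the cipher list is an assumed subset of the Mozilla "intermediate" AEAD suites.

```shell
#!/bin/sh
# Added example, not from the original post: hardened TLS directives for the
# 443 server block, plus a lint that reports the weak settings in a config.
# Only grep is used, so it runs on the host without docker.

# Directives that replace "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" and friends.
# The cipher list is an assumed subset of Mozilla's "intermediate" AEAD suites.
HARDENED_TLS='    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;'

# Print one finding per line for the given nginx config; prints nothing when clean.
tls_findings() {
    conf="$1"
    # TLSv1 or TLSv1.1 inside an ssl_protocols directive (TLSv1.2/1.3 do not match).
    if grep -Eq 'ssl_protocols[^;]*TLSv1([^.0-9]|\.1[^0-9])' "$conf"; then
        echo "ssl_protocols enables deprecated TLSv1/TLSv1.1 (RFC 8996)"
    fi
    # HSTS makes browsers use https:// on later visits even if the user types http://,
    # so the 301 redirect on port 80 is only needed for the first visit.
    grep -q 'Strict-Transport-Security' "$conf" \
        || echo "no Strict-Transport-Security header"
    # nginx only rotates its session-ticket key on reload, which weakens forward
    # secrecy for resumed sessions; disable tickets.
    grep -q 'ssl_session_tickets *off' "$conf" \
        || echo "ssl_session_tickets not disabled"
}

# Usage: sh tls_lint.sh /opt/volume/nginx/conf/conf.d/default.conf
if [ -n "${1:-}" ]; then
    if tls_findings "$1" | grep .; then
        echo "replace the TLS directives with:"; echo "$HARDENED_TLS"
        exit 1
    fi
    echo "no TLS findings in $1"
fi
```

After editing default.conf, run `docker exec nginx nginx -t` and then `docker exec nginx nginx -s reload` so the change is applied without dropping connections.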
Renewing the certificate
Testing renewal
docker run -it --rm \
    -v /etc/timezone:/etc/timezone:ro \
    -v /etc/localtime:/etc/localtime:ro \
    -v /opt/volume/certbot/domain:/usr/share/certbot/domain \
    -v /opt/volume/certbot/cert:/etc/letsencrypt \
    certbot/certbot \
    renew --dry-run
Output on success
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/languagetrainer.oliverclio.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for languagetrainer.oliverclio.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/languagetrainer.oliverclio.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Manual renewal
Remove the --dry-run parameter; only certificates that expire within 30 days are actually renewed
docker run -it --rm \
    -v /etc/timezone:/etc/timezone:ro \
    -v /etc/localtime:/etc/localtime:ro \
    -v /opt/volume/certbot/domain:/usr/share/certbot/domain \
    -v /opt/volume/certbot/cert:/etc/letsencrypt \
    certbot/certbot \
    renew
The following is printed
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/languagetrainer.oliverclio.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/languagetrainer.oliverclio.com/fullchain.pem expires on 2023-06-01 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Scheduled renewal
Write the shell script /opt/certbot/renew.sh
#!/bin/bash
echo "-----Renewing certification begins-----"
# Same volumes as the manual run above; certbot only renews certificates
# that expire within 30 days.
sudo docker run --rm \
    -v /etc/timezone:/etc/timezone:ro \
    -v /etc/localtime:/etc/localtime:ro \
    -v /opt/volume/certbot/domain:/usr/share/certbot/domain \
    -v /opt/volume/certbot/cert:/etc/letsencrypt \
    certbot/certbot renew
echo "-----Renewing certification ends-----"
echo "-----Restarting nginx begins.-----"
# Restart nginx so it picks up the renewed certificate files.
sudo docker restart nginx
echo "-----Restarting nginx ends.-----"
Make the script executable
chmod u+x /opt/certbot/renew.sh
Add the cron job (runs at 03:30 on the 1st and 15th of every month)
30 03 1,15 * * /opt/certbot/renew.sh
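The script above restarts nginx on every run, whether or not certbot renewed anything. As an added example (not the post's own renew.sh), this variant uses the same volumes and container names, checksums fullchain.pem before and after certbot renew, and only reloads nginx when the file changed; the host paths, the hostname and the "run" argument convention are assumptions taken from this page.

```shell
#!/bin/sh
# Added example, not the original post's renew.sh: renew with certbot, then
# reload nginx only if the certificate file actually changed, so the twice-monthly
# cron run does not restart nginx when nothing was renewed.
CERT_DIR=/opt/volume/certbot/cert   # host path mounted as /etc/letsencrypt in certbot
DOMAIN=languagetrainer.oliverclio.com
FULLCHAIN="$CERT_DIR/live/$DOMAIN/fullchain.pem"

# POSIX cksum of a file (follows certbot's live/ symlink), or "missing".
file_sum() {
    if [ -f "$1" ]; then cksum < "$1" | cut -d' ' -f1; else echo missing; fi
}

# True (exit 0) when the checksum taken before renewal differs from the one after.
cert_changed() {
    [ "$1" != "$2" ]
}

renew_and_reload() {
    before=$(file_sum "$FULLCHAIN")
    docker run --rm \
        -v /etc/timezone:/etc/timezone:ro \
        -v /etc/localtime:/etc/localtime:ro \
        -v /opt/volume/certbot/domain:/usr/share/certbot/domain \
        -v "$CERT_DIR":/etc/letsencrypt \
        certbot/certbot renew --quiet
    after=$(file_sum "$FULLCHAIN")
    if cert_changed "$before" "$after"; then
        # nginx -s reload re-reads the certificate without dropping connections;
        # fall back to a restart only if the reload itself fails.
        docker exec nginx nginx -s reload || docker restart nginx
        echo "$(date '+%F %T') certificate renewed, nginx reloaded"
    else
        echo "$(date '+%F %T') certificate unchanged ($after), nginx left running"
    fi
}

# Cron entry (assumed): 30 03 1,15 * * /opt/certbot/renew.sh run
if [ "${1:-}" = run ]; then
    renew_and_reload
fi
```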
Deleting a certificate
docker run -it --rm \
    -v /etc/timezone:/etc/timezone:ro \
    -v /etc/localtime:/etc/localtime:ro \
    -v /opt/volume/certbot/domain:/usr/share/certbot/domain \
    -v /opt/volume/certbot/cert:/etc/letsencrypt \
    certbot/certbot \
    delete
Select the certificate(s) to delete at the prompt and confirm
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which certificate(s) would you like to delete?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: chat.oliverclio.com
2: languagetrainer.oliverclio.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificate(s) are selected for deletion:
* chat.oliverclio.com
WARNING: Before continuing, ensure that the listed certificates are not being
used by any installed server software (e.g. Apache, nginx, mail servers).
Deleting a certificate that is still being used will cause the server software
to stop working. See https://certbot.org/deleting-certs for information on
deleting certificates safely.
Are you sure you want to delete the above certificate(s)?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Deleted all files relating to certificate chat.oliverclio.com.