1. 安装
1.1 安装依赖
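# Build/runtime dependencies for a venv-installed certbot. libaugeas-dev and gcc
# only matter if a native extension has to be compiled (augeas is used by the
# apache plugin, not the nginx plugin) and are harmless otherwise.
sudo apt update
sudo apt install python3 python3-dev python3-venv libaugeas-dev gcc
# Remove the distro-packaged certbot so that /usr/bin/certbot is free for the
# venv symlink created in step 1.3. (Same apt front-end as above for consistency.)
sudo apt remove certbot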
1.2 创建一个虚拟环境
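# Dedicated virtualenv managed by uv. -p makes the step safe to re-run.
# NOTE(review): the layout is nested — the venv is created in ./certbot/certbot,
# so with /opt/module as the working directory the interpreter is at
# /opt/module/certbot/certbot/bin/certbot; check this against the symlink
# target used in step 1.3 (working directory not shown here — TODO confirm).
mkdir -p certbot
cd certbot/
uv venv certbot
source certbot/bin/activate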
1.3 Install
# Install certbot together with the nginx authenticator/installer plugin into the active venv.
uv pip install certbot certbot-nginx
# Put the venv's certbot on PATH for root: sudo does not inherit the activated venv,
# so the later "sudo certbot ..." calls resolve through this link.
# NOTE(review): this assumes the venv lives directly in /opt/module/certbot; with the
# nested layout from step 1.2 the binary would be /opt/module/certbot/certbot/bin/certbot — confirm.
sudo ln --symbolic /opt/module/certbot/bin/certbot /usr/bin/certbot
1.4 使用
# Obtain a certificate only: the nginx plugin answers the challenge but the
# certificate is not installed into the nginx configuration.
sudo certbot certonly --nginx
# Obtain and install one certificate covering the apex domain and its www host.
sudo certbot --nginx --domain ginwineli.cn --domain www.ginwineli.cn
2. 基于 docker 的配置
修改 nginx 的 docker-compose.yml
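services:
  nginx:
    container_name: nginx
    image: nginx
    restart: always
    ports:
      - "80:80"
      - "443:443"
    environment:
      TZ: 'Asia/Shanghai'
    volumes:
      - /opt/module/nginx/html:/usr/share/nginx/html
      - /opt/module/nginx/www:/var/www
      - /opt/module/nginx/logs:/var/log/nginx
      # No trailing slash on the host path: the intent is to bind the nginx.conf
      # file itself, and a trailing slash asks for a directory.
      - /opt/module/nginx/nginx.conf:/etc/nginx/nginx.conf
      # Read-only: nginx only reads certificates and the ACME challenge files
      # that the certbot service writes here. This directory also holds the
      # private keys, so the web server gets no write access to it.
      - /opt/module/certbot:/etc/letsencrypt:ro
      - /opt/module/nginx/conf.d:/etc/nginx/conf.d
    networks:
      - nginx-network
    command: >
      sh -c "nginx -g 'daemon off;'"
    depends_on:
      - certbot  # start certbot first (only matters for the initial issuance)
  certbot:
    container_name: certbot
    image: certbot/certbot
    volumes:
      # Same host directory as nginx's /etc/letsencrypt, read-write here because
      # certbot writes certificates and the HTTP-01 challenge files into it.
      - /opt/module/certbot:/etc/letsencrypt
      - /opt/module/nginx/html:/usr/share/nginx/html
    networks:
      - nginx-network

networks:
  nginx-network:
    driver: bridge
    name: nginx-network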
nginx 配置文件 *.conf
server {
    listen 80;
    listen [::]:80;
    server_name ginwineli.cn;

    # HTTP-01 validation. Requests under this prefix are served from
    # /etc/letsencrypt/.well-known/acme-challenge/ inside the nginx container;
    # that directory is the bind mount of the host certbot directory, which the
    # certbot container writes to via --webroot-path /etc/letsencrypt, so all
    # three sides agree on where the challenge files live.
    # NOTE(review): the document root is the directory that also stores the
    # private keys. Only the /.well-known/acme-challenge/ prefix is exposed, but
    # a dedicated webroot (for example /var/www/certbot) would keep the two apart.
    location ^~ /.well-known/acme-challenge/ {
        root /etc/letsencrypt;
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
2.2 测试
# Bring nginx (and the one-shot certbot service) up in the background.
docker compose up -d
# Dry run: proves the HTTP-01 path works; no certificate is stored.
docker compose run --rm certbot certonly --webroot --webroot-path /etc/letsencrypt --dry-run --domain ginwineli.cn
# Real issuance. Inside the container the result is written under
# /etc/letsencrypt/live/ginwineli.cn/, i.e. /opt/module/certbot/live/ginwineli.cn/
# on the host through the bind mount; the HTTPS server block below reads
# fullchain.pem and privkey.pem from there.
docker compose run --rm certbot certonly --webroot --webroot-path /etc/letsencrypt --domain ginwineli.cn
Certbot 会在 /opt/module/certbot/certs/live/xxx.com/ 目录下生成证书文件,包括:
- fullchain.pem:完整的证书链
- privkey.pem:私钥
3. 配置 HTTPS
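server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ginwineli.cn;

    # Paths as seen inside the nginx container (bind mount of /opt/module/certbot).
    ssl_certificate /etc/letsencrypt/live/ginwineli.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ginwineli.cn/privkey.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    # This list governs TLS 1.2 only; TLS 1.3 suites are fixed by the library.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}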
重启应用配置
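# Validate the configuration inside the container before restarting, so a typo
# in conf.d does not leave nginx down.
docker compose exec nginx nginx -t && docker compose restart nginx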
4. 配置定时任务自动续期
为了避免证书过期,设置一个定时任务每月 1 号自动续期证书并重启 Nginx
# Edit root's crontab: the job below talks to the docker daemon, which needs
# root (or a docker-group user).
sudo crontab -e
任务内容
# 00:00 on the 1st of every month: run "certbot renew" (it only renews
# certificates that are close to expiry) and then restart nginx so the new
# files are loaded. The restart happens even when nothing was renewed.
# NOTE(review): a monthly schedule leaves at most one attempt before a 90-day
# certificate expires if the previous run fell just outside the renewal window;
# a daily or weekly run gives certbot retries at no cost since it is a no-op
# when nothing is due.
0 0 1 * * cd /opt/module/nginx && /usr/bin/docker compose run --rm certbot renew && /usr/bin/docker compose restart nginx
5. 泛域名配置
添加 cloudflare.ini (前往 cloudflare 申请令牌)
# Cloudflare API token used by Certbot for the DNS-01 challenge.
# Keep this file owner-only (chmod 600): it grants write access to the zone's
# DNS records, and certbot warns when the credentials file is readable by others.
# Use a scoped API token (DNS edit on this zone only), never the global API key.
dns_cloudflare_api_token = 7FCAY************************ofY6SVif
在 docker-compose.yml 添加
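certbot-dns-cloudflare:
  container_name: certbot-dns-cloudflare
  image: certbot/dns-cloudflare
  volumes:
    # The container-side target must be absolute (a literal "~" is not expanded
    # inside the container) and must match --dns-cloudflare-credentials in the
    # commands below. Read-only: certbot only reads the token.
    - /opt/module/certbot/cloudflare.ini:/etc/.secrets/certbot/cloudflare.ini:ro
    # Same cert store as the nginx and certbot services. Without this mount the
    # wildcard certificate would be written inside the --rm container and lost.
    - /opt/module/certbot:/etc/letsencrypt
  networks:
    - nginx-network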
使用
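# Wildcard dry run via the Cloudflare DNS-01 plugin; no certificate is stored.
# The wildcard is quoted so the shell cannot expand "*" against files in the
# current directory.
docker compose run --rm certbot-dns-cloudflare certonly --dns-cloudflare --dns-cloudflare-credentials /etc/.secrets/certbot/cloudflare.ini --dry-run -d ginwineli.cn -d '*.ginwineli.cn' --server https://acme-v02.api.letsencrypt.org/directory
# Real wildcard issuance: apex plus all first-level subdomains on one certificate.
# The credentials path must match the volume target of the certbot-dns-cloudflare service.
docker compose run --rm certbot-dns-cloudflare certonly --dns-cloudflare --dns-cloudflare-credentials /etc/.secrets/certbot/cloudflare.ini -d ginwineli.cn -d '*.ginwineli.cn' --server https://acme-v02.api.letsencrypt.org/directory
# List the certificates in this cert store.
docker compose run --rm certbot-dns-cloudflare certificates
# Renew whatever is due. The wildcard needs the DNS plugin, hence this image.
docker compose run --rm certbot-dns-cloudflare renew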
修改子域名配置
修改定时任务
# Edit root's crontab again to switch the renewal job to the DNS plugin image.
sudo crontab -e
任务内容
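# Renew through the dns-cloudflare image: the plain certbot/certbot image does
# not contain the dns-cloudflare plugin, so it cannot renew the wildcard
# certificate. This image still carries the webroot authenticator, so the
# earlier HTTP-01 certificate renews here as well when both share one cert store.
# NOTE(review): this assumes the certbot-dns-cloudflare service mounts
# /opt/module/certbot at /etc/letsencrypt — confirm in docker-compose.yml.
0 0 1 * * cd /opt/module/nginx && /usr/bin/docker compose run --rm certbot-dns-cloudflare renew && /usr/bin/docker compose restart nginx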