Serving a site over HTTPS needs a certificate for the domain, and Let's Encrypt issues them for free. First you have to prove to Let's Encrypt that you control the domain. There are several ways to do that; here we use the HTTP-01 challenge: certbot places a file under a URL like http://ooxxooxx.com/.well-known/acme-challenge/{token}, and Let's Encrypt fetches it over plain HTTP on port 80 to confirm control of the domain. So we first bring up a minimal nginx whose only job is to serve that challenge while the certificate is requested. Once the certificate is issued, we start the nginx that serves the site over HTTPS. Let's Encrypt certificates are valid for 90 days (about three months), so for renewal the procedure is: stop the HTTPS nginx, start the certificate-issuing nginx, run the renewal, then stop the issuing nginx and start the HTTPS nginx again (restarting it is also what makes nginx load the renewed certificate).
- Docker images needed
docker pull nginx
docker pull certbot/certbot
- nginx config for obtaining the certificate: letsencrypt-nginx.conf
server {
    listen 80;
    server_name ooxxooxx.com;

    # ACME HTTP-01 challenge files. certbot writes them into this webroot,
    # which is mounted from the same host directory it gets as --webroot-path.
    # ^~ is a prefix match that also wins over any regex locations.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /usr/share/nginx/html;
    }

    root /usr/share/nginx/html;
    index index.html;
}
- File index.html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>Let's Encrypt First Time Cert Issue Site</title>
</head>
<body>
<h1>Oh, hai there!</h1>
<p>
This is the temporary site that will only be used for the very first time SSL certificates are issued by Let's Encrypt's
certbot.
</p>
</body>
</html>
- Start the certificate-issuing nginx
docker run --network host --rm --name nginx-letsencrypt \
-v /root/docker/nginx/volumes/letsencrypt-nginx.conf:/etc/nginx/conf.d/default.conf \
-v /root/docker/nginx/volumes/letsencrypt/html:/usr/share/nginx/html \
-d nginx
- Request the certificate. Let's Encrypt enforces rate limits on issuance, so test the command against the staging environment first and run the production command only after the test succeeds: with --staging the command is the test, without --staging it is the real request. Two caveats: --register-unsafely-without-email means Let's Encrypt cannot send you expiry warnings, so you must track renewal yourself (pass -m you@example.com instead if you want the notices); and the staging certificate is stored in the same /etc/letsencrypt tree, so when you rerun without --staging certbot will notice the existing certificate for the name and ask whether to replace it, which you should confirm.
docker run -it --rm \
-v /root/docker/nginx/volumes/letsencrypt/etc/letsencrypt:/etc/letsencrypt \
-v /root/docker/nginx/volumes/letsencrypt/var/lib/letsencrypt:/var/lib/letsencrypt \
-v /root/docker/nginx/volumes/letsencrypt/var/log/letsencrypt:/var/log/letsencrypt \
-v /root/docker/nginx/volumes/letsencrypt/html:/data/letsencrypt \
certbot/certbot \
certonly --webroot \
--register-unsafely-without-email --agree-tos \
--webroot-path=/data/letsencrypt \
--staging \
-d ooxxooxx.com
Check the command's output to see whether a certificate was issued. On success, fullchain.pem and privkey.pem appear on the host under /root/docker/nginx/volumes/letsencrypt/etc/letsencrypt/live/ooxxooxx.com/ (as symlinks into the archive/ directory next to it). privkey.pem is the site's private key; certbot creates these directories as root-only, and they should stay that way.
- nginx config for HTTPS: https-nginx.conf
server {
    # TLS is enabled on the listen directive; the old "ssl on;" directive is
    # deprecated and rejected by recent nginx versions.
    listen 443 ssl;
    server_name ooxxooxx.com;

    # live/ holds symlinks into archive/, both inside the mounted /etc/letsencrypt
    ssl_certificate /etc/letsencrypt/live/ooxxooxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ooxxooxx.com/privkey.pem;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
- Start the HTTPS nginx
docker run --network host --rm --name nginx-https \
-v /root/docker/nginx/volumes/https-nginx.conf:/etc/nginx/conf.d/default.conf \
-v /root/docker/nginx/volumes/letsencrypt/etc/letsencrypt:/etc/letsencrypt \
-d nginx
- Renew the certificate. As described at the top, the issuing nginx must be listening on port 80 when this runs (stop nginx-https, start nginx-letsencrypt), and nginx-https must be started again afterwards: nginx does not notice changed certificate files on its own, so the restart is what puts the renewed certificate into service.
docker run --rm -it --name certbot \
-v /root/docker/nginx/volumes/letsencrypt/etc/letsencrypt:/etc/letsencrypt \
-v /root/docker/nginx/volumes/letsencrypt/var/lib/letsencrypt:/var/lib/letsencrypt \
-v /root/docker/nginx/volumes/letsencrypt/var/log/letsencrypt:/var/log/letsencrypt \
-v /root/docker/nginx/volumes/letsencrypt/html:/data/letsencrypt \
certbot/certbot renew --webroot -w /data/letsencrypt
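The stop/start switching between the two containers is only needed because each config listens on one port. As an added example, not part of the original post, the single nginx config below serves the ACME challenge on port 80, redirects every other plain-HTTP request to HTTPS, and serves the site on 443, so `certbot renew` can run while the site stays up; afterwards `docker exec nginx-https nginx -s reload` makes nginx load the renewed certificate without downtime. It assumes the same domain, container paths and host directories used throughout this post, and additionally restricts the offered protocol versions to TLS 1.2 and 1.3 (an assumption about what the site's clients support).

```nginx
# Combined config: challenge + redirect on :80, site on :443.
# Mount it as /etc/nginx/conf.d/default.conf, with
#   /root/docker/nginx/volumes/letsencrypt/html  -> /usr/share/nginx/html
#   /root/docker/nginx/volumes/letsencrypt/etc/letsencrypt -> /etc/letsencrypt
server {
    listen 80;
    server_name ooxxooxx.com;

    # Let's Encrypt validates over plain HTTP; this path must never redirect.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /usr/share/nginx/html;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name ooxxooxx.com;

    ssl_certificate     /etc/letsencrypt/live/ooxxooxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ooxxooxx.com/privkey.pem;

    # Assumed hardening: do not offer TLS 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
```

With this config the renewal command from the previous step can be run on a schedule (for example from cron) against the live site, followed by `docker exec nginx-https nginx -s reload`; the reload re-reads the certificate files, which is the step a plain `certbot renew` does not do for you.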