Configuring Let's Encrypt SSL certificates for Nginx on CentOS


Method A: installing via snap (gives certbot 2.11.0)

Reference: https://www.linode.com/docs/guides/enabling-https-using-certbot-with-nginx-on-centos-7/

1-1. Install EPEL

yum install -y epel-release
yum upgrade -y

1-2. Install snapd

yum install -y snapd

1-3. Enable snapd.socket at boot

systemctl enable --now snapd.socket
systemctl start snapd.socket

1-4. Create the symlink

ln -s /var/lib/snapd/snap /snap

2-1. Install Certbot

snap install --classic certbot

The following error appears:

error: too early for operation, device not yet seeded or device model not acknowledged

Cause: SELinux prevented snapd.socket from starting successfully.

2-2. Finding a fix:

2-2-1. Check snapd.socket; as expected, it is not running

systemctl status snapd

2-2-2. Check SELinux; as expected, it is enforcing.

cat /etc/selinux/config

2-2-3. Fix:

vi /etc/selinux/config

SELINUX=disabled

Reboot for the SELinux change to take effect

reboot

3-1. Reinstall Certbot

Oddly, this time systemctl status snapd reports inactive, yet the install still succeeds.

snap install --classic certbot

2-3. Create the symlink

ln -s /snap/bin/certbot /usr/bin/certbot

3-1. Check whether it runs.

certbot --nginx

It returns the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.")

Cause: nginx.service has not been installed yet.

4-1. Install Nginx

Reference: https://zls.bndstone.com/4806.html

yum install -y epel-release
yum install -y nginx

4-2. File locations

/usr/sbin/nginx                # executable
/etc/nginx/nginx.conf          # configuration file

4-3. Starting and stopping nginx

systemctl status nginx.service                 # check whether nginx is running
systemctl start nginx.service                  # start nginx
systemctl stop nginx.service                   # stop nginx
systemctl restart nginx.service                # restart nginx
systemctl enable nginx.service                 # start nginx at boot
systemctl disable nginx.service                # do not start nginx at boot

4-4. Edit the nginx configuration file

vi /etc/nginx/nginx.conf

Change the value after server_name to dns.bndstone.com

4-5. Check the configuration for mistakes:

nginx -t

4-6. If there are no errors, reload nginx.

systemctl reload nginx.service

5. Request the SSL certificate

certbot --nginx -d dns.bndstone.com

6. Renew the certificate

certbot --nginx certonly -d dns.bndstone.com
=====================================================
Method B: installing via certbot-nginx (gives certbot 1.11.0)

Reference: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7

1-1. Install epel-release

yum install -y epel-release

1-2. Install certbot-nginx

yum install -y certbot-nginx

2-1. Install nginx

yum install -y nginx

/usr/sbin/nginx                # executable
/etc/nginx/nginx.conf          # configuration file

2-2. Start nginx.service

systemctl status nginx.service                 # check whether nginx is running
systemctl start nginx.service                  # start nginx
systemctl stop nginx.service                   # stop nginx
systemctl restart nginx.service                # restart nginx
systemctl enable nginx.service                 # start nginx at boot
systemctl disable nginx.service                # do not start nginx at boot

2-3. Edit nginx.conf

vi /etc/nginx/nginx.conf

Change the value after server_name to dns.bndstone.com

2-4. Check the configuration for mistakes:

nginx -t

2-5. If there are no errors, reload nginx.

systemctl reload nginx.service

3. Update the firewall

firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent

4. Generate the SSL certificate

certbot --nginx -d dns.bndstone.com

The first time, you are prompted for an email address, then answer y (yes) twice, and it succeeds:

[root@a555c8490703 nginx]# certbot --nginx -d dns.bndstone.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): 271824820@qq.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for dns.bndstone.com
Performing the following challenges:
http-01 challenge for dns.bndstone.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/nginx.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://dns.bndstone.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: 271824820@qq.com).
Starting new HTTPS connection (1): supporters.eff.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/dns.bndstone.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/dns.bndstone.com/privkey.pem
   Your certificate will expire on 2024-12-06. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@a555c8490703 nginx]# find / -name '*dns.bndstone.com*'
/etc/letsencrypt/renewal/dns.bndstone.com.conf
/etc/letsencrypt/live/dns.bndstone.com                     # certificate location
/etc/letsencrypt/archive/dns.bndstone.com                  # certificate location

certificate: /etc/letsencrypt/live/dns.bndstone.com/fullchain.pem
key:  /etc/letsencrypt/live/dns.bndstone.com/privkey.pem
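
The server block that the nginx.conf edits (steps 4-4 and 2-3 above) and certbot's "Deploying Certificate" / "Redirecting all traffic on port 80" messages amount to, written out by hand as an added example rather than copied from the post or from certbot's own templates, using the certificate and key paths printed above. The web root /usr/share/nginx/html and the TLS settings are assumptions; certbot --nginx writes equivalent directives into /etc/nginx/nginx.conf itself, so this is for checking with nginx -t, not something to paste on top of certbot's output.

```nginx
# Added example (not from the original post): what the HTTPS configuration for
# dns.bndstone.com looks like once certbot has deployed the certificate.

server {
    listen 80;
    listen [::]:80;
    server_name dns.bndstone.com;

    # Plain HTTP is never served: every request is redirected to HTTPS.
    # certbot --nginx injects its own temporary challenge handling during
    # issuance and renewal, so no /.well-known location is needed here.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name dns.bndstone.com;

    # Paths printed by certbot in "IMPORTANT NOTES" above. The live/ directory
    # holds symlinks that certbot repoints on renewal, so nginx only needs a
    # reload afterwards, not a config change.
    ssl_certificate     /etc/letsencrypt/live/dns.bndstone.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dns.bndstone.com/privkey.pem;

    # Assumed hardening (certbot's own equivalent is its include file
    # /etc/letsencrypt/options-ssl-nginx.conf). TLSv1.3 only takes effect if
    # the OpenSSL that nginx is built against supports it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Tell browsers to stay on HTTPS for one year; enable only once HTTPS
    # works for the whole host, because it cannot be quickly undone.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Assumed: default web root of the CentOS nginx package.
    root /usr/share/nginx/html;
    location / {
        index index.html;
    }
}
```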

5. Renewing certificates with crontabs

yum install -y crontabs               # install crontabs

systemctl status crond.service
systemctl start crond.service
systemctl stop crond.service
systemctl enable crond.service
systemctl disable crond.service

vi /etc/crontab

6. Renew the certificate

certbot --nginx certonly -d dns.bndstone.com

renew can also be used to renew all certificates that are close to expiry:

certbot --nginx renew

7. More commands

certbot --help

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  (the certbot apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-name or --cert-path)
    delete          Delete a certificate (supply --cert-name)

manage your account:
    register        Create an ACME account
    unregister      Deactivate an ACME account
    update_account  Update an ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
  -h all                print a detailed help page including all topics
  --version             print the version number
