菜鸟笔记
提升您的技术认知

Certbot 自动申请并续订阿里云 DNS 免费泛域名证书

Certbot 支持自动申请 LetsEncrypt 的泛域名证书,但是官方插件不支持阿里云,在 GitHub 搜索发现已经有人写好了阿里云 DNS 插件,下面只需要进行简单的配置即可免费申请一个泛域名证书并自动续订。

安装 Certbot 和 certbot-dns-aliyun

本文基于 CentOS 7

首先安装 Python 3

yum install -y python36

创建并激活虚拟环境

mkdir -p /mnt/certbot
cd /mnt/certbot
python3 -m venv venv
source venv/bin/activate

安装 Certbot 和 certbot-dns-aliyun

pip install certbot certbot-nginx certbot-dns-aliyun

申请并配置阿里云 DNS 访问密钥

前往 ram.console.aliyun.com 申请阿里云子账号并授予 AliyunDNSFullAccess 权限。然后为子账号创建 AccessKey 并记录。
创建 certbot-dns-aliyun 配置文件:

cat > /mnt/certbot/credentials.ini <<EOF
certbot_dns_aliyun:dns_aliyun_access_key = 12345678
certbot_dns_aliyun:dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef
EOF

修改文件权限

chmod 600 /mnt/certbot/credentials.ini

申请证书

/mnt/certbot/venv/bin/certbot certonly \
-a certbot-dns-aliyun:dns-aliyun \
--certbot-dns-aliyun:dns-aliyun-credentials /mnt/certbot/credentials.ini \
-d yourdomain.com \
-d "*.yourdomain.com"

配置自动续订:

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /mnt/certbot/venv/bin/certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

配置 nginx

cat > /etc/nginx/conf.d/nginx.header <<EOF
listen 80;
listen 443 ssl;
if ($scheme != https) {
    rewrite ^/(.*) https://$server_name/$1 permanent;
} 
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
EOF
cat > /etc/nginx/conf.d/yourdomain.com.conf <<EOF
server {
    server_name  yourdomain.com;
    include      /etc/nginx/conf.d/nginx.header;

    location / {
        proxy_set_header  Host $host;  
        proxy_set_header  X-Real-IP $remote_addr;  
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;  
        proxy_set_header  X-Forwarded-Proto $scheme;  

        proxy_pass http://127.0.0.1:8080;
    }
}
EOF