Let's Encrypt: A Hands-on Let's Encrypt Case Study
Published: 2026-04-21 14:01
1. Introduction
Anyone who has done it knows: installing HTTPS certificates for customers with Let's Encrypt is great because it is free, but manual renewal that is not properly coordinated with a scheduled task is a trap. This post goes through how to automate the whole thing with certbot and avoid the path-permission and nginx-reload mines stepped on over the years.
2. Procedure
Step 1: confirm the server environment and DNS resolution
# Check the OS version first; Ubuntu and CentOS commands differ slightly
Ubuntu/Debian:
cat /etc/os-release
NAME="Ubuntu"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
# Check whether the domain's DNS record has taken effect
nslookup yourdomain.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: yourdomain.com
Address: 192.168.1.100 # this should show your server's public IP
Expected result: the domain resolves to the correct IP, and ports 80/443 are open in the firewall
Step 2: install certbot
# Ubuntu 22.04+
sudo apt update && sudo apt install certbot python3-certbot-nginx -y
# CentOS/RHEL 8+
sudo dnf install certbot python3-certbot-nginx -y
# Verify the installation
certbot --version
certbot 1.21.0
Expected result: the certbot command is available with no errors
Step 3: stop the web server to free port 80
# Nginx
sudo systemctl stop nginx
# Apache (common on CentOS/RHEL)
sudo systemctl stop httpd
# Confirm the port has been released
sudo ss -tlnp | grep -E ':80|:443'
# There should be no output now; port 80 is free
Expected result: port 80 is free; certbot needs it for HTTP-01 validation
Step 4: request the certificate (single domain)
sudo certbot certonly --standalone \
  --preferred-challenges http-01 \
  --http-01-port 80 \
  -d yourdomain.com \
  -d www.yourdomain.com
# On the first run you are asked for an email address used for expiry notices
Enter email address used for urgent renewal and security notices: admin@yourdomain.com
# Accept the terms
Please read the Terms of Service at:
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf
(A)gree/(C)ancel: A
# Share your email address? N is fine
Would you be willing to share your email address with the Electronic Frontier Foundation?
(Y)es/(N)o: N
# Success output
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/yourdomain.com/privkey.pem
This certificate expires on 2024-04-15.
Step 5: configure nginx to use the certificate
# CentOS/RHEL path: /etc/nginx/conf.d/; Ubuntu path: /etc/nginx/sites-available/default
sudo vi /etc/nginx/conf.d/yourdomain.com.conf
# Write the following configuration (replace the template placeholders with your own values)
server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    root /var/www/html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
# Check the configuration syntax first, so a typo does not take nginx down on restart
sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Restart nginx (it was stopped in step 3) so it starts listening on 443
sudo systemctl restart nginx
Expected result: the nginx configuration takes effect and port 443 is listening
Step 6: set up the automatic renewal timer
# certbot installs a systemd timer by default; check its status first
sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting)
# If it is not enabled, run
sudo systemctl enable --now certbot.timer
# Test renewal manually (a dry-run does not actually modify the certificate)
sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/yourdomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The certificate for yourdomain.com is not due for renewal!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Expected result: the timer is running, and the dry-run confirms the renewal logic works
Step 7: configure the reload mechanism (the key step!)
# Edit the renewal config file and add a reload hook
sudo vi /etc/letsencrypt/renewal/yourdomain.com.conf
# Add under the [renewalparams] section (note the path differences between distributions)
# Ubuntu/Debian
post_hook = systemctl reload nginx
# CentOS/RHEL
post_hook = /usr/sbin/nginx -s reload
# Verify again
sudo certbot renew --dry-run
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /usr/sbin/nginx -s reload
Hook command completed successfully.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Expected result: the post-hook runs successfully, so the web server reloads its configuration automatically after each certificate renewal
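As an added example (not from the original post), here is a hardened variant of the reload step: a certbot deploy hook that refuses to reload when nginx -t fails and logs each outcome, so a broken config never turns a successful renewal into an outage. It uses certbot's /etc/letsencrypt/renewal-hooks/deploy/ directory, whose scripts run only for certificates that were actually renewed, and the RENEWED_LINEAGE variable certbot exports to deploy hooks; the script path, the log path and the NGINX_BIN override are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook that reloads nginx only if its config still passes nginx -t.
# Assumed install path (hypothetical): /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
# Certbot runs every script in renewal-hooks/deploy/ once per certificate that was actually
# renewed, and exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) to it.

log() {
    # Assumed log location; HOOK_LOG overrides it (e.g. for testing or a different layout)
    printf '%s %s\n' "$(date '+%F %T')" "$*" >> "${HOOK_LOG:-/var/log/letsencrypt/reload-hook.log}"
}

reload_if_valid() {
    # NGINX_BIN absorbs the CentOS/RHEL vs Debian path difference without editing the script
    nginx_bin="${NGINX_BIN:-/usr/sbin/nginx}"
    lineage="${RENEWED_LINEAGE:-unknown-lineage}"

    # Never reload a broken config: the running workers keep serving with the old,
    # still-valid certificate, and the failure is written to the log instead of lost.
    if ! "$nginx_bin" -t >/dev/null 2>&1; then
        log "ERROR: nginx -t failed after renewing $lineage; NOT reloading"
        return 1
    fi

    if "$nginx_bin" -s reload; then
        log "OK: reloaded nginx after renewing $lineage"
        return 0
    fi

    log "ERROR: nginx -s reload failed after renewing $lineage"
    return 2
}

# Only act when invoked by certbot (RENEWED_LINEAGE set); sourcing the file elsewhere does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_if_valid
fi
```

Install it with mode 0755 and run `sudo certbot renew --dry-run` as in step 7; the dry-run also exercises deploy hooks, and the log then shows which branch was taken.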
3. FAQ
Q1: requesting the certificate fails with "Failed authorization procedure" (domain validation failed)
Mate, 99% of the time this is down to the firewall or DNS not being ready. Test with curl first:
# Simulate the validation request locally
curl http://yourdomain.com/.well-known/acme-challenge/test
# A 404 means the nginx configuration is wrong or the directory was not created
# If it cannot connect at all, check whether the cloud provider's security group allows port 80
Another pitfall: some cloud providers place special restrictions on port 80; switching to tls-alpn-01 validation on port 443 is more reliable.
Q2: the certificate renewed successfully, but the site still shows an expired certificate
This means the reload hook is missing or misconfigured. Troubleshooting steps:
# 1. Confirm the renewal config contains post_hook
grep -A5 "\[renewalparams\]" /etc/letsencrypt/renewal/yourdomain.com.conf
# 2. Check whether nginx needs a graceful reload
sudo nginx -s reload   # use -s reload, not restart
# or
sudo systemctl reload nginx
# 3. Check the letsencrypt log for reload errors
sudo tail -50 /var/log/letsencrypt/letsencrypt.log | grep -i reload
Key point: reload is not restart. A reload does not drop connections; a restart causes a brief service interruption.
Q3: how do I request multi-domain and wildcard certificates?
# Wildcard certificates require DNS-01 validation, which needs a DNS provider with an API
# Cloudflare as the example
sudo certbot certonly \
  --manual \
  --preferred-challenges dns-01 \
  --server https://acme-v02.api.letsencrypt.org/directory \
  -d "yourdomain.com" \
  -d "*.yourdomain.com"
# You will be prompted to add a DNS TXT record
Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.com with the following value:
xBjHJ3d8F3kF9j9kJ2lLmN5oP6qR7sT8uV9wX0yZ1
# Add it and wait for it to propagate (can take 5-30 minutes)
nslookup -type=TXT _acme-challenge.yourdomain.com 8.8.8.8
The hard part of automating wildcard certificates is managing DNS API permissions; for small teams, a single-domain certificate plus a wildcard DNS record pointing at an SLB is less hassle.
Q4: when migrating from an old server, how do I back up and restore the certificates?
# Back up the complete certificate directories
sudo tar -czvf letsencrypt-backup-$(date +%Y%m%d).tar.gz \
  /etc/letsencrypt \
  /var/lib/letsencrypt
# Restore after moving to the new server
sudo tar -xzvf letsencrypt-backup-20240315.tar.gz -C /
# Regenerate the symlinks (optional; usually handled automatically)
sudo certbot certificates
Note: the new server should ideally run the same certbot version to avoid permission problems. When backing up, don't forget the /var/lib/letsencrypt directory.
4. Summary
Key points: