在Ubuntu上使用Let's Encrypt配置Nginx SSL证书并自动更新

在Ubuntu上使用Let's Encrypt配置Nginx SSL证书并自动更新

绪言

这篇文章其实内容不多，难度不大，只是自己记录一下。

Arisu拷打了我几次我在阿里云上花钱购买SSL证书一事。

最近，一年将至，阿里云已经天天给我发邮件提醒我续费了。

今天下午有点时间，就干脆换成Let's Encrypt吧。

安装certbot

certbot类似一个软件，而这个软件需要使用snapd下载。所以先安装snapd。

sudo apt update
sudo apt install snapd

创建超链接

sudo ln -s /snap/bin/certbot /usr/bin/certbot

配置nginx

确认nginx已经配置成功，即至少包含：

root@2v4G:/etc/nginx/sites-available# cat xxx
server {
    listen 80;
    server_name ************ ***.***.***.***;
...

在已经配置好了nginx的情况下，直接输入：

sudo certbot --nginx

即可。

之后会提示几条协议：

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address or hit Enter to skip.
 (Enter 'c' to cancel): ************

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at:
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ************
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for ************

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/************/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/************/privkey.pem
This certificate expires on 2025-08-26.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for ************ to /etc/nginx/sites-enabled/************
Congratulations! You have successfully enabled HTTPS on https://************

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

至此说明部署成功。

自动更新

自动更新的原理：使用crontab来定时执行自动更新证书指令certbot renew --quiet。

在命令行输入：

crontab -e

然后会让你选择喜欢的文本编辑器：

no crontab for root - using an empty one

Select an editor.  To change later, run 'select-editor'.
  1. /bin/nano        <---- easiest
  2. /usr/bin/vim.basic
  3. /usr/bin/vim.tiny
  4. /bin/ed

Choose 1-4 [1]: 1                   
crontab: installing new crontab

在打开的编辑器中，加入：

0 0 1 * * /usr/bin/certbot renew --quiet

这一行命令表示，在每个月的第一天的凌晨，执行一次自动更新指令。

具体的格式：

m   h   dom  mon  dow   command
|   |    |    |    |       |
|   |    |    |    |       +---- 要执行的命令
|   |    |    |    +------------ 星期几 (0 - 6)（星期天=0）
|   |    |    +----------------- 月份 (1 - 12)
|   |    +---------------------- 日期 (1 - 31)
|   +--------------------------- 小时 (0 - 23)
+------------------------------- 分钟 (0 - 59)

手动更新证书测试

可以手动更新一次证书，测试更新证书功能是否正常：

sudo certbot renew --dry-run

我这边的输出如下：

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/************.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for ************

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/************/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

感悟

原来这玩意配置这么简单呀

阿里云的ssl我花了多少来着？100+？

似乎购买+配置的时间 > 今天下午配置+写blog的时间

有点无感——我都不知道我现在到底配置好了没有（

但是我已经吧还有25天的阿里云的ssl给删了+nginx里面也没了

应该是成功了吧（笑

参考文献

ubuntu上申请Let's Encrypt HTTPS 证书 - super_ip - 博客园

在 Ubuntu 22.04 上使用 Let‘s Encrypt 配置 Nginx SSL 证书_ubuntu let's encrypt-CSDN博客