
A Guide to Automatically Generating and Renewing SSL Certificates for Nginx with Certbot


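To generate SSL certificates automatically with Certbot and renew them automatically, you first need to install Certbot and its Nginx plugin. The following shows how to install Certbot on common Linux distributions: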

Ubuntu/Debian:

sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx

CentOS/RHEL:

sudo yum install epel-release
sudo yum install certbot python3-certbot-nginx
sudo yum install certbot python-certbot-nginx

Fedora:

sudo dnf install certbot python3-certbot-nginx

Once installation is complete, you can generate an SSL certificate for Nginx automatically with the following command:

sudo certbot --nginx --cert-name yourdomain_com_$(date +"%Y%m%d%H%M%S") -d yourdomain.com -d www.yourdomain.com

Replace yourdomain.com and www.yourdomain.com with your actual domain names. Certbot will automatically configure Nginx to use the generated certificate.

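The certificate expires after 90 days, so we need to set up automatic renewal. Certbot includes a command, certbot renew, that checks whether certificates need to be renewed and renews them automatically if so. To set up automatic renewal, we will create a scheduled task (cron job).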

Creating the cron job on Ubuntu/Debian:

Open the cron configuration file:

sudo EDITOR=vim crontab -e
sudo crontab -e

Add the following line at the end of the file:

0 0,12 * * * /usr/bin/certbot renew --quiet

This runs the certbot renew command twice a day (every 12 hours).

Creating the cron job on CentOS/RHEL/Fedora:

Create a new cron job file:

sudo nano /etc/cron.d/certbot-renew

Paste the following into the file:

0 0,12 * * * root /usr/bin/certbot renew --quiet

Save and close the file. This runs the certbot renew command twice a day (every 12 hours).

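You have now configured an automatically generated SSL certificate for Nginx and set up automatic renewal. Certbot will make sure your certificates are renewed automatically before they expire.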
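
The cron entries above run certbot renew with --quiet, so a failing renewal produces no output. As an added example (not part of the original page), the following shell function reads the text printed by certbot certificates and lists the lineages that should already have been renewed; the function names, the sample output and the 25-day threshold are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): list certificate lineages that
# the cron job should already have renewed, from `certbot certificates` text.

# overdue_certs [MIN_DAYS]: reads `certbot certificates` output on stdin and
# prints "<cert-name> <days-left|INVALID>" for every lineage below MIN_DAYS.
# MIN_DAYS defaults to 25 (an assumption): certbot's default is to renew once
# fewer than 30 days remain, so a lower value means renewals are failing.
overdue_certs() {
    awk -v min="${1:-25}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /INVALID/) { print name, "INVALID"; next }
            if (match($0, /VALID: [0-9]+ day/)) {
                # Skip "VALID: " (7 chars) and drop the trailing " day" (4 chars)
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                if (days < min) print name, days
            } else if ($0 ~ /VALID: [0-9]+ hour/) {
                print name, 0   # less than one day left
            }
        }'
}

# Constructed sample of `certbot certificates` output (not real data). The
# names follow the timestamped --cert-name pattern used in this guide.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: yourdomain_com_20240105101500
    Domains: yourdomain.com www.yourdomain.com
    Expiry Date: 2024-04-04 09:15:00+00:00 (VALID: 62 days)
  Certificate Name: yourdomain_com_20231116080000
    Domains: yourdomain.com www.yourdomain.com
    Expiry Date: 2024-02-14 07:00:00+00:00 (VALID: 12 days)
  Certificate Name: yourdomain_com_20230901080000
    Domains: yourdomain.com
    Expiry Date: 2023-11-30 07:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Real use (as root): certbot certificates 2>/dev/null | overdue_certs
sample_output | overdue_certs
```

Any line this prints is a certificate the twice-daily job failed to renew in time; running sudo certbot renew without --quiet then shows the reason.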

Troubleshooting:
1. Error message

root@iZ2ze2p3ogjy0d5do2bgddZ:~# sudo certbot --nginx -d xxx.com
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests_toolbelt/_compat.py", line 48, in <module>
    from requests.packages.urllib3.contrib import appengine as gaecontrib
ImportError: cannot import name 'appengine' from 'requests.packages.urllib3.contrib' (/usr/local/lib/python3.10/dist-packages/urllib3/contrib/__init__.py)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
  File "/usr/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/lib/python3.10/importlib/metadata/__init__.py", line 171, in load
    module = import_module(match.group('module'))
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 28, in <module>
    from certbot._internal import account
  File "/usr/lib/python3/dist-packages/certbot/_internal/account.py", line 19, in <module>
    from acme.client import ClientBase  # pylint: disable=unused-import
  File "/usr/lib/python3/dist-packages/acme/client.py", line 34, in <module>
    from requests_toolbelt.adapters.source import SourceAddressAdapter
  File "/usr/lib/python3/dist-packages/requests_toolbelt/__init__.py", line 12, in <module>
    from .adapters import SSLAdapter, SourceAddressAdapter
  File "/usr/lib/python3/dist-packages/requests_toolbelt/adapters/__init__.py", line 12, in <module>
    from .ssl import SSLAdapter
  File "/usr/lib/python3/dist-packages/requests_toolbelt/adapters/ssl.py", line 16, in <module>
    from .._compat import poolmanager
  File "/usr/lib/python3/dist-packages/requests_toolbelt/_compat.py", line 50, in <module>
    from urllib3.contrib import appengine as gaecontrib
ImportError: cannot import name 'appengine' from 'urllib3.contrib' (/usr/local/lib/python3.10/dist-packages/urllib3/contrib/__init__.py)

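The traceback shows the system-packaged requests_toolbelt (under /usr/lib/python3/dist-packages) failing to import appengine from a urllib3 installed under /usr/local/lib/python3.10/dist-packages. Upgrade your kfp library to the latest version with the following command: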

pip install --upgrade kfp