How to prevent ssl certificate expiration in nginx

How does nginx prevent ssl certificate expiration?

nginx configures free SSL certificates and regular certificate updates

Environment contos 6, certificate issuance Let's Encrypt

The premise for certificate generation is that the domain name is Available, that is, it has been registered and has been resolved to a specific IP by DNS

1. Install epel,

>yum install epel-release

2. Download the certbot certificate generation tool certbot-auto

>wget https://dl.eff.org/certbot-auto --no-check-certificate

3 , Installation tool dependencies

>chmod +x certbot-auto
>./certbot-auto -n

4. Generate certificate

Single domain name:

>./certbot-auto certonly --email my@163.com --agree-tos --no-eff-email --webroot -w /usr/local/nginx/html/xue/ -d www.xue37.cn

Note: Replace email, website directory and domain name

Multiple domain names:

>./certbot-auto certonly --email my@163.com --agree-tos --no-eff-email --webroot -w /usr/local/nginx/html/xue/ -d www.xue37.cn -d xue37.cn

The certificate is generated in the /etc/letsencrypt/live/www.xue37.cn/ directory (there will be a prompt message after executing the command at the specific generated address)

5. Certificate extension (because of the validity period of the certificate is 90 days)

The certbot-auto tool supports certificate extension operations, so you can use crontab scheduled tasks to automatically extend the certificate at a scheduled time

>0 3 * * * /root/certbot-auto renew --disable-hook-validation --renew-hook "/usr/local/nginx/sbin/nginx -s reload"

Perform certificate extension at 3 o'clock every day, and the crontab expression can be Baidu

Note:

You can execute it separately first:

/root/certbot-auto renew --disable-hook-validation --renew-hook "/usr/local/nginx/sbin/nginx -s reload"

I am prompted here The following certs are not due for renewal yet, which means that the certificate has not expired and there are no other errors. Therefore, in order to prevent the certificate from expiring for too long, you can set it up to perform extension operations every day

6. Add nginx certificate configuration

server
{
listen 443 ssl;
server_name www.xue37.cn;     ##这里是你的域名
ssl_certificate /etc/letsencrypt/live/www.xue37.cn/fullchain.pem;    #前面生成的证书，改一下里面的域名就行
ssl_certificate_key /etc/letsencrypt/live/www.xue37.cn/privkey.pem;   #前面生成的密钥，改一下里面的域名就行
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
access_log /data/application/logs/xue.access.log main;
location ^~ /bot {
proxy_pass http://xue-server;
include proxy-params.conf;
}
location / {
root html/xue;
index index.html index.htm;
}
location = /50x.html {
root html;
}
}

7. Set 80 port 301 to 443

Modify nginx configuration:

server
{
listen 80;
server_name localhost;
location /.well-known/ {
add_header Content-Type 'text/plain;';
root /usr/local/nginx/html/xue;
}
location / {
return 301 https://www.xue37.cn$request_uri;
}
}

Note: nginx needs to be restarted after modification:/usr/local/nginx/sbin/nginx -s reload

Note: nginx configuration needs to be processed

location ~ /\.
{
deny all;
}

Delete or comment out this configuration or add it in front of this configuration (please ignore it if there is no such configuration)

location ~ /.well-known {
allow all;
}

For more Nginx related technical articles, please visit Nginx usage tutorial column for learning!

The above is the detailed content of How to prevent ssl certificate expiration in nginx. For more information, please follow other related articles on the PHP Chinese website!