【Goal】
Access the subdomains of infuq.com over HTTPS
【Setup】
1. One Alibaba Cloud ECS server (CentOS 7) with Nginx deployed
2. DNS resolution for the domain is managed in Tencent Cloud DNSPod
【Approach】
Use the certbot tool together with the certbot-dns-tencentcloud plugin: the dns-01 challenge is answered by creating TXT records through the DNSPod API, which is the only challenge type that can issue a wildcard certificate
【Procedure】
1. Log in to Tencent Cloud with the main account and create a sub-user from it
2. Grant the sub-user its permissions (4 permissions). Keep these limited to the DNSPod record operations certbot needs: the key created next is stored as plain text on the certbot host, so a DNSPod-scoped sub-user bounds the damage if it leaks
3. Create an API key for the sub-user and record its SecretId and SecretKey
4. Temporarily stop Nginx (i.e. whatever service is holding ports 80 and 443). Note that the certificate is requested below with the dns-01 challenge, which is validated purely through DNS TXT records, so ports 80 and 443 are never used for issuance; this step is a precaution and can be skipped, and Nginx does not need to go down at renewal time either
5. A Python 3.10 environment is needed; here a Docker Python 3.10 image is used directly:
docker pull registry.cn-hangzhou.aliyuncs.com/infuq/python:3.10
(This is the author's own image on an Alibaba Cloud registry; the commands below assume a CentOS 7 based image with yum and pip3 available)
6. Start the container, enter it, and run the following commands in order. Bind-mount /etc/letsencrypt from the host into the container, otherwise the ACME account key, the renewal configuration and the issued certificate are lost when the container is removed
6.1
sh-4.2# yum install -y epel-release
6.2
sh-4.2# pip3 install --upgrade pip
6.3
sh-4.2# pip3 install setuptools_rust
6.4
sh-4.2# pip3 install certbot
6.5
sh-4.2# certbot --version // verify that certbot installed correctly
certbot 5.2.2
6.6
sh-4.2# pip3 install certbot-dns-tencentcloud
6.7
sh-4.2# certbot plugins // verify that the dns-tencentcloud plugin is installed (it should be listed with the Authenticator interface)
6.8
sh-4.2# mkdir -p /etc/letsencrypt/tencentcloud
6.9
sh-4.2# tee /etc/letsencrypt/tencentcloud/credentials.ini <<EOF
> dns_tencentcloud_secret_id = <your Tencent Cloud SecretId>
> dns_tencentcloud_secret_key = <your Tencent Cloud SecretKey>
> EOF
6.10
sh-4.2# chmod 600 /etc/letsencrypt/tencentcloud/credentials.ini
6.11
sh-4.2# pip3 install --upgrade certifi
6.12
sh-4.2# export SSL_CERT_FILE=$(python -c "import certifi; print(certifi.where())")
6.13
sh-4.2# export REQUESTS_CA_BUNDLE=$SSL_CERT_FILE
6.14
sh-4.2# which certbot // show the absolute path of the certbot command
/usr/local/bin/python3.10/bin/certbot
6.15 Request the certificate (the apex infuq.com plus the wildcard *.infuq.com; -a dns-tencentcloud selects the DNSPod authenticator, and the wildcard name requires the dns-01 challenge)
sh-4.2# /usr/local/bin/python3.10/bin/certbot certonly \
-d "infuq.com" -d "*.infuq.com" \
-a dns-tencentcloud \
--dns-tencentcloud-credentials /etc/letsencrypt/tencentcloud/credentials.ini \
--dns-tencentcloud-propagation-seconds 60 \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos --non-interactive --preferred-challenges dns-01
Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for infuq.com and *.infuq.com
Waiting 60 seconds for DNS changes to propagate
Encountered exception during recovery: certbot_dns_tencentcloud.certbot_tencentcloud_plugins.APIException: {'Code': 'InvalidParameter.RecordIdInvalid', 'Message': '記錄編號(hào)錯(cuò)誤。'}
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/infuq.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/infuq.com/privkey.pem
This certificate expires on 2026-03-29.
These files will be updated when the certificate renews.
The APIException in the output (the message '記錄編號(hào)錯(cuò)誤。' means "invalid record ID") is raised while certbot removes the _acme-challenge TXT records it created for validation; certbot reports failures in that cleanup phase as "exception during recovery". Validation had already succeeded and the certificate was issued, but check the _acme-challenge TXT records for infuq.com in the DNSPod console and delete any that were left behind.
7. Copy the generated fullchain.pem and privkey.pem to the ECS server running Nginx and set ssl_certificate and ssl_certificate_key in the Nginx configuration. Two things to watch when copying: the files under /etc/letsencrypt/live/ are symlinks into /etc/letsencrypt/archive/, so copy the targets rather than the links (cp -L, or scp, which reads through them), and privkey.pem should stay readable by its owner only (mode 600). Because the files are copied out by hand, a later certbot renew will not update Nginx on its own; the certificate is valid for 90 days, so the renewal and the copy need to be automated. The wildcard covers any single-label subdomain such as fmt.infuq.com, so every such server block can point at the same two files
server {
    charset utf-8;
    listen 443 ssl;
    server_name fmt.infuq.com;
    ssl_certificate /root/letsencrypt/fullchain.pem;
    ssl_certificate_key /root/letsencrypt/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # other directives
}
server {
    charset utf-8;
    listen 80;
    server_name fmt.infuq.com;
    # http://fmt.infuq.com/ -> https://fmt.infuq.com/
    return 301 https://$host$request_uri;
}
8. Check the configuration with nginx -t, then restart Nginx
9. Open https://fmt.infuq.com in a browser: the page loads over HTTPS with a certificate the browser trusts
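The procedure above ends with a manual copy, so it has to be repeated every 90 days. The following script is an added example and is not part of the original post: it runs certbot renew from the certbot container, pushes the renewed files to the Nginx host through a deploy hook, and prints the names and expiry of the certificate Nginx really serves. It also encodes the wildcard matching rule the setup relies on (a wildcard covers exactly one label, so *.infuq.com covers fmt.infuq.com but not infuq.com or a.b.infuq.com). The SSH alias nginx-ecs, the remote directory /root/letsencrypt, and the assumption that the script runs inside the certbot container with /etc/letsencrypt persisted are all assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): renew the wildcard certificate from
# the certbot container, push it to the Nginx ECS host and verify what is served.
# Assumptions: this runs in the certbot container with /etc/letsencrypt persisted,
# the ECS host is reachable as the SSH alias "nginx-ecs", and Nginx reads the
# files from /root/letsencrypt as in the configuration above.
set -eu

CREDS=/etc/letsencrypt/tencentcloud/credentials.ini
LINEAGE=/etc/letsencrypt/live/infuq.com
NGINX_HOST=nginx-ecs          # assumed SSH alias for the ECS server
REMOTE_DIR=/root/letsencrypt  # matches the ssl_certificate paths in nginx.conf
SITE=fmt.infuq.com

# Return 0 only if the DNSPod key file is readable by its owner alone (0600 or 0400).
check_creds_mode() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Return 0 if a certificate name (subject alternative name) covers a host.
# A wildcard matches exactly one DNS label: *.infuq.com covers fmt.infuq.com
# but neither infuq.com itself nor a.b.infuq.com.
name_covers_host() {
  san=$1
  host=$2
  case "$san" in
    \*.*) [ "$host" = "${host%%.*}.${san#\*.}" ] ;;
    *)    [ "$san" = "$host" ] ;;
  esac
}

# Deploy hook that "certbot renew" runs once after a successful renewal; certbot
# exports RENEWED_LINEAGE, the live/ directory of the certificate just renewed.
deploy() {
  src=${RENEWED_LINEAGE:-$LINEAGE}
  # scp reads through the live/ symlinks, so the current archive/ files are sent.
  scp -p "$src/fullchain.pem" "$src/privkey.pem" "$NGINX_HOST:$REMOTE_DIR/"
  ssh "$NGINX_HOST" "chmod 600 $REMOTE_DIR/privkey.pem && nginx -t && nginx -s reload"
}

# Renewal entry point. certbot only renews within 30 days of expiry, so this is
# safe to run daily from cron; the plugin and credentials come from the renewal
# configuration certbot wrote under /etc/letsencrypt/renewal/ at issuance.
renew() {
  check_creds_mode "$CREDS" || { echo "refusing to run: $CREDS must be mode 600" >&2; return 1; }
  certbot renew --deploy-hook "sh $0 deploy"
}

# Show the names and expiry of the certificate Nginx actually serves for SITE.
verify() {
  openssl s_client -servername "$SITE" -connect "$SITE:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -text \
    | grep -E 'Not After|DNS:'
}

case "${1:-}" in
  renew)  renew ;;
  deploy) deploy ;;
  verify) verify ;;
  *)      echo "usage: $0 renew|deploy|verify" >&2 ;;
esac
```

Run it as sh renew.sh renew from a daily cron entry inside the container; certbot calls back into the same file with the deploy argument only when a certificate was actually renewed, and sh renew.sh verify from any machine shows the SAN list and Not After date of the certificate fmt.infuq.com presents, which is the check step 9 leaves to the browser.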