
Deploying automatic SSL renewal on an Nginx server: a full Certbot walkthrough

This article walks through deploying a Let's Encrypt SSL certificate with Certbot on an Nginx server running Linux (CentOS/Ubuntu) and configuring automatic renewal, covering dependency installation, virtual environment setup and the scheduled task. It can be followed with no prior experience.


Installing Certbot

Deploying automatic renewal on the nginx server:

1. First, make sure Python 3.6+ is present on the Linux system.

2. Install the dependencies:

For the CentOS / Red Hat family:

sudo dnf install python3 python-devel augeas-devel gcc

Older systems use this command instead:

sudo yum install python3 python-devel augeas-devel gcc

Output like the following in the terminal means the installation succeeded:

Installed:
augeas-devel.x86_64 0:1.4.0-10.el7

Dependency Installed:
libxml2-devel.x86_64 0:2.9.1-6.el7_9.6    xz-devel.x86_64 0:5.2.2-2.el7_9

Dependency Updated:
augeas-libs.x86_64 0:1.4.0-10.el7   libxml2.x86_64 0:2.9.1-6.el7_9.6   libxml2-python.x86_64 0:2.9.1-6.el7_9.6   xz.x86_64 0:5.2.2-2.el7_9
xz-libs.i686 0:5.2.2-2.el7_9        xz-libs.x86_64 0:5.2.2-2.el7_9

For the Ubuntu / Debian family:

sudo apt update
sudo apt install python3 python3-dev python3-venv libaugeas-dev gcc

3. Before installing certbot, make sure no other certbot package is installed.

On the Red Hat / CentOS family, run:

sudo dnf remove certbot
Older systems use this command:
sudo yum remove certbot

On the Ubuntu / Debian family, run:

sudo apt-get remove certbot

4. Set up a Python virtual environment to run certbot in

Run the following in a terminal to set up the virtual environment (I put it under /opt/; any other location works too)

sudo python3 -m venv /opt/certbot/
cd /opt/certbot
# `source` is a shell builtin, so `sudo source bin/activate` fails; activate in the current shell instead
source bin/activate
# ((certbot)) watch the prompt change
# call the venv's pip by absolute path: sudo resets PATH, so a bare `sudo pip` would hit the system pip
sudo /opt/certbot/bin/pip install --upgrade pip

5. Install certbot:

# ((certbot)) confirm the prompt first; again use the venv's pip by absolute path
sudo /opt/certbot/bin/pip install certbot certbot-nginx

* Output containing something like the following means the installation succeeded:

Successfully installed ConfigArgParse-1.7.1 PyOpenSSL-25.1.0

6. Make certbot a regular command, so the absolute path is not needed every time:

sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

7. Certbot can run in two modes (configure nginx automatically, or configure nginx by hand):

# configure nginx automatically
sudo certbot --nginx

# obtain the certificate only; configure nginx by hand
sudo certbot certonly --nginx

* If nginx was compiled by hand into a custom path, the nginx install path has to be given explicitly; otherwise you get this error:

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary.
Ensure nginx exists, the binary is executable, and your PATH is set correctly.")

Fix: specify the nginx paths
--nginx-server-root NGINX_SERVER_ROOT
Nginx server root directory. (default: /etc/nginx)
--nginx-ctl NGINX_CTL
Path to the 'nginx' binary, used for 'configtest' and retrieving nginx version number. (default: nginx)

* Recommended: use automatic mode with the paths passed in (this fixes the error):

certbot --nginx --nginx-ctl="/opt/nginx/sbin/nginx" --nginx-server-root="/opt/nginx/conf"

* Then follow the prompts. For my part, I just charged straight through in one go!

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address or hit Enter to skip.
(Enter 'c' to cancel): ****@****.com          # enter your e-mail address here to receive notices

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at:
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y       # enter y to agree and register

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y       # enter y again to agree and register the account
Account registered.

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ******.com             # the domains found in the config files are listed here with their numbers, separated by commas
2: *****.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2   # enter the numbers of the domains to enable SSL for
Requesting a certificate for *****.com and ********.*****.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/******.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/*****.com/privkey.pem
This certificate expires on 2025-11-04.
These files will be updated when the certificate renews.

Deploying certificate
Successfully deployed certificate for ***.com to /opt/nginx/vhosts.d/*****_https.conf
Successfully deployed certificate for www.****.com to /opt/nginx/vhosts.d/*****_https.conf
Congratulations! You have successfully enabled HTTPS on https://*****.com and https://www.***.com

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
* Donating to EFF:                    https://eff.org/donate-le            # done in one go, mastery achieved
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

8. Set up a scheduled task for automatic certbot renewal. The line below runs every 7 days; certbot checks how close the certificate is to expiry and only renews once it is due, otherwise it just takes a look and exits. Running it daily is better, in case the certificate expires inside that 7-day gap.

0 3 */7 * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q

# or once a day
0 3 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q
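As an added example that is not part of the original post, here is a small POSIX sh helper that reads the "This certificate expires on …" line certbot printed above and reports how many days remain and whether the 30-day window in which `certbot renew` actually renews has been reached; the sample output and the two "today" dates are constructed for the demo.

```shell
#!/bin/sh
# Added helper (not from the original post): decide whether a certificate is inside
# certbot's default 30-day renewal window, from the expiry date certbot printed.
# Pure shell arithmetic is used for the date math so the script behaves the same on
# GNU and BSD systems (no dependence on `date -d`).

# Constructed sample of the certbot output shown earlier in the post.
SAMPLE_OUTPUT='Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
This certificate expires on 2025-11-04.
These files will be updated when the certificate renews.'

# days_from_civil YYYY-MM-DD -> days since 1970-01-01 (Gregorian calendar)
days_from_civil() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}          # strip a leading zero so "08"/"09" are not parsed as octal
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400))
    yoe=$((y - era * 400))
    mp=$(( m > 2 ? m - 3 : m + 9 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# Read the "This certificate expires on YYYY-MM-DD." line from certbot output on stdin.
expiry_from_output() {
    sed -n 's/.*This certificate expires on \([0-9-]*\)\..*/\1/p' | head -n 1
}

# days_left EXPIRY TODAY -> whole days remaining (negative once expired)
days_left() {
    echo $(( $(days_from_civil "$1") - $(days_from_civil "$2") ))
}

# renewal_due EXPIRY TODAY -> success when within the 30 days certbot renew acts on
renewal_due() {
    [ "$(days_left "$1" "$2")" -le 30 ]
}

# Demo on the constructed sample with fixed "today" dates so the run is reproducible.
expiry=$(printf '%s\n' "$SAMPLE_OUTPUT" | expiry_from_output)
for today in 2025-08-06 2025-10-10; do
    if renewal_due "$expiry" "$today"; then
        echo "$today: $(days_left "$expiry" "$today") days left, certbot renew would renew"
    else
        echo "$today: $(days_left "$expiry" "$today") days left, certbot renew would do nothing"
    fi
done
```

Run it against the real output of `certbot certificates` or the letsencrypt log to confirm the cron interval in step 8 leaves the renewal window enough room.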

All done. Even though renewal is automated, keep an eye on it anyway. Why? Because idle time is idle time. Isn't it nice to spend the spare minutes daydreaming and drifting a little?


Original article from https://fgooc.com. Reproduction without permission is prohibited!
