Knowledge Notes

CODE IS POETRY

Configuring Let's Encrypt certificates on CentOS 7

First, download the automatic certificate-issuance script that a fellow developer has already written. (certbot-auto has since been deprecated by the Certbot project; the flags used below work unchanged with a distribution-packaged certbot.)

SSL wildcard certificate (reference: https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au/blob/master/au.sh)

cd /usr/local/src/
wget https://github.com/certbot/certbot/archive/master.zip
unzip master.zip
git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
cd certbot-letencrypt-wildcardcertificates-alydns-au
# 0700, not 0777: this file will contain your API key and is executed by root from cron,
# so it must not be readable or writable by other local users
chmod 0700 au.sh

Go to https://console.cloud.tencent.com/cam/capi to look up your Tencent Cloud API key pair and fill it into au.sh where the script indicates. Since the script runs as root from cron and holds a credential that can modify your DNS zone, read it before trusting it with the key, and prefer a sub-account key limited to DNS operations over the root account's key. Then run:

cd /usr/local/src/certbot-master

Test run (--dry-run uses the staging server and issues no real certificate):

./certbot-auto certonly -d *.test.com -d test.com --manual --preferred-challenges dns --dry-run --manual-auth-hook "/usr/local/src/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy add" --manual-cleanup-hook "/usr/local/src/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy clean"

Real run:

./certbot-auto certonly  -d *.test.com -d test.com --manual --preferred-challenges dns  --deploy-hook  "service nginx restart" --manual-auth-hook "/usr/local/src/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy add" --manual-cleanup-hook "/usr/local/src/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy clean"
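
The commands above depend on the auth hook returning only after the `_acme-challenge` TXT record is visible; if it returns before the record has propagated, Let's Encrypt's validation fails. The wrapper below is an added example, not code from this page or from the au.sh project. It shows what certbot hands the hook (CERTBOT_DOMAIN and CERTBOT_VALIDATION; for both *.test.com and test.com the former is test.com) and polls a public resolver until the record appears before giving control back to certbot. The file name acme-dns-hook.sh, the AU_SH path, the 8.8.8.8 resolver, the 300-second ceiling, and the assumption that au.sh does not itself wait for propagation are all assumptions made for this example.

```bash
#!/bin/sh
# acme-dns-hook.sh (added example, not part of the page or of au.sh):
# wraps the page's au.sh so that the --manual-auth-hook only returns to certbot
# once the _acme-challenge TXT record is visible from a public resolver.
#
# certbot exports to the hook (real certbot behaviour):
#   CERTBOT_DOMAIN      identifier being validated; "test.com" for both
#                       "*.test.com" and "test.com"
#   CERTBOT_VALIDATION  the TXT value that must exist at _acme-challenge.$CERTBOT_DOMAIN
# The AU_SH path, resolver and wait ceiling below are assumptions for this example.
AU_SH=${AU_SH:-/usr/local/src/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh}
RESOLVER=${RESOLVER:-8.8.8.8}
DNS_WAIT_SECONDS=${DNS_WAIT_SECONDS:-300}

# Map an identifier to the TXT record name; the "*." strip is defensive only.
acme_record_name() {
    domain=${1#\*.}          # "*.test.com" -> "test.com"
    domain=${domain%.}       # tolerate a trailing dot
    printf '_acme-challenge.%s\n' "$domain"
}

# Succeed if dig +short TXT output (one quoted string per line) contains exactly $2.
# Exact-line match matters: when *.test.com and test.com are issued together,
# two different values sit at the same name and each hook run waits for its own.
txt_contains() {
    printf '%s\n' "$1" | grep -Fqx "\"$2\""
}

# Poll the resolver until the value is visible or the deadline passes.
wait_for_txt() {
    name=$1
    value=$2
    deadline=$(( $(date +%s) + DNS_WAIT_SECONDS ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if txt_contains "$(dig +short @"$RESOLVER" "$name" TXT)" "$value"; then
            return 0
        fi
        sleep 10
    done
    echo "timed out waiting for $name TXT \"$value\" at $RESOLVER" >&2
    return 1
}

main() {
    if [ -z "$CERTBOT_DOMAIN" ] || [ -z "$CERTBOT_VALIDATION" ]; then
        echo "CERTBOT_DOMAIN / CERTBOT_VALIDATION not set; certbot must invoke this hook" >&2
        exit 2
    fi
    case $1 in
        add)
            "$AU_SH" python txy add || exit 1
            wait_for_txt "$(acme_record_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
            ;;
        clean)
            "$AU_SH" python txy clean
            ;;
        *)
            echo "usage: $0 add|clean" >&2
            exit 2
            ;;
    esac
}

# Run only when executed as the hook, so the functions can be sourced and tested.
case ${0##*/} in
    acme-dns-hook.sh) main "$@" ;;
esac
```

Install it with mode 0700 next to au.sh and point certbot at it with `--manual-auth-hook "/usr/local/src/acme-dns-hook.sh add" --manual-cleanup-hook "/usr/local/src/acme-dns-hook.sh clean"`; certbot records the hooks in the certificate's renewal configuration, so `certbot-auto renew` uses the same wrapper without further flags.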

Automatic certificate renewal

Open the crontab file for editing:

crontab -e

Append the following line at the end of the file. It runs a renewal check every Sunday at 00:00 and writes the output to /home/renew.txt (overwritten on each run). certbot already saved the manual hooks from the original issuance in the renewal configuration, so repeating them here is harmless but not required:

0 0 * * 0 /usr/local/src/certbot-master/certbot-auto renew --manual --preferred-challenges dns --manual-auth-hook "/usr/local/src/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy add" --manual-cleanup-hook "/usr/local/src/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python txy clean" > /home/renew.txt 2>&1

Run crontab -l to confirm the job is installed.

With SSL configured, the final nginx configuration looks like this. Basic authentication for the Git repositories is acceptable only because port 80 redirects to HTTPS, so the credentials never travel in the clear:

server {
    listen 80;
    server_name *.test.com;
    # Redirect plain HTTP to HTTPS. Keeping the redirect in its own server block
    # (instead of a combined 80/443 block) prevents HTTPS requests from looping.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    server_name *.test.com;
    ssl_certificate "/etc/letsencrypt/live/test.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/test.com/privkey.pem";
}

server {
    listen 443 ssl http2;
    server_name git.test.com;
    # Every server block that terminates TLS needs its own certificate directives
    # (or inherit them by moving these two lines up to the http block).
    ssl_certificate "/etc/letsencrypt/live/test.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/test.com/privkey.pem";
    client_max_body_size 500m;

    auth_basic "Git User Authentication";
    auth_basic_user_file /home/httpwd/pass.db;

    # Loose objects and packfiles are served straight from the repository tree.
    location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+\.(pack|idx))$ {
        root /home/git-repos;
    }

    # Smart HTTP endpoints are handled by git-http-backend through fcgiwrap.
    location ~ /.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
        root /home/git-repos;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_connect_timeout 24h;
        fastcgi_read_timeout 24h;
        fastcgi_send_timeout 24h;
        fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
        fastcgi_param PATH_INFO $uri;
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        fastcgi_param GIT_PROJECT_ROOT /home/git-repos;
        fastcgi_param REMOTE_USER $remote_user;
    }
}




© 2020 Tung

粤ICP备19047572号